723910e9a945ddb57024e859856534b1e757e77156b475b099c098932d3a711a

General

Target

723910e9a945ddb57024e859856534b1e757e77156b475b099c098932d3a711a.xls
Size

65KB
MD5

dc293b7ab92047bf4bf8323963480360
SHA1

d225a9669bcb6acd9ac97e4175cd19690e398712
SHA256

723910e9a945ddb57024e859856534b1e757e77156b475b099c098932d3a711a
SHA512

cd36d67b5f8ac76cbe9f7c7f17d8de01f93d43ac50f919b82dec3d3b5f2979319a52d0449e981007755cd77464b42fd66ecbf7f64fdb32ba7ec243a724e378b5
SSDEEP

1536:unSGTyFRchUXmdand4NhZFGzElMPAArCAqxHshAp+TuxM+cu/gPnAC:unSGTyFRchUXmdand4NhZFGzElMPAAr5

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	568	5080	certutil.exe	EXCEL.EXE

Executes dropped EXE 1 IoCs

Processes:

W4M1F7V5.exe

pid process

2348 W4M1F7V5.exe

pid	process
2348	W4M1F7V5.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

5080 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 5080 wrote to memory of 568	5080	EXCEL.EXE	certutil.exe
PID 5080 wrote to memory of 568	5080	EXCEL.EXE	certutil.exe
PID 5080 wrote to memory of 2348	5080	EXCEL.EXE	W4M1F7V5.exe
PID 5080 wrote to memory of 2348	5080	EXCEL.EXE	W4M1F7V5.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\723910e9a945ddb57024e859856534b1e757e77156b475b099c098932d3a711a.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SYSTEM32\certutil.exe
certutil -decode C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\H1J3M9N7.txt C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W4M1F7V5.exe
2⤵
- Process spawned unexpected child process
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W4M1F7V5.exe
C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W4M1F7V5.exe
2⤵
- Executes dropped EXE
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\H1J3M9N7.txt
Filesize
30KB

MD5
6b2506098c106875c779cfdf2fd19765

SHA1
596e3585a364e6f5b5f808f2d9d59eecfd3cebdf

SHA256
8bce620e02f99588b9ebfa0eee850c29936c144fec87199420cde719b5fad70c

SHA512
dcb057f5cd41c21cecf7a8cf4700a0c0ce179ed1c1416e6509281977b2da8a3804cf625232c3486b5cd49509189cfbb8877913f415fde154e576f587de2dd094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W4M1F7V5.exe
Filesize
22KB

MD5
e425c9be18b35075902167172e0722eb

SHA1
f1c91d6333c19be31b8fbff24eb3be6467ebb435

SHA256
e378781d0393d3f1a8b0a43abfe8c90d9956224109aa87d5832be3da70f19207

SHA512
4eff6cfe2e0f77e7690586767f2c23a72c9224af3f3970b9170a446b5c252fea7053ca4235e5eeeed45f5deacd29d974393ccb9dc80fd5d7e3ae601f8ab5b2fa

Download Submit
memory/2348-57-0x00007FF623A20000-0x00007FF623A2E000-memory.dmp

Filesize
56KB

Download
memory/2348-46-0x00007FF623A20000-0x00007FF623A2E000-memory.dmp

Filesize
56KB

Download
memory/5080-6-0x00007FFAD4290000-0x00007FFAD42A0000-memory.dmp

Filesize
64KB

Download
memory/5080-30-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-7-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-8-0x00007FFAD4290000-0x00007FFAD42A0000-memory.dmp

Filesize
64KB

Download
memory/5080-0-0x00007FFAD4290000-0x00007FFAD42A0000-memory.dmp

Filesize
64KB

Download
memory/5080-9-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-10-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-11-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-13-0x00007FFAD1EC0000-0x00007FFAD1ED0000-memory.dmp

Filesize
64KB

Download
memory/5080-12-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-14-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-15-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-16-0x00007FFAD1EC0000-0x00007FFAD1ED0000-memory.dmp

Filesize
64KB

Download
memory/5080-23-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-26-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-5-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-33-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-34-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-35-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-3-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-4-0x00007FFAD4290000-0x00007FFAD42A0000-memory.dmp

Filesize
64KB

Download
memory/5080-1-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-47-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-48-0x00007FFB14210000-0x00007FFB14405000-memory.dmp

Filesize
2.0MB

Download
memory/5080-49-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-50-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-51-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-52-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-56-0x0000028528D10000-0x0000028529510000-memory.dmp

Filesize
8.0MB

Download
memory/5080-2-0x00007FFAD4290000-0x00007FFAD42A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads