be43fdebede61ab9a4fb2638237498d62f74ac031477ad0546f8d679a97df801

General

Target

SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
Size

916KB
MD5

1f153afa1eb2fc6c36833561df336720
SHA1

702a477651fb5c0157eeafaf536cd5db47644ed7
SHA256

4ea340bd4396f2dc2550ce2de10c7787242a29e2f0f2602b85f41a89e9059227
SHA512

0d1d5949804651dd3ee72606a2a7386a4d84683e3ed9d3f7ce33f7a1edf274a6273ce6e2c5474451d8613a7a056865d2b823235951d786e6063d8057075cb660
SSDEEP

12288:mEmzpE5j6jRPLjRPqjBjjyjBjBjBjBjLjG+jdgjkJtymmDXnUFmnwFMENYGvW53:tvILyJDcMAaIW5

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2516	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	32
PID 2568 wrote to memory of 2516	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	32
PID 2568 wrote to memory of 2516	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	32
PID 2568 wrote to memory of 2516	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	32
PID 2568 wrote to memory of 1740	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	33
PID 2568 wrote to memory of 1740	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	33
PID 2568 wrote to memory of 1740	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	33
PID 2568 wrote to memory of 1740	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	33
PID 2568 wrote to memory of 2600	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	34
PID 2568 wrote to memory of 2600	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	34
PID 2568 wrote to memory of 2600	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	34
PID 2568 wrote to memory of 2600	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	34
PID 2568 wrote to memory of 1252	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	35
PID 2568 wrote to memory of 1252	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	35
PID 2568 wrote to memory of 1252	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	35
PID 2568 wrote to memory of 1252	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	35
PID 2568 wrote to memory of 1988	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	36
PID 2568 wrote to memory of 1988	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	36
PID 2568 wrote to memory of 1988	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	36
PID 2568 wrote to memory of 1988	2568	SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe	36

C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe"
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe"
  2⤵
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe"
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA {JAN} & Swift HSBCCNSHXXX confirmation_xlsx.exe"
  2⤵
  PID:1988

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x0000000000390000-0x000000000047C000-memory.dmp

Filesize
944KB

Download
memory/2568-2-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-6-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2568-7-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2568-8-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-9-0x0000000004E10000-0x0000000004E58000-memory.dmp

Filesize
288KB

Download
memory/2568-10-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads