bd60f3de34af2f263cd93e5456c777e0ced39dfc250f258f9029c266abc65144

General

Target

RFQ Data Sheet Technical Specifications Conditioning System Package_PFD.xls
Size

327KB
MD5

cc61a84acf7b534e532fab431480c33c
SHA1

88b007d75f1f24d6001b9e9257dc97c800c78ba2
SHA256

9b1162db6e8c02d209e9de6803f5639e9994b2752efcdae10462b5cc008e8218
SHA512

2d7bbefb32432330080224c8a167321e1b89d777edbac30e8cb7bd396505b7fd03c316d89d0721b49ccded8d6ec1d9aa8879d0a58b520138a7e80018f412168f
SSDEEP

6144:IrwfU+iLch1FKYPEpAMcZ0MnADLVw0EAq6aQozyPpFSncaI2bnfjt4E:IrwaYZ1eAMcZD/rOmgUnfh4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1016	3764	mshta.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3764	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	Process
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

EXCEL.EXE

description	pid	Process	procid_target
PID 3764 wrote to memory of 1016	3764	EXCEL.EXE	93
PID 3764 wrote to memory of 1016	3764	EXCEL.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ Data Sheet Technical Specifications Conditioning System Package_PFD.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\System32\mshta.exe
  C:\Windows\System32\mshta.exe -Embedding
  2⤵
  - Process spawned unexpected child process
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
fe2e7726f96a2d146b605cf0e42c24ef

SHA1
dd8e9906e7830fcbfca83a3ee722a7e8937715a3

SHA256
08d078748b47ef32290ddbbf2619901fbeefc49d8f51b0a428f9ceb09eb86824

SHA512
5880f80c9fed26975903da1ffe762531c5a24606d41bdb6dd8409c36d83f37b745159cd68519b363be2cccaa30149606815952b89b0fe42eb71b2e150fab63bd

Download Submit
memory/1016-40-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/1016-36-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/1016-38-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/1016-39-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/1016-46-0x00007FF624760000-0x00007FF624768000-memory.dmp

Filesize
32KB

Download
memory/1016-41-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/1016-53-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-9-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-43-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-8-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-11-0x00007FF9E5340000-0x00007FF9E5350000-memory.dmp

Filesize
64KB

Download
memory/3764-3-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-2-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-82-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-4-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-6-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-10-0x00007FF9E5340000-0x00007FF9E5350000-memory.dmp

Filesize
64KB

Download
memory/3764-44-0x00007FFA277ED000-0x00007FFA277EE000-memory.dmp

Filesize
4KB

Download
memory/3764-45-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-7-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-1-0x00007FFA277ED000-0x00007FFA277EE000-memory.dmp

Filesize
4KB

Download
memory/3764-5-0x00007FFA27750000-0x00007FFA27945000-memory.dmp

Filesize
2.0MB

Download
memory/3764-80-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-79-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-81-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-78-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download
memory/3764-0-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads