60a66c5d9d508a2cfa80510a9630660910e00b96356934cadbbc41404afb37ac

General

Target

ca67156efa90ee91d28ffde2cced06142e79316704c5b3bafe74b980b806e031.xlsm
Size

42KB
MD5

c2f9809cf3145aad896839336e6c8870
SHA1

7a5558f20e60820a261f4ea4c86d7b7232520f07
SHA256

ca67156efa90ee91d28ffde2cced06142e79316704c5b3bafe74b980b806e031
SHA512

8fe02e9dee2a2a631b2c906bbf5625238dbdf079e47b839e784e076fd45fd1be6ab865af725986a51e9ea4aa31018eb1bcfd7e7dc5a8527bc01d667db28cfb77
SSDEEP

768:hEx/KgamErbZjfyS56agBDh8efxqVrEmzhRgEICHgSo5FNW3zuq:sCtW6efzi/OCASMNAt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4640	malcod.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\malcod.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1920	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1920	EXCEL.EXE
1920	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4640	1920	EXCEL.EXE	98
PID 1920 wrote to memory of 4640	1920	EXCEL.EXE	98

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ca67156efa90ee91d28ffde2cced06142e79316704c5b3bafe74b980b806e031.xlsm"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920
- C:\WINDOWS\Tasks\malcod.exe
  C:\WINDOWS\Tasks\malcod.exe
  2⤵
  - Executes dropped EXE
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
abb5cf8392c9ee05644b943b36781e6c

SHA1
6fe7e1af4fd9cc65d8d70d4cecd2511793801570

SHA256
9b04d02ff7b43eb6a4aa00cbb61ed24344fdcefeb77d84e6569e7684d5fcb210

SHA512
1888b15ffa2f2cc29d1f0c20cc0e4960de2dfecb91385a14a015664ecc9d7761240957d2fd8cc7a48d932c97a38a821cef122ddbf5bcf8e56e950fbf16624a93

Download Submit
C:\Windows\Tasks\malcod.exe

Filesize
11KB

MD5
77bfcca0a57983b380d6f732b2dd145c

SHA1
6d9b5261aac522192839d5e3310dafdb18f52ffa

SHA256
8a98f8e6dd13660d8bb84a92a1aa852a077d932c483d2ef2ad03fddc88f173de

SHA512
867d16035d233c6a0f72d4a8f36682de9b5ca17896f29fcf043c704ee4bbf57b605bc679f13feb7b391ff1668fbcd646ae61221365000834f3b817b5fec2e31c

Download Submit
memory/1920-9-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-12-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-6-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-5-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/1920-7-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/1920-11-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-17-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-13-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-14-0x00007FFF269D0000-0x00007FFF269E0000-memory.dmp

Filesize
64KB

Download
memory/1920-10-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-0-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/1920-2-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/1920-39-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-15-0x00007FFF269D0000-0x00007FFF269E0000-memory.dmp

Filesize
64KB

Download
memory/1920-8-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-4-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-16-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-56-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-57-0x00007FFF68E8D000-0x00007FFF68E8E000-memory.dmp

Filesize
4KB

Download
memory/1920-58-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-59-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-1-0x00007FFF68E8D000-0x00007FFF68E8E000-memory.dmp

Filesize
4KB

Download
memory/1920-68-0x00007FFF68DF0000-0x00007FFF68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1920-3-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads