379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e

General

Target

Order_948575494759.xls
Size

1.1MB
MD5

6bcc53dc843155e886f469778b4216f1
SHA1

ca277194f41d84c108389a788d7281e7566ed9f0
SHA256

379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e
SHA512

cd6da13c89795461e4b804be52500b9db81887d18cadb0dd431cc49850db189f4e6dbb9731810d3ae55c7145ee46ee5fdc9e9606dfc73b08c2d9e5a9169abc28
SSDEEP

12288:y8zJmzHJEUiOIBUzMTSSD3DERnLRmF8DhEPpxpsAQx1Zj+jLEPHbrpW8osAz85qW:MBanbARM8At8Z+j6RsSIUAI

Score

10^/10

phishing

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1836	936	mshta.exe	82

Detected phishing page
phishing

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
936	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE
936	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1836	936	EXCEL.EXE	87
PID 936 wrote to memory of 1836	936	EXCEL.EXE	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order_948575494759.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\System32\mshta.exe
  C:\Windows\System32\mshta.exe -Embedding
  2⤵
  - Process spawned unexpected child process
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
8d36ce587a35294b2382abf6cc079c7a

SHA1
819af38636f1b01d8b29f2c0da042a23c3b80539

SHA256
1725897f7c2526d7a51d8839574451e60939d0d4bb180c925e50f168b20599e1

SHA512
bee941f61e40415120efd4da9e36330e81738092c211fc8b099524390a758574f74d2bfd49a8b4f780836e002eb435be50c14f97c4456b0d52950885d4a08a2a

Download Submit
memory/936-20-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-3-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/936-18-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-4-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/936-9-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-11-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-14-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-15-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-16-0x00007FFA9B980000-0x00007FFA9B990000-memory.dmp

Filesize
64KB

Download
memory/936-13-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-17-0x00007FFA9B980000-0x00007FFA9B990000-memory.dmp

Filesize
64KB

Download
memory/936-21-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-22-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-0-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/936-1-0x00007FFADDE6D000-0x00007FFADDE6E000-memory.dmp

Filesize
4KB

Download
memory/936-2-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/936-12-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-10-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-8-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-7-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-6-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-5-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/936-19-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-51-0x00007FFADDE6D000-0x00007FFADDE6E000-memory.dmp

Filesize
4KB

Download
memory/936-50-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/936-52-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/1836-47-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/1836-56-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/1836-57-0x00007FF692EE0000-0x00007FF692EE8000-memory.dmp

Filesize
32KB

Download
memory/1836-43-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads