72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

General

Target

test.zip
Sample

190821-b2h8n5wv9n
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

N/A

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 18 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\MenuExt (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE/3000"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\excel (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\excel\WarnOnOpen = "0"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-excel (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-excel\WarnOnOpen = "0"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint\WarnOnOpen = "0"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\powerpoint (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\powerpoint\WarnOnOpen = "0"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-word (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-word\WarnOnOpen = "0"
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\word (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2954406958-2705520783-2368962566-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\word\WarnOnOpen = "0"

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx 1 TTPs
Suspicious use of FindShellTrayWindow 1 TTPs

Process Injection
T1055
windows_cmd_obfuscation

process_martian 1 IoCs

description	pid
Parent 2748 is not expected to spawn this process	2748

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 2748 wrote to memory of 2696	2696	Process not Found

windows_cmd_obfuscation
powershell_downloader 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 3068 wrote to memory of 2792	2792	Process not Found

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses

Analysis

Sharing

General

Malware Config

Signatures

Processes