Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10v200430
- submitted: 29-05-2020 15:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
- Resource: win7v200430
General
- Target: 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
- Size: 86KB
- MD5: a758f5bfaeb275b5dfaf5be55a8b087b
- SHA1: eff178dfef00ee753f4a540107632e43ec4a4ef9
- SHA256: 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366
- SHA512: 7e96b281aa9433bb05073ff0ee9cb9d94384ef6cf9b801d11d5d420d647c79310f18485fab340afa8d0eb9bcdc64ec7cf885ee5636fc7edcfbbfe54ff208f364
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeSecurityPrivilege | 3896 | msiexec.exe
    Token: SeSecurityPrivilege | 3896 | msiexec.exe
- Enumerates connected drives (3 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2712 set thread context of 3896 | 2712 | rundll32.exe | msiexec.exe
- Blacklisted process makes network request (17 IoCs)
  Processes (flow | pid | process):
    28 | 3896 | msiexec.exe
    29 | 3896 | msiexec.exe
    30 | 3896 | msiexec.exe
    31 | 3896 | msiexec.exe
    32 | 3896 | msiexec.exe
    33 | 3896 | msiexec.exe
    34 | 3896 | msiexec.exe
    35 | 3896 | msiexec.exe
    36 | 3896 | msiexec.exe
    37 | 3896 | msiexec.exe
    38 | 3896 | msiexec.exe
    39 | 3896 | msiexec.exe
    40 | 3896 | msiexec.exe
    41 | 3896 | msiexec.exe
    42 | 3896 | msiexec.exe
    43 | 3896 | msiexec.exe
    44 | 3896 | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    3896 | msiexec.exe
    3896 | msiexec.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid | process):
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
    1008 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description | pid | process | target process):
    PID 1008 wrote to memory of 2420 | 1008 | EXCEL.EXE | rundll32.exe
    PID 1008 wrote to memory of 2420 | 1008 | EXCEL.EXE | rundll32.exe
    PID 2420 wrote to memory of 2712 | 2420 | rundll32.exe | rundll32.exe
    PID 2420 wrote to memory of 2712 | 2420 | rundll32.exe | rundll32.exe
    PID 2420 wrote to memory of 2712 | 2420 | rundll32.exe | rundll32.exe
    PID 2712 wrote to memory of 3896 | 2712 | rundll32.exe | msiexec.exe
    PID 2712 wrote to memory of 3896 | 2712 | rundll32.exe | msiexec.exe
    PID 2712 wrote to memory of 3896 | 2712 | rundll32.exe | msiexec.exe
    PID 2712 wrote to memory of 3896 | 2712 | rundll32.exe | msiexec.exe
    PID 2712 wrote to memory of 3896 | 2712 | rundll32.exe | msiexec.exe
    PID 3896 wrote to memory of 864 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 864 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 864 | 3896 | msiexec.exe | cmd.exe
    PID 864 wrote to memory of 4004 | 864 | cmd.exe | ipconfig.exe
    PID 864 wrote to memory of 4004 | 864 | cmd.exe | ipconfig.exe
    PID 864 wrote to memory of 4004 | 864 | cmd.exe | ipconfig.exe
    PID 3896 wrote to memory of 3740 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 3740 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 3740 | 3896 | msiexec.exe | cmd.exe
    PID 3740 wrote to memory of 2888 | 3740 | cmd.exe | net.exe
    PID 3740 wrote to memory of 2888 | 3740 | cmd.exe | net.exe
    PID 3740 wrote to memory of 2888 | 3740 | cmd.exe | net.exe
    PID 2888 wrote to memory of 2196 | 2888 | net.exe | net1.exe
    PID 2888 wrote to memory of 2196 | 2888 | net.exe | net1.exe
    PID 2888 wrote to memory of 2196 | 2888 | net.exe | net1.exe
    PID 3896 wrote to memory of 3468 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 3468 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 3468 | 3896 | msiexec.exe | cmd.exe
    PID 3468 wrote to memory of 692 | 3468 | cmd.exe | net.exe
    PID 3468 wrote to memory of 692 | 3468 | cmd.exe | net.exe
    PID 3468 wrote to memory of 692 | 3468 | cmd.exe | net.exe
    PID 3896 wrote to memory of 3948 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 3948 | 3896 | msiexec.exe | cmd.exe
    PID 3896 wrote to memory of 3948 | 3896 | msiexec.exe | cmd.exe
    PID 3948 wrote to memory of 944 | 3948 | cmd.exe | net.exe
    PID 3948 wrote to memory of 944 | 3948 | cmd.exe | net.exe
    PID 3948 wrote to memory of 944 | 3948 | cmd.exe | net.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    2712 | rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Discovers systems in the same network (1 TTP, 2 IoCs)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    1008 | EXCEL.EXE
- Runs net.exe
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2420 | 1008 | rundll32.exe | EXCEL.EXE
Processes (indented by process-tree depth)
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer
    Signatures: Suspicious use of WriteProcessMemory; Process spawned unexpected child process
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory; Loads dropped DLL
      - C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec.exe
        Signatures: Suspicious use of AdjustPrivilegeToken; Blacklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c ipconfig /all
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\ipconfig.exe
            Command line: ipconfig /all
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c net config workstation
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net.exe
            Command line: net config workstation
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 config workstation
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c net view /all
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net.exe
            Command line: net view /all
            Signatures: Discovers systems in the same network
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c net view /all /domain
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net.exe
            Command line: net view /all /domain
            Signatures: Discovers systems in the same network