Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    08-07-2020 09:24

General

  • Target

    Orderfor july.xlsx

  • Size

    14KB

  • MD5

    d27eeb485092524e4b2080ec1260da80

  • SHA1

    ea9031e9ffdefbcd760ca2dcc8f5c7015e113b51

  • SHA256

    f58398d719869f9ce7478274ee24fe8c714184d37289efc2496c0ba52c64e0ce

  • SHA512

    23f5b1089624c01804a7aec893c6a465f028347be52ff78d0505e38b847e2537a6ccebb65e01a1d9aa45cb4a1fbb60e06d34d182203dfd38169729e169f22a7f

Malware Config

Signatures

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Adds Run entry to policy start application 2 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    PID:1228
    • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orderfor july.xlsx"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1492
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • System policy modification
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • Adds Run entry to policy start application
      PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\regasms.exe"
        3⤵
          PID:1648
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:2020
      • C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Launches Equation Editor
        • Loads dropped DLL
        • Blacklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:336
        • C:\Users\Admin\AppData\Roaming\regasms.exe
          C:\Users\Admin\AppData\Roaming\regasms.exe
          2⤵
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          PID:1760
          • C:\Users\Admin\AppData\Roaming\regasms.exe
            C:\Users\Admin\AppData\Roaming\regasms.exe
            3⤵
            • Suspicious behavior: MapViewOfSection
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Executes dropped EXE
            PID:1880

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\2MAB93A4\2MAlogim.jpeg

      • C:\Users\Admin\AppData\Roaming\2MAB93A4\2MAlogrf.ini

      • C:\Users\Admin\AppData\Roaming\2MAB93A4\2MAlogri.ini

      • C:\Users\Admin\AppData\Roaming\2MAB93A4\2MAlogrv.ini

      • C:\Users\Admin\AppData\Roaming\regasms.exe

      • C:\Users\Admin\AppData\Roaming\regasms.exe

      • C:\Users\Admin\AppData\Roaming\regasms.exe

      • \Users\Admin\AppData\Roaming\regasms.exe

      • \Users\Admin\AppData\Roaming\regasms.exe

      • memory/1648-10-0x0000000000000000-mapping.dmp

      • memory/1760-2-0x0000000000000000-mapping.dmp

      • memory/1880-5-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

      • memory/1880-6-0x000000000041E2E0-mapping.dmp

      • memory/1920-8-0x0000000000000000-mapping.dmp

      • memory/1920-12-0x0000000003270000-0x0000000003308000-memory.dmp

        Filesize

        608KB

      • memory/1920-11-0x0000000003000000-0x000000000316F000-memory.dmp

        Filesize

        1.4MB

      • memory/1920-9-0x0000000000250000-0x000000000026C000-memory.dmp

        Filesize

        112KB

      • memory/2020-14-0x000000013FC60000-0x000000013FCF3000-memory.dmp

        Filesize

        588KB

      • memory/2020-13-0x0000000000000000-mapping.dmp