Analysis
- max time kernel: 143s
- max time network: 145s
- platform: windows10_x64
- resource: win10v200430
- submitted: 11-07-2020 06:16
Static task: static1
Behavioral task: behavioral1
  Sample: MV SPYRO AFEA VOY 156 PARTICULARS.xlsm
  Resource: win7
Behavioral task: behavioral2
  Sample: MV SPYRO AFEA VOY 156 PARTICULARS.xlsm
  Resource: win10v200430
General
- Target: MV SPYRO AFEA VOY 156 PARTICULARS.xlsm
- Size: 51KB
- MD5: 63e87619e5dcb07ca54ef9d82d99f7c0
- SHA1: 7fd77e39fbf7ad6e8ade3e6592580a81a7373c54
- SHA256: 535f2b04a4086696d3fafb347cba4a40d6647a3c9c0b8b4690e966d789b5f45e
- SHA512: f7ba6d6d7b45b3f335bdb787c2393f0fc22aea8b01317643b3b3d006801c4cfc1a40301aa71cee87a57b460ba70c12be603369b042081dcfb1539466c904e8d1
Malware Config
Signatures
- Script User-Agent (1 IoC)
  Processes:
    description | flow | ioc
    HTTP User-Agent header | 14 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
    pid | process
    3988 | EXCEL.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cscript.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2052 | 3988 | cscript.exe | EXCEL.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: EXCEL.EXE, cscript.exe
    description | pid | process | target process
    PID 3988 wrote to memory of 2052 | 3988 | EXCEL.EXE | cscript.exe (reported 2 times)
    PID 2052 wrote to memory of 4016 | 2052 | cscript.exe | 5znX0kpa.exe (reported 3 times)
- Executes dropped EXE (1 IoC)
  Processes: 5znX0kpa.exe
    pid | process
    4016 | 5znX0kpa.exe
- NTFS ADS (3 IoCs)
  Processes: EXCEL.EXE
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\mm:Zone.Identifier | EXCEL.EXE
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\xx:Zone.Identifier | EXCEL.EXE
    File created | C:\programdata\asc.txt:script1.vbs | EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE
    pid | process
    3988 | EXCEL.EXE (reported 12 times)
- Blacklisted process makes network request (1 IoC)
  Processes: cscript.exe
    flow | pid | process
    14 | 2052 | cscript.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    3680 | 4016 | WerFault.exe | 5znX0kpa.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
    description | pid | process
    Token: SeRestorePrivilege | 3680 | WerFault.exe
    Token: SeBackupPrivilege | 3680 | WerFault.exe
    Token: SeDebugPrivilege | 3680 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
    pid | process
    3680 | WerFault.exe (reported 14 times)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MV SPYRO AFEA VOY 156 PARTICULARS.xlsm"
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of WriteProcessMemory
   - NTFS ADS
   - Checks processor information in registry
   - Suspicious use of SetWindowsHookEx
   2. C:\Windows\System32\cscript.exe
      Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      - Blacklisted process makes network request
      3. C:\programdata\5znX0kpa.exe
         Command line: C:\programdata\5znX0kpa.exe
         - Executes dropped EXE
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 924
            - Program crash
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\5znX0kpa.exe
- C:\programdata\5znX0kpa.exe
- C:\programdata\asc.txt:script1.vbs
- memory/2052-3-0x0000000000000000-mapping.dmp
- memory/3680-20-0x0000000004D40000-0x0000000004D41000-memory.dmp (Filesize: 4KB)
- memory/3680-8-0x0000000004680000-0x0000000004681000-memory.dmp (Filesize: 4KB)
- memory/3680-9-0x0000000004680000-0x0000000004681000-memory.dmp (Filesize: 4KB)
- memory/3680-19-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize: 4KB)
- memory/4016-12-0x0000000000000000-mapping.dmp
- memory/4016-13-0x0000000000000000-mapping.dmp
- memory/4016-14-0x0000000000000000-mapping.dmp
- memory/4016-15-0x0000000000000000-mapping.dmp
- memory/4016-16-0x0000000000000000-mapping.dmp
- memory/4016-17-0x0000000000000000-mapping.dmp
- memory/4016-18-0x0000000000000000-mapping.dmp
- memory/4016-11-0x0000000000000000-mapping.dmp
- memory/4016-5-0x0000000000000000-mapping.dmp