Analysis
- max time kernel: 143s
- max time network: 145s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 10:35

Static task: static1

Behavioral task: behavioral1
- Sample: scan 0003.xlsm
- Resource: win7v200722

Behavioral task: behavioral2
- Sample: scan 0003.xlsm
- Resource: win10v200722
General
- Target: scan 0003.xlsm
- Size: 78KB
- MD5: 74e2a78248c6f0a949f2bcd86d0315c8
- SHA1: 7209cc8af3c1704cd35aa5f9650335e50eba09ef
- SHA256: 5f1546c28e06698400fdb0c307bc82e4ab74ecac4913cbd106648f17a81e02ff
- SHA512: 99b74585e48d7f790ebdc512262307e955a7b71f1c283ba670b831138bb37a03a77936668d7adc7460f065bd364eecdd16dc6d8464cf09a6f2675a108b1461e6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2752  zhkwhljhg.exe
- ServiceHost packer (7 IoCs)
  Detects ServiceHost packer used for .NET malware
  Resources matched by yara rule "servicehost":
    behavioral2/memory/2752-10-0x0000000000000000-mapping.dmp
    behavioral2/memory/2752-11-0x0000000000000000-mapping.dmp
    behavioral2/memory/2752-12-0x0000000000000000-mapping.dmp
    behavioral2/memory/2752-13-0x0000000000000000-mapping.dmp
    behavioral2/memory/2752-14-0x0000000000000000-mapping.dmp
    behavioral2/memory/2752-15-0x0000000000000000-mapping.dmp
    behavioral2/memory/2752-16-0x0000000000000000-mapping.dmp
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 3792  WerFault.exe (14 occurrences)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 1568  EXCEL.EXE (12 occurrences)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 1568  EXCEL.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1568 (EXCEL.EXE) wrote to memory of PID 2752 (zhkwhljhg.exe), 3 occurrences
- Program crash (1 IoC)
  Processes:
    pid 3792  WerFault.exe  (target: pid 2752 zhkwhljhg.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    pid 3792  WerFault.exe  Token: SeRestorePrivilege
    pid 3792  WerFault.exe  Token: SeBackupPrivilege
    pid 3792  WerFault.exe  Token: SeDebugPrivilege
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan 0003.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\zhkwhljhg.exe
    Command line: "C:\Users\Public\zhkwhljhg.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1148
      - Suspicious behavior: EnumeratesProcesses
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\zhkwhljhg.exe
- C:\Users\Public\zhkwhljhg.exe
- memory/2752-14-0x0000000000000000-mapping.dmp
- memory/2752-10-0x0000000000000000-mapping.dmp
- memory/2752-11-0x0000000000000000-mapping.dmp
- memory/2752-12-0x0000000000000000-mapping.dmp
- memory/2752-13-0x0000000000000000-mapping.dmp
- memory/2752-4-0x0000000000000000-mapping.dmp
- memory/2752-15-0x0000000000000000-mapping.dmp
- memory/2752-16-0x0000000000000000-mapping.dmp
- memory/3792-7-0x00000000045B0000-0x00000000045B1000-memory.dmp (Filesize: 4KB)
- memory/3792-8-0x00000000045B0000-0x00000000045B1000-memory.dmp (Filesize: 4KB)
- memory/3792-17-0x0000000004B20000-0x0000000004B21000-memory.dmp (Filesize: 4KB)