Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
31-07-2020 10:23
Static task
static1
Behavioral task
behavioral1
Sample
bin 1.xls
Resource
win7v200722
General
-
Target
bin 1.xls
-
Size
183KB
-
MD5
ad085c2d0b11bd6268b5cf5e1f86c6d2
-
SHA1
20aa89a8d2cb83226065e4ecf97799409f9fd2ae
-
SHA256
8d9a34f51bcef521b4dad284038743c1cce9b9481d558225e33add85c4c9173b
-
SHA512
3ff47f33dc1fb6d9e9197c345153febe4388923ac7e27e87e3ea97d2bf7dde7dd62fcc02f2768fabd6ac4764bf48df0f0b6388719167b8b9ba1b350e16e44b12
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
svchost32.exemsdt.exepid process 3636 svchost32.exe 3636 svchost32.exe 3636 svchost32.exe 3636 svchost32.exe 3636 svchost32.exe 3636 svchost32.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
svchost32.exemsdt.exepid process 3636 svchost32.exe 3636 svchost32.exe 3636 svchost32.exe 3636 svchost32.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe 2948 msdt.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
svchost32.exemsdt.exedescription pid process target process PID 3636 set thread context of 3024 3636 svchost32.exe Explorer.EXE PID 3636 set thread context of 3024 3636 svchost32.exe Explorer.EXE PID 2948 set thread context of 3024 2948 msdt.exe Explorer.EXE -
Executes dropped EXE 1 IoCs
Processes:
svchost32.exepid process 3636 svchost32.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
svchost32.exemsdt.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 3636 svchost32.exe Token: SeDebugPrivilege 2948 msdt.exe Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE -
Formbook Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2948-10-0x0000000000000000-mapping.dmp formbook -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Processes:
msdt.exedescription ioc process Key created \Registry\User\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msdt.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE 1928 EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1928 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXEExplorer.EXEmsdt.exedescription pid process target process PID 1928 wrote to memory of 3636 1928 EXCEL.EXE svchost32.exe PID 1928 wrote to memory of 3636 1928 EXCEL.EXE svchost32.exe PID 1928 wrote to memory of 3636 1928 EXCEL.EXE svchost32.exe PID 3024 wrote to memory of 2948 3024 Explorer.EXE msdt.exe PID 3024 wrote to memory of 2948 3024 Explorer.EXE msdt.exe PID 3024 wrote to memory of 2948 3024 Explorer.EXE msdt.exe PID 2948 wrote to memory of 3980 2948 msdt.exe cmd.exe PID 2948 wrote to memory of 3980 2948 msdt.exe cmd.exe PID 2948 wrote to memory of 3980 2948 msdt.exe cmd.exe PID 2948 wrote to memory of 1880 2948 msdt.exe Firefox.exe PID 2948 wrote to memory of 1880 2948 msdt.exe Firefox.exe PID 2948 wrote to memory of 1880 2948 msdt.exe Firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bin 1.xls"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
-
C:\Users\Public\svchost32.exe"C:\Users\Public\svchost32.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
-
C:\Users\Admin\AppData\Roaming\419RB7D7\419logim.jpeg
-
C:\Users\Admin\AppData\Roaming\419RB7D7\419logrf.ini
-
C:\Users\Admin\AppData\Roaming\419RB7D7\419logrg.ini
-
C:\Users\Admin\AppData\Roaming\419RB7D7\419logri.ini
-
C:\Users\Admin\AppData\Roaming\419RB7D7\419logrv.ini
-
C:\Users\Public\svchost32.exe
-
C:\Users\Public\svchost32.exe
-
memory/1880-22-0x00007FF6C4A30000-0x00007FF6C4AC3000-memory.dmpFilesize
588KB
-
memory/1880-21-0x00007FF6C4A30000-0x00007FF6C4AC3000-memory.dmpFilesize
588KB
-
memory/1880-20-0x00007FF6C4A30000-0x00007FF6C4AC3000-memory.dmpFilesize
588KB
-
memory/1880-19-0x0000000000000000-mapping.dmp
-
memory/1928-5-0x000001B6A0B40000-0x000001B6A0B7E000-memory.dmpFilesize
248KB
-
memory/1928-0-0x000001B6A07B4000-0x000001B6A07B9000-memory.dmpFilesize
20KB
-
memory/1928-4-0x000001B6A0B40000-0x000001B6A0B7E000-memory.dmpFilesize
248KB
-
memory/1928-3-0x000001B6A0B40000-0x000001B6A0B7E000-memory.dmpFilesize
248KB
-
memory/1928-2-0x000001B6A0B40000-0x000001B6A0B7E000-memory.dmpFilesize
248KB
-
memory/1928-1-0x000001B6A0B40000-0x000001B6A0B7E000-memory.dmpFilesize
248KB
-
memory/2948-12-0x0000000000ED0000-0x0000000001043000-memory.dmpFilesize
1.4MB
-
memory/2948-16-0x00000000057E0000-0x000000000588A000-memory.dmpFilesize
680KB
-
memory/2948-11-0x0000000000ED0000-0x0000000001043000-memory.dmpFilesize
1.4MB
-
memory/2948-10-0x0000000000000000-mapping.dmp
-
memory/3024-17-0x0000000006D40000-0x0000000006E5E000-memory.dmpFilesize
1.1MB
-
memory/3636-6-0x0000000000000000-mapping.dmp
-
memory/3980-14-0x0000000000000000-mapping.dmp