Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10_x64 -
resource
win10 -
submitted
04-09-2020 05:25
Static task
static1
Behavioral task
behavioral1
Sample
KAAS GROUP CO LLC PROJECT - REQUIREMENTS QUANTITY.xlsx
Resource
win7v200722
Behavioral task
behavioral2
Sample
KAAS GROUP CO LLC PROJECT - REQUIREMENTS QUANTITY.xlsx
Resource
win10
General
-
Target
KAAS GROUP CO LLC PROJECT - REQUIREMENTS QUANTITY.xlsx
-
Size
727KB
-
MD5
8bb4b1de922189a0ead4d3d53f90dee2
-
SHA1
f9f8e5cce299de26c7c4597466283de3fca99052
-
SHA256
3b20874d61fc9dccaf568e149987fa2d6b856b91822237394e778dd4ef989620
-
SHA512
7daf835a914b78e5849e1ea82c9ae94df2a6b75e2aebabd6031bfb0b7db577bc4c5f7bc8c7f9f5be5fd37c71d252c643b19f0a167a190ed2be8b6e561677ff98
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 1041bb417b82d601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2896 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 3856 svchost.exe Token: SeCreatePagefilePrivilege 3856 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE 2896 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\KAAS GROUP CO LLC PROJECT - REQUIREMENTS QUANTITY.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2896-0-0x00007FFBF6ED0000-0x00007FFBF7596000-memory.dmpFilesize
6.8MB