Analysis
- Max time kernel: 126s
- Max time network: 123s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 19-11-2020 15:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: phy__1__31629__2649094674__1605642612.exe
- Resource: win7v20201028
General
- Target: phy__1__31629__2649094674__1605642612.exe
- Size: 796KB
- MD5: 6bcfa9f7cff3724c68ab9d9a5a7cfa61
- SHA1: 56b9891386dd507afc6fa109feee6eb783abecb9
- SHA256: 664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479
- SHA512: 94eaf0cbd7eea9a6d412eb4ce6d88e83fcb33c50cf545d7a8aa281aca7ed074f34a91c8cdb03429ca11da6cf85bdd974f64f5cbc17246cc8c52e115f0960a776
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    flow 6: api.ipify.org
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (phy__1__31629__2649094674__1605642612.exe)
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (phy__1__31629__2649094674__1605642612.exe)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process):
    1644 WINWORD.EXE
    704 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
    1960 phy__1__31629__2649094674__1605642612.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid / process):
    1644 WINWORD.EXE (10 occurrences)
    704 EXCEL.EXE (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CheckpointConvertTo.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/704-2-0x00000000004B0000-0x00000000004B1000-memory.dmp (filesize 4KB)
- memory/704-4-0x0000000004ED0000-0x0000000004ED4000-memory.dmp (filesize 16KB)
- memory/1644-1-0x00000000048C0000-0x00000000048C4000-memory.dmp (filesize 16KB)
- memory/1668-0-0x000007FEF5DB0000-0x000007FEF602A000-memory.dmp (filesize 2.5MB)