Resubmissions
Submitted           Task ID             Score
18-12-2020 16:31    201218-rf4f27wdbs   8
14-12-2020 11:33    201214-1gy4fl2smn   8
12-12-2020 16:18    201212-45avfhl4rx   10
11-12-2020 11:08    201211-d57rtvtlna   10
11-12-2020 10:19    201211-zh128fnl2n   10

Analysis
max time kernel: 300s
max time network: 289s
platform: windows10_x64
resource: win10v20201028
submitted: 11-12-2020 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: Document931215825.xls
  Resource: win10v20201028
General
Target: Document931215825.xls
Size: 53KB
MD5: ef687c6dd0731d96d622ac024974a35b
SHA1: 907be2046fd958898fa14be35f567cbb30e5e8bb
SHA256: 829419a788104ec45e82487738be2779a83cac1b65bfc9343e351e75cfa49f5e
SHA512: 64c3ff8bcab43efaa971816463a620f02f760c84c60daa96d1937046b746156ab8f8461d6c68051e198e156b24133831fc663779c4f389f92ef146b6eb6a3fc5
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Description                                                                                              PID   Target PID  Process       Target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  3784  1144        rundll32.exe  EXCEL.EXE

- Loads dropped DLL (1 IoC)
  PID   Process
  1584  rundll32.exe

- Drops file in Windows directory (1 IoC)
  Description                   IoC                      Process
  File opened for modification  C:\Windows\explorer.exe  rundll32.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Description        IoC                                                         Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  1144  EXCEL.EXE

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  3264  wermgr.exe

- Suspicious use of SetWindowsHookEx (19 IoCs)
  PID   Process
  1144  EXCEL.EXE  (19 identical events)

- Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source process  Target PID  Target process  Events
  1144        EXCEL.EXE       3784        rundll32.exe    2
  3784        rundll32.exe    1584        rundll32.exe    3
  1584        rundll32.exe    3264        wermgr.exe      4
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1144)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document931215825.xls"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\rundll32.exe (PID 3784)
      Command line: rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 1584)
         Command line: rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
         - Loads dropped DLL
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\wermgr.exe (PID 3264)
            Command line: C:\Windows\system32\wermgr.exe
            - Suspicious use of AdjustPrivilegeToken
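The process chain above, replayed as detection logic. This is an added example and is not part of the sandbox report or its tooling: the events are constructed Sysmon-style process-creation records that copy the PIDs, images and command lines from the tree, and the code flags the three behaviours the report's signatures call out (an Office parent spawning rundll32.exe, rundll32.exe told to call DllRegisterServer on a module whose extension is not one rundll32 is normally handed, and rundll32.exe spawning wermgr.exe). The PPID of EXCEL.EXE (900), the benign control event, and the rule names are assumptions made for the demo.

```python
"""Added example (not from the report): replay the report's process tree as
constructed process-creation events and flag the behaviours its signatures
describe. PIDs and command lines are copied from the report; PPID 900 for
EXCEL.EXE, the benign control event and the rule names are assumptions."""
import ntpath
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DLL_EXTENSIONS = {".dll", ".ocx", ".cpl"}  # what rundll32 is normally handed
# rundll32[.exe] ["]<module>["] , <export>   (module may be quoted)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)',
                       re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


# Constructed events mirroring the report's tree, plus one benign control.
EVENTS = [
    ProcEvent(1144, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\Document931215825.xls"',
              900, r"C:\Windows\explorer.exe"),  # PPID 900 is an assumption
    ProcEvent(3784, r"C:\Windows\SYSTEM32\rundll32.exe",
              r"rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer",
              1144, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"),
    ProcEvent(1584, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer",
              3784, r"C:\Windows\SYSTEM32\rundll32.exe"),
    ProcEvent(3264, r"C:\Windows\system32\wermgr.exe",
              r"C:\Windows\system32\wermgr.exe",
              1584, r"C:\Windows\SysWOW64\rundll32.exe"),
    # Benign control (assumed): a normal rundll32 use that must not alert.
    ProcEvent(4100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL",
              900, r"C:\Windows\explorer.exe"),
]


def parse_rundll32(cmdline):
    """Return (module, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).strip(), m.group(2).strip()


def module_extension(module):
    """Lower-cased extension of the module path ('' if it has none)."""
    return ntpath.splitext(module)[1].lower()


def detect(events):
    """Run the three rules over the events; return (rule, pid) tuples in order."""
    alerts = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = ntpath.basename(e.parent_image).lower()
        if name == "rundll32.exe":
            if parent in OFFICE_PARENTS:
                alerts.append(("office_spawns_rundll32", e.pid))
            parsed = parse_rundll32(e.cmdline)
            if parsed:
                module, export = parsed
                if (export.lower() == "dllregisterserver"
                        and module_extension(module) not in DLL_EXTENSIONS):
                    alerts.append(("rundll32_non_dll_extension", e.pid))
        if name == "wermgr.exe" and parent == "rundll32.exe":
            alerts.append(("rundll32_spawns_wermgr", e.pid))
    return alerts


def lineage(events, pid):
    """Walk PPIDs back to the first unknown parent: 'root > ... > leaf'."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid}  chain={lineage(EVENTS, pid)}")
```

The extension check is the one worth keeping in a real rule set: the report's two rundll32 invocations load a file named JIOLAS.RRTTOOKK through the DllRegisterServer export, and a lookup on the module's extension catches that regardless of the directory or file name used. The Office-parent and wermgr.exe-child rules are cheap companions that tie the same chain together by lineage.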
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\IntelCompany\JIOLAS.RRTTOOKK
  MD5: 83a8d8060b6a7b78bf3c4f6628e699a5
  SHA1: 13a260eac7c42c54fd292ca517f795e368705bfc
  SHA256: 4c393143111c5013b00e43d608305e03076c24a9bcfc051e70de597814f69038
  SHA512: 60d84dc3e3d8fd383fae29b296371f45822e5a91d85d8782cb7010f265d42f4c0e16f22601d21d63a85f7f631d44c892fc1cf656cb7cd024760b90e6eaebf24f
- \IntelCompany\JIOLAS.RRTTOOKK (same hashes as above; recorded under the path without the drive letter)
  MD5: 83a8d8060b6a7b78bf3c4f6628e699a5
  SHA1: 13a260eac7c42c54fd292ca517f795e368705bfc
  SHA256: 4c393143111c5013b00e43d608305e03076c24a9bcfc051e70de597814f69038
  SHA512: 60d84dc3e3d8fd383fae29b296371f45822e5a91d85d8782cb7010f265d42f4c0e16f22601d21d63a85f7f631d44c892fc1cf656cb7cd024760b90e6eaebf24f

Memory dumps
- memory/1144-2-0x00007FFB55EE0000-0x00007FFB56517000-memory.dmp  Filesize: 6.2MB
- memory/1144-3-0x000002AD431E8000-0x000002AD431EB000-memory.dmp  Filesize: 12KB
- memory/1584-8-0x0000000000000000-mapping.dmp
- memory/1584-10-0x0000000002BF0000-0x0000000002C29000-memory.dmp  Filesize: 228KB
- memory/1584-11-0x0000000010000000-0x0000000010038000-memory.dmp  Filesize: 224KB
- memory/3264-12-0x0000000000000000-mapping.dmp
- memory/3784-6-0x0000000000000000-mapping.dmp

The 1584-11 region starts at 0x10000000, the default preferred image base of a 32-bit DLL, which is consistent with the dropped module being mapped into the SysWOW64 rundll32.exe (PID 1584) that the "Loads dropped DLL" signature attributes it to.