Resubmissions
Submitted          Task ID             Score
18-12-2020 16:31   201218-rf4f27wdbs   8
14-12-2020 11:33   201214-1gy4fl2smn   8
12-12-2020 16:18   201212-45avfhl4rx   10
11-12-2020 11:08   201211-d57rtvtlna   10
11-12-2020 10:19   201211-zh128fnl2n   10
Analysis
- max time kernel: 139s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-12-2020 10:19
Static task: static1
Behavioral task: behavioral1
  Sample: Document931215825.xls
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Document931215825.xls
  Resource: win10v20201028
General
- Target: Document931215825.xls
- Size: 53KB
- MD5: ef687c6dd0731d96d622ac024974a35b
- SHA1: 907be2046fd958898fa14be35f567cbb30e5e8bb
- SHA256: 829419a788104ec45e82487738be2779a83cac1b65bfc9343e351e75cfa49f5e
- SHA512: 64c3ff8bcab43efaa971816463a620f02f760c84c60daa96d1937046b746156ab8f8461d6c68051e198e156b24133831fc663779c4f389f92ef146b6eb6a3fc5
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 2336, pid_target: 540, process: rundll32.exe, target process: EXCEL.EXE
- Loads dropped DLL (1 IoC)
Processes:
  pid: 2340, process: rundll32.exe
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 38, ioc: wtfismyip.com
- Drops file in Windows directory (1 IoC)
Processes:
  description: File opened for modification, ioc: C:\Windows\explorer.exe, process: rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid: 540, process: EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege, pid: 2756, process: wermgr.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid: 540, process: EXCEL.EXE (all 12 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 540 (EXCEL.EXE) wrote to memory of 2336 (rundll32.exe): 2 entries
  PID 2336 (rundll32.exe) wrote to memory of 2340 (rundll32.exe): 3 entries
  PID 2340 (rundll32.exe) wrote to memory of 2756 (wermgr.exe): 4 entries
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (pid 540)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document931215825.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\rundll32.exe (pid 2336)
    Command line: rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (pid 2340)
      Command line: rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (pid 2756)
        Command line: C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\IntelCompany\JIOLAS.RRTTOOKK (also listed as \IntelCompany\JIOLAS.RRTTOOKK, with identical hashes)
  MD5: 83a8d8060b6a7b78bf3c4f6628e699a5
  SHA1: 13a260eac7c42c54fd292ca517f795e368705bfc
  SHA256: 4c393143111c5013b00e43d608305e03076c24a9bcfc051e70de597814f69038
  SHA512: 60d84dc3e3d8fd383fae29b296371f45822e5a91d85d8782cb7010f265d42f4c0e16f22601d21d63a85f7f631d44c892fc1cf656cb7cd024760b90e6eaebf24f
- memory/540-2-0x00007FF9A71F0000-0x00007FF9A7827000-memory.dmp (6.2MB)
- memory/2336-5-0x0000000000000000-mapping.dmp
- memory/2340-7-0x0000000000000000-mapping.dmp
- memory/2340-9-0x0000000000610000-0x0000000000649000-memory.dmp (228KB)
- memory/2340-10-0x0000000010000000-0x0000000010038000-memory.dmp (224KB)
- memory/2756-11-0x0000000000000000-mapping.dmp