Analysis

  • max time kernel
    72s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 07:10

General

  • Target

    Report_18392.xls

  • Size

    762KB

  • MD5

    0e453e483119e62e58471b9ee48a358b

  • SHA1

    8fb9f595b9474368f7acaf81d15437c0bbf5a578

  • SHA256

    122533a946908e660880b2030174008bbb0791e5c5ac92651b24ae0589e8fa3d

  • SHA512

    211c79149b10ba7fe4dd185c0decc0512cd74fc34ede6521a4599769909049fe6aae8630910c721c68c1e2724f3e63aff0e59f43655e3f0cb4037d0e183e2292

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 4 IoCs
  • JavaScript code in executable 5 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Report_18392.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1852
  • C:\Windows\system32\wbem\wmIc.exe
    wmIc
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vzm14.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vzm14.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:316
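The tree above (EXCEL.EXE, then wmIc.exe, then rundll32.exe loading a DLL from C:\Windows\Temp, then the 64-bit rundll32 re-launching its SysWOW64 copy with the same command line, which is what rundll32 does when handed a 32-bit DLL) is a good hunting target in process-creation telemetry. The Python below is an added example written for this page, not part of the sandbox report or its tooling. Its event records are constructed from the report's process tree: the report does not show the parent of wmIc.exe, so EXCEL.EXE is assumed for the demonstration; the explorer.exe and shell32.dll entries are constructed benign controls; and the field names (pid, ppid, image, cmdline) are an assumed schema rather than any particular EDR's.

```python
r"""Hunting logic for the process chain in this report: an Office process spawning a
LOLBin, rundll32 loading a module from C:\Windows\Temp, and rundll32 re-launching
itself at the other bitness with the same module.

Added example for this page, not part of the sandbox report. The events below are
constructed from the report's process tree; the schema (pid, ppid, image, cmdline)
is an assumption."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"wmic.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                   "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
TEMP_PREFIX = "c:\\windows\\temp\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalize_path(path: str) -> str:
    """Fold forward slashes and doubled separators (the report shows
    C:/Windows/Temp//vzm14.dll) and lower-case, so path checks are not
    defeated by cosmetic variation."""
    path = path.replace("/", "\\")
    path = re.sub(r"\\{2,}", r"\\", path)
    return path.lower()


def basename(image: str) -> str:
    return ntpath.basename(normalize_path(image))


def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the normalized module path handed to rundll32, or None.
    Accepts both 'module.dll Export' and 'module.dll,Export' forms."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(tokens) < 2:
        return None
    module = tokens[1].strip('"').split(",", 1)[0]
    return normalize_path(module)


def detect(events):
    """Return (pid, rule_name) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = basename(e.image)  # lower-cased, so the mixed-case wmIc.exe matches
        if parent and basename(parent.image) in OFFICE_IMAGES and child in LOLBIN_CHILDREN:
            findings.append((e.pid, "office_spawned_lolbin"))
        if child == "rundll32.exe":
            module = rundll32_module(e.cmdline)
            if module and module.startswith(TEMP_PREFIX):
                findings.append((e.pid, "rundll32_module_in_windows_temp"))
            # A 64-bit rundll32 given a 32-bit DLL re-launches SysWOW64\rundll32.exe
            # with the same command line; a rundll32 whose parent is rundll32 with
            # the same module is that hop.
            if (parent and basename(parent.image) == "rundll32.exe"
                    and module and rundll32_module(parent.cmdline) == module):
                findings.append((e.pid, "rundll32_relaunched_other_bitness"))
    return findings


# Constructed events mirroring the report's tree. The report does not show the
# parent of wmIc.exe; EXCEL.EXE (pid 1852) is assumed here. explorer.exe (pid 900)
# and the shell32.dll rundll32 (pid 2100) are constructed benign controls.
EVENTS = [
    ProcEvent(900, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1852, 900, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r'C:\Users\Admin\AppData\Local\Temp\Report_18392.xls'),
    ProcEvent(856, 1852, r"C:\Windows\system32\wbem\wmIc.exe", "wmIc"),
    ProcEvent(1500, 856, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vzm14.dll InitHelperDll'),
    ProcEvent(316, 1500, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//vzm14.dll InitHelperDll'),
    ProcEvent(2100, 900, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Matching is done on the lower-cased image basename, so the mixed-case wmIc.exe the report records still hits the wmic.exe rule; a case-sensitive string match would not. The SysWOW64 rundll32 (pid 316) triggers two rules because its command line still names the System32 rundll32.exe: the image path, not the command line, tells you which bitness actually ran.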

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: Query Registry (T1012), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature

Downloads

  • C:\Users\Admin\AppData\Roaming\32D81.xsl
    MD5

    01549b78fde34e56cabf3a613d1ca543

    SHA1

    e00696b497f6039b3141d3c9e5838d7a884a25c1

    SHA256

    364d6357501ba92363bc9324f2f3e258cddc8e322af5e5676b1c90c58d812f00

    SHA512

    54e65eccb7e40abbe1682af66734b8fbd76c490fac587d2a29db4665180f909b1ebe3361f349c5b311fc708f4866688ee8aa6ef371afa12a3ab572d7f7aad760

  • C:\Windows\Temp\vzm14.dll
    MD5

    40a10c7e37310c74ee61ed7daf237ea4

    SHA1

    e2c3b25423acbed50b72ff1143589f1f3eddb229

    SHA256

    c938cc25e27afb6c3ad8527f7d0f6d97295c638e381ad0a90cf4548427f89a2f

    SHA512

    b1ca48c85012e3f741452afcb7f0b3144eac1d404abfd1fac58e16f2fd42a4a409732b8ead6f55c145dd343881c2979f5d6301a3536f0183696969efcf34cb77

  • \Windows\Temp\vzm14.dll
    MD5

    40a10c7e37310c74ee61ed7daf237ea4

    SHA1

    e2c3b25423acbed50b72ff1143589f1f3eddb229

    SHA256

    c938cc25e27afb6c3ad8527f7d0f6d97295c638e381ad0a90cf4548427f89a2f

    SHA512

    b1ca48c85012e3f741452afcb7f0b3144eac1d404abfd1fac58e16f2fd42a4a409732b8ead6f55c145dd343881c2979f5d6301a3536f0183696969efcf34cb77

  • memory/316-6-0x0000000000000000-mapping.dmp
  • memory/1500-4-0x0000000000000000-mapping.dmp
  • memory/1920-3-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp
    Filesize

    2.5MB