Analysis

  • max time kernel: 137s
  • max time network: 149s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 14-01-2021 07:10

General

  • Target: Report_18392.xls
  • Size: 762KB
  • MD5: 0e453e483119e62e58471b9ee48a358b
  • SHA1: 8fb9f595b9474368f7acaf81d15437c0bbf5a578
  • SHA256: 122533a946908e660880b2030174008bbb0791e5c5ac92651b24ae0589e8fa3d
  • SHA512: 211c79149b10ba7fe4dd185c0decc0512cd74fc34ede6521a4599769909049fe6aae8630910c721c68c1e2724f3e63aff0e59f43655e3f0cb4037d0e183e2292

Score: 10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs
    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • JavaScript code in executable 2 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs
    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Report_18392.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4652
  • C:\Windows\system32\wbem\wmIc.exe
    wmIc
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//2g2pc.dll InitHelperDll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//2g2pc.dll InitHelperDll
        3⤵
        • Loads dropped DLL
        PID:760
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 76
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:812

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Roaming\32D81.xsl
    MD5: 01549b78fde34e56cabf3a613d1ca543
    SHA1: e00696b497f6039b3141d3c9e5838d7a884a25c1
    SHA256: 364d6357501ba92363bc9324f2f3e258cddc8e322af5e5676b1c90c58d812f00
    SHA512: 54e65eccb7e40abbe1682af66734b8fbd76c490fac587d2a29db4665180f909b1ebe3361f349c5b311fc708f4866688ee8aa6ef371afa12a3ab572d7f7aad760

  • C:\Windows\Temp\2g2pc.dll
    MD5: 6bcd46989c419891ad0a8e1a6bae5d44
    SHA1: 88b5b6adbcf2d37f78d044fbd129f91f7193c1b1
    SHA256: 86a2a9cf28ba6424deea04cb0e3305a76f68380281fcbc4efdad58a4d3410bf1
    SHA512: 8eeb6263227609896219309deaaa8170c9f8a837469a41c6fb8a6534b035bf04280e5f5a8b33754e912aac80ff3bf4a05daaa43f2f4db1e82825b518961da0a0

  • \Windows\Temp\2g2pc.dll
    MD5: 6bcd46989c419891ad0a8e1a6bae5d44
    SHA1: 88b5b6adbcf2d37f78d044fbd129f91f7193c1b1
    SHA256: 86a2a9cf28ba6424deea04cb0e3305a76f68380281fcbc4efdad58a4d3410bf1
    SHA512: 8eeb6263227609896219309deaaa8170c9f8a837469a41c6fb8a6534b035bf04280e5f5a8b33754e912aac80ff3bf4a05daaa43f2f4db1e82825b518961da0a0

  • memory/584-4-0x0000000000000000-mapping.dmp
  • memory/760-6-0x0000000000000000-mapping.dmp
  • memory/812-8-0x0000000003FF0000-0x0000000003FF1000-memory.dmp
    Filesize: 4KB
  • memory/4652-2-0x00007FFBDFF70000-0x00007FFBE05A7000-memory.dmp
    Filesize: 6.2MB