Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 07:10
Static task: static1
Behavioral task: behavioral1 (Sample: Report_18392.xls; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Report_18392.xls; Resource: win10v20201028)
General
- Target: Report_18392.xls
- Size: 762KB
- MD5: 0e453e483119e62e58471b9ee48a358b
- SHA1: 8fb9f595b9474368f7acaf81d15437c0bbf5a578
- SHA256: 122533a946908e660880b2030174008bbb0791e5c5ac92651b24ae0589e8fa3d
- SHA512: 211c79149b10ba7fe4dd185c0decc0512cd74fc34ede6521a4599769909049fe6aae8630910c721c68c1e2724f3e63aff0e59f43655e3f0cb4037d0e183e2292
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process):
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 4212 | wmIc.exe
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    30 | 3164 | wmIc.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    760 | rundll32.exe
- JavaScript code in executable (2 IoCs)
  Processes (resource | yara_rule):
    C:\Windows\Temp\2g2pc.dll | js
    \Windows\Temp\2g2pc.dll | js
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    812 | 760 | WerFault.exe | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    4652 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid | process):
    812 | WerFault.exe (15 identical entries)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes (description | pid | process):
    Token: SeIncreaseQuotaPrivilege | 3164 | wmIc.exe
    Token: SeSecurityPrivilege | 3164 | wmIc.exe
    Token: SeTakeOwnershipPrivilege | 3164 | wmIc.exe
    Token: SeLoadDriverPrivilege | 3164 | wmIc.exe
    Token: SeSystemProfilePrivilege | 3164 | wmIc.exe
    Token: SeSystemtimePrivilege | 3164 | wmIc.exe
    Token: SeProfSingleProcessPrivilege | 3164 | wmIc.exe
    Token: SeIncBasePriorityPrivilege | 3164 | wmIc.exe
    Token: SeCreatePagefilePrivilege | 3164 | wmIc.exe
    Token: SeBackupPrivilege | 3164 | wmIc.exe
    Token: SeRestorePrivilege | 3164 | wmIc.exe
    Token: SeShutdownPrivilege | 3164 | wmIc.exe
    Token: SeDebugPrivilege | 3164 | wmIc.exe
    Token: SeSystemEnvironmentPrivilege | 3164 | wmIc.exe
    Token: SeRemoteShutdownPrivilege | 3164 | wmIc.exe
    Token: SeUndockPrivilege | 3164 | wmIc.exe
    Token: SeManageVolumePrivilege | 3164 | wmIc.exe
    Token: 33 | 3164 | wmIc.exe
    Token: 34 | 3164 | wmIc.exe
    Token: 35 | 3164 | wmIc.exe
    Token: 36 | 3164 | wmIc.exe
    (each of the 21 wmIc.exe entries above is recorded twice, 42 IoCs in total)
    Token: SeRestorePrivilege | 812 | WerFault.exe
    Token: SeBackupPrivilege | 812 | WerFault.exe
    Token: SeDebugPrivilege | 812 | WerFault.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid | process):
    4652 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
    PID 3164 wrote to memory of 584 | 3164 | wmIc.exe | rundll32.exe (2 entries)
    PID 584 wrote to memory of 760 | 584 | rundll32.exe | rundll32.exe (3 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4652, depth 1)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Report_18392.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\wmIc.exe (PID 3164, depth 1)
  wmIc
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (PID 584, depth 2)
    "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//2g2pc.dll InitHelperDll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 760, depth 3)
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//2g2pc.dll InitHelperDll
      - Loads dropped DLL
      - C:\Windows\SysWOW64\WerFault.exe (PID 812, depth 4)
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 76
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
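The signatures and process tree above describe the chain a detection engineer would want to catch: Excel reads CPU and BIOS description keys from the registry, wmic.exe shows up with wmiprvse.exe rather than Excel as its parent (a process created through WMI gets the provider host as its parent, which is why wmic.exe sits at depth 1 beside Excel instead of under it), and rundll32.exe is handed a DLL under C:\Windows\Temp through a forward-slash, double-separator path, launched as the mixed-case "wmIc". The Python below is an added example; it is not part of the report and not the sandbox's own signature logic. It applies rules for those three behaviours to a constructed event stream whose shape (type/pid/ppid/image/parent_image/cmdline/key) is an assumption standing in for Sysmon or EDR telemetry. Image paths, command lines, registry keys and PIDs 4652, 3164, 584 and 760 are copied from the report; wmic.exe's parent PID (4212, the report's pid_target value), the explorer.exe parents and the benign rundll32 control event are assumptions.

```python
"""Detection rules for the behaviours this report records, applied to a
constructed event stream (added example; not the sandbox's own logic)."""
import re

# Constructed telemetry mirroring the report's process tree and registry IoCs.
# The event shape is an assumption standing in for Sysmon/EDR records.
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
RUNDLL_CMD = r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//2g2pc.dll InitHelperDll'
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4652, "ppid": 1000, "image": EXCEL,
     "parent_image": r"C:\Windows\explorer.exe",  # parent assumed, not in the report
     "cmdline": '"' + EXCEL + r'" "C:\Users\Admin\AppData\Local\Temp\Report_18392.xls"'},
    {"type": "registry", "pid": 4652, "image": EXCEL,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"type": "registry", "pid": 4652, "image": EXCEL,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    # wmic.exe is not a child of Excel: a process created through WMI gets
    # wmiprvse.exe as its parent. 4212 is the report's pid_target (assumed to be wmiprvse).
    {"type": "process", "pid": 3164, "ppid": 4212,
     "image": r"C:\Windows\system32\wbem\wmIc.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe", "cmdline": "wmIc"},
    {"type": "process", "pid": 584, "ppid": 3164,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmIc.exe", "cmdline": RUNDLL_CMD},
    {"type": "process", "pid": 760, "ppid": 584,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "cmdline": RUNDLL_CMD},
    # Benign control (constructed): rundll32 with a System32 DLL must not fire.
    {"type": "process", "pid": 900, "ppid": 1000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
]


def norm(path: str) -> str:
    """Fold case and separators so 'wmIc.exe' and 'C:/Windows/Temp//x.dll'
    cannot slip past a literal match on 'wmic.exe' or 'C:\\Windows\\Temp\\'."""
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def unexpected_parent(ev) -> bool:
    """Report signature: wmiprvse.exe is not an expected parent of wmic.exe."""
    return (ev["type"] == "process"
            and basename(ev["parent_image"]) == "wmiprvse.exe"
            and basename(ev["image"]) == "wmic.exe")


# A drive-rooted path containing a \temp\ component and ending in .dll, after norm().
DLL_IN_TEMP = re.compile(r"[a-z]:\\[^\s,\"]*\\temp\\+[^\s,\"]*\.dll")


def dll_from_temp(ev):
    """rundll32.exe given a DLL under a Temp directory (the report shows
    C:\\Windows\\Temp; a user's AppData\\Local\\Temp matches as well)."""
    if ev["type"] != "process" or basename(ev["image"]) != "rundll32.exe":
        return None
    m = DLL_IN_TEMP.search(norm(ev["cmdline"]))
    return m.group(0) if m else None


OFFICE = {"excel.exe"}  # assumption: extend with other Office images as needed
FINGERPRINT_KEYS = (r"\centralprocessor\0\~mhz", r"\centralprocessor\0\processornamestring",
                    r"\bios\systemfamily", r"\bios\systemsku")


def office_fingerprints_host(ev) -> bool:
    """Office reading the CPU/BIOS keys the report lists under its sandbox-check signatures."""
    return (ev["type"] == "registry" and basename(ev["image"]) in OFFICE
            and norm(ev["key"]).endswith(FINGERPRINT_KEYS))


def ancestry(events, pid):
    """Follow ppid links as far as the stream allows, innermost process first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def run_rules(events):
    """Return (rule, pid, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        if unexpected_parent(ev):
            findings.append(("unexpected_parent", ev["pid"], basename(ev["parent_image"])))
        dll = dll_from_temp(ev)
        if dll:
            findings.append(("rundll32_dll_from_temp", ev["pid"], dll))
        if office_fingerprints_host(ev):
            findings.append(("office_host_fingerprint", ev["pid"], ev["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_rules(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
    print("ancestry of 760:", " <- ".join(ancestry(SAMPLE_EVENTS, 760)))
```

The rules normalize case and separators before matching, so a literal check for `C:\Windows\Temp\` or `wmic.exe` would miss both quirks the report shows. `ancestry(SAMPLE_EVENTS, 760)` walks back only as far as wmic.exe and never reaches Excel, so a rule keyed on "Office process spawns rundll32" stays silent on this chain; the wmiprvse.exe-to-wmic.exe edge the sandbox flagged is the edge worth alerting on.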
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\32D81.xsl
  MD5: 01549b78fde34e56cabf3a613d1ca543
  SHA1: e00696b497f6039b3141d3c9e5838d7a884a25c1
  SHA256: 364d6357501ba92363bc9324f2f3e258cddc8e322af5e5676b1c90c58d812f00
  SHA512: 54e65eccb7e40abbe1682af66734b8fbd76c490fac587d2a29db4665180f909b1ebe3361f349c5b311fc708f4866688ee8aa6ef371afa12a3ab572d7f7aad760
- C:\Windows\Temp\2g2pc.dll (also recorded as \Windows\Temp\2g2pc.dll with identical hashes)
  MD5: 6bcd46989c419891ad0a8e1a6bae5d44
  SHA1: 88b5b6adbcf2d37f78d044fbd129f91f7193c1b1
  SHA256: 86a2a9cf28ba6424deea04cb0e3305a76f68380281fcbc4efdad58a4d3410bf1
  SHA512: 8eeb6263227609896219309deaaa8170c9f8a837469a41c6fb8a6534b035bf04280e5f5a8b33754e912aac80ff3bf4a05daaa43f2f4db1e82825b518961da0a0
- memory/584-4-0x0000000000000000-mapping.dmp
- memory/760-6-0x0000000000000000-mapping.dmp
- memory/812-8-0x0000000003FF0000-0x0000000003FF1000-memory.dmp (Filesize: 4KB)
- memory/4652-2-0x00007FFBDFF70000-0x00007FFBE05A7000-memory.dmp (Filesize: 6.2MB)