Analysis
- max time kernel: 142s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-01-2021 06:55
Static task: static1

Behavioral task: behavioral1
- Sample: Revised-RBG-180129940.xlsx
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: Revised-RBG-180129940.xlsx
- Resource: win10v20201028
General
- Target: Revised-RBG-180129940.xlsx
- Size: 402KB
- MD5: 9a21b20bf0f722b2cd46058cbfad5571
- SHA1: f359c45f331d5b159a1ae6ef80135f937bf32856
- SHA256: 7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753
- SHA512: 8f350b572b864c5a2a96ad8306266e1cc6dfb7c3d81d18894dfdddda099a9d21a97b3aabaee41769693e862158f5282bc873d2f0e9bcfdea3be62a0b4e116328
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE

| pid | process |
|---|---|
| 4000 | EXCEL.EXE |
| 1288 | WINWORD.EXE |
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE

| description | pid | process |
|---|---|---|
| Token: SeAuditPrivilege | 1288 | WINWORD.EXE |
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE

| pid | process |
|---|---|
| 4000 | EXCEL.EXE |
| 4000 | EXCEL.EXE |
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE

| pid | process | IoC count |
|---|---|---|
| 4000 | EXCEL.EXE | 12 |
| 1288 | WINWORD.EXE | 4 |
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE

| description | pid | process | target process |
|---|---|---|---|
| PID 1288 wrote to memory of 1564 | 1288 | WINWORD.EXE | splwow64.exe |
| PID 1288 wrote to memory of 1564 | 1288 | WINWORD.EXE | splwow64.exe |
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Revised-RBG-180129940.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (depth 2, child of WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  - MD5: 913295ae276ac3b81a7be9fd9bfb6afa
  - SHA1: 9bd14d91c6cc4038d0232c987d2290ee92712ba2
  - SHA256: 71d9343548e2b881bce4a4f620c05c3812a41fb0a0b986f2f0501a87e8d6902d
  - SHA512: 94005bc5fe89f8e84b7d3a1c7552f1f8393945c4b6ecb2596b9de12cbaacc159febebd5d640d9f3ce0487a3f6929a26547eb7a9921350edf15efa05da4159138
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  - MD5: 6999b645b02cffb969d479289317d44c
  - SHA1: ec477d1054ed63d8c8c8650328e6f85890522258
  - SHA256: 4a95336f31c461cb4b4ff21496efaadc89d87d1e263a806b7432ed352f2b03d0
  - SHA512: b869d46434afb47cb7c6833bf10bfd6b95d031dbe7f90580ca60e675e4fad31531ec4b43adb80687188eab29ccb0d0253c9b90822600b7f6388480da7b2292e3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\document_v4120012[1].doc
  - MD5: 446988fed3c06a2a0195479fccbed955
  - SHA1: 3650070fada6121e813e3635b3734d9e80f43653
  - SHA256: 4329673b6bb9797151a7eab278f0b82466d73303149f2e9ab797a95d04a982bd
  - SHA512: f00dd3d683087321ac0d200fa995a51b8c65109e5c1786b2a7f47b34b69b64d257ceca6b4a380ea6165f7268bc673e8d6861c992e47dda9cbf1c18c251714ab2
- memory/1288-10-0x00007FFCBFC70000-0x00007FFCC02A7000-memory.dmp (Filesize: 6.2MB)
- memory/1564-13-0x0000000000000000-mapping.dmp
- memory/1564-14-0x0000000002890000-0x0000000002991000-memory.dmp (Filesize: 1.0MB)
- memory/4000-2-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp (Filesize: 64KB)
- memory/4000-3-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp (Filesize: 64KB)
- memory/4000-4-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp (Filesize: 64KB)
- memory/4000-5-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp (Filesize: 64KB)
- memory/4000-6-0x00007FFCBFC70000-0x00007FFCC02A7000-memory.dmp (Filesize: 6.2MB)