Analysis
-
max time kernel
145s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-03-2021 19:10
Static task
static1
Behavioral task
behavioral1
Sample
d3127b922e70794c42034aaf238cb358.xlsm
Resource
win7v20201028
Behavioral task
behavioral2
Sample
d3127b922e70794c42034aaf238cb358.xlsm
Resource
win10v20201028
General
-
Target
d3127b922e70794c42034aaf238cb358.xlsm
-
Size
359KB
-
MD5
d3127b922e70794c42034aaf238cb358
-
SHA1
0ab11895b528eeabf2e544567f0f467d27b7a1fb
-
SHA256
8bac502d02aebef57de2e4b324a71cb0d843c7cc1c66082ab37405e83afa6993
-
SHA512
860afda64d73a9761faaeb096cdb8294c93121e4b3c85bbae9e3c66f650234a9721c6801afd11af02b376936d3b6ad32ee20b7ce526ce54ded97e358b9a15284
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3964 3460 wmic.exe -
Blocklisted process makes network request 3 IoCs
Processes:
wmic.exeflow pid process 32 3964 wmic.exe 34 3964 wmic.exe 36 3964 wmic.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 652 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
wmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 3964 wmic.exe Token: SeSecurityPrivilege 3964 wmic.exe Token: SeTakeOwnershipPrivilege 3964 wmic.exe Token: SeLoadDriverPrivilege 3964 wmic.exe Token: SeSystemProfilePrivilege 3964 wmic.exe Token: SeSystemtimePrivilege 3964 wmic.exe Token: SeProfSingleProcessPrivilege 3964 wmic.exe Token: SeIncBasePriorityPrivilege 3964 wmic.exe Token: SeCreatePagefilePrivilege 3964 wmic.exe Token: SeBackupPrivilege 3964 wmic.exe Token: SeRestorePrivilege 3964 wmic.exe Token: SeShutdownPrivilege 3964 wmic.exe Token: SeDebugPrivilege 3964 wmic.exe Token: SeSystemEnvironmentPrivilege 3964 wmic.exe Token: SeRemoteShutdownPrivilege 3964 wmic.exe Token: SeUndockPrivilege 3964 wmic.exe Token: SeManageVolumePrivilege 3964 wmic.exe Token: 33 3964 wmic.exe Token: 34 3964 wmic.exe Token: 35 3964 wmic.exe Token: 36 3964 wmic.exe Token: SeIncreaseQuotaPrivilege 3964 wmic.exe Token: SeSecurityPrivilege 3964 wmic.exe Token: SeTakeOwnershipPrivilege 3964 wmic.exe Token: SeLoadDriverPrivilege 3964 wmic.exe Token: SeSystemProfilePrivilege 3964 wmic.exe Token: SeSystemtimePrivilege 3964 wmic.exe Token: SeProfSingleProcessPrivilege 3964 wmic.exe Token: SeIncBasePriorityPrivilege 3964 wmic.exe Token: SeCreatePagefilePrivilege 3964 wmic.exe Token: SeBackupPrivilege 3964 wmic.exe Token: SeRestorePrivilege 3964 wmic.exe Token: SeShutdownPrivilege 3964 wmic.exe Token: SeDebugPrivilege 3964 wmic.exe Token: SeSystemEnvironmentPrivilege 3964 wmic.exe Token: SeRemoteShutdownPrivilege 3964 wmic.exe Token: SeUndockPrivilege 3964 wmic.exe Token: SeManageVolumePrivilege 3964 wmic.exe Token: 33 3964 wmic.exe Token: 34 3964 wmic.exe Token: 35 3964 wmic.exe Token: 36 3964 wmic.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE 652 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
wmic.exedescription pid process target process PID 3964 wrote to memory of 3164 3964 wmic.exe rundll32.exe PID 3964 wrote to memory of 3164 3964 wmic.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d3127b922e70794c42034aaf238cb358.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:652
-
C:\Windows\system32\wbem\wmic.exewmic os get /format:"C:\Users\Admin\AppData\Roaming\357BF.xsl"1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//bd2oj.dll RunXml2⤵PID:3164
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\357BF.xslMD5
7d698fe6441ba051b9445fb35c6296c7
SHA1e7c940533df3415b17416701d2da27602843fd84
SHA2564c2ef808ef4bfd79dcc35a89c3f8eb1743a9e94b80e4372da72bdce4bc712934
SHA5122dcf1f94e68669f8ac91bd3a66bcd11332b9722a22d8f0c5e8daf37c35da7d6e817c8f09504992b73624d1f63660f956798c067fff922a987ded7439f9ba54d2
-
C:\Windows\Temp\bd2oj.dllMD5
7b73f442b523b7d8da25a1bfd365fea3
SHA1e4e2d9b6219b8b2c2f682afbd6feab83bf8401a0
SHA256ab20a5ee4c252e0326509dca7baf29819fdff75145487d5cadf4046ae2a91a28
SHA512b07a285a24a76e34e348d4a6a099f005441f780b7585853311c04698ee1528a17f2237720a441dc9f5051b9e595e75fd1c9b83f77714c3cbfbc51943f1f180ec
-
memory/652-2-0x00007FFC10600000-0x00007FFC10610000-memory.dmpFilesize
64KB
-
memory/652-3-0x00007FFC10600000-0x00007FFC10610000-memory.dmpFilesize
64KB
-
memory/652-4-0x00007FFC10600000-0x00007FFC10610000-memory.dmpFilesize
64KB
-
memory/652-5-0x00007FFC10600000-0x00007FFC10610000-memory.dmpFilesize
64KB
-
memory/652-6-0x00007FFC336D0000-0x00007FFC33D07000-memory.dmpFilesize
6.2MB
-
memory/652-7-0x000001EAA8880000-0x000001EAA8884000-memory.dmpFilesize
16KB
-
memory/3164-9-0x0000000000000000-mapping.dmp