Analysis

  • max time kernel
    71s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-03-2021 17:39

General

  • Target

    SpaceX Starbase Invite.xlsm

  • Size

    253KB

  • MD5

    5fd44b5a1abea3f880bfa3e32b0dda43

  • SHA1

    835621322f1ee6cb637c94d50efa7f704bd4b650

  • SHA256

    cf143b7f45179622dce93a753765349436506ac2b035c007b1699ba1490a31c9

  • SHA512

    b04e88dbde0aa441bd0d17871cd9c85e22b934bbefcb69a52d6016274d2fecfb69553b2c41610bdd470d91d0c8167c59d562814a398d1948056d4897a9cdcd08

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 9 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (40 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
    PID: 892
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\29C89.xsl"
    PID: 1604
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//6gxyf.dll ValidateLog
      PID: 1664

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: System Information Discovery, T1082 (2)
  • Discovery: Query Registry, T1012 (1)


Downloads

  • C:\Users\Admin\AppData\Roaming\29C89.xsl
    MD5
    582c07aed84e102e550fbca393750c83
    SHA1
    d45dd2789e9680995246c5b4ca0211ffdfa3a58e
    SHA256
    5d721d36f66a9102fc074f0cf9930e3237541b147ef706ec9491cd25d89734b8
    SHA512
    d1f5a419d036effaa74d8e0f49973b00ef788570c0b7d220316a1ec918c3c5a9c5ee2189502ae211718e23a694b1f639e840e408eaaafc20bf8a89a435a2cb30

  • C:\Windows\Temp\6gxyf.dll
    MD5
    20a18d76cd5eb64e116f5be06fa79639
    SHA1
    dfe3d840576cc4f857539b053dc514658cf3b9fb
    SHA256
    a6ad4d874891ce3823cf9b6506112a0431a421b197bfc6aa7527a07983ea9007
    SHA512
    d19296962639a64fb8074b1e069deb5c4229c9163061a3fdf3e5b3a9da039d599d9aa2b42b42e456e2b4ac6c9da6b6eb3e809b40b9cb4cf4a1f94b449080da2e

  • memory/892-2-0x000000002FDD1000-0x000000002FDD4000-memory.dmp
    Filesize: 12KB

  • memory/892-3-0x0000000071131000-0x0000000071133000-memory.dmp
    Filesize: 8KB

  • memory/892-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/892-5-0x0000000005D60000-0x0000000005D62000-memory.dmp
    Filesize: 8KB

  • memory/1188-7-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp
    Filesize: 2.5MB

  • memory/1664-8-0x0000000000000000-mapping.dmp