Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-03-2021 06:10

General

  • Target

    SpaceX Starbase Invite.xlsm

  • Size

    240KB

  • MD5

    c203a4725a47fe34b5811a122d45733e

  • SHA1

    6c39c1922d4f2c5b50d8431ec1b61e73b7d2731f

  • SHA256

    99bd5914039d840274690ce7223d6504d72724a3eb55dd4dfce6de855b989174

  • SHA512

    28b619c7ff7fd25f01a5231930c9913498c9e47056683cf98464fd48b938782c48e64f26f35401573031319da3d9f20543a61774c86710a5e3449b88063175f3

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:740
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\5371.xsl"
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//1gfhd.dll ValidateLog
      2⤵
      PID:1528

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Defense Evasion
      • Modify Registry, T1112 (2)
      • Install Root Certificate, T1130 (1)
    • Discovery
      • System Information Discovery, T1082 (2)
      • Query Registry, T1012 (1)

    Downloads

    • C:\Users\Admin\AppData\Roaming\5371.xsl
      MD5

      b67c73bf9faa4f624ccf10c32df010c9

      SHA1

      aec7da5f660bdc8eddcd5bc7df37b130b165c66a

      SHA256

      0b22a69f60a8a4ae0f891f08c6c313ea9892c223d574f7002a34781d9b69666e

      SHA512

      b4fe6c758621dbe9ea8e0536dc86bca85e2c7707b510cf242be738f605f05f8d90d59a8d9a15857b8f1daf69438a4285705e48266731944fd588027b56f64119

    • C:\Windows\Temp\1gfhd.dll
      MD5

      9dd62e366b9b97c6a47f890d040dd194

      SHA1

      664cf08363e8d8f62b11fcad1c1175557cd1171f

      SHA256

      6717531c94a258557f15e2d71305ca9af8c2fd52d0849e0378ed94ea995c45a2

      SHA512

      03b88696b5ec3fc373e5d78b31cd6b8feabe8b335d9862296f825631be3adacba1566be82f1bccbc0bde507b2835142db36be6b0e6eb1ab56f52f07cf741f2a7

    • memory/740-2-0x000000002FFD1000-0x000000002FFD4000-memory.dmp
      Filesize

      12KB

    • memory/740-3-0x0000000071441000-0x0000000071443000-memory.dmp
      Filesize

      8KB

    • memory/740-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/740-5-0x0000000005AF0000-0x0000000005AF2000-memory.dmp
      Filesize

      8KB

    • memory/1528-8-0x0000000000000000-mapping.dmp
    • memory/1552-7-0x000007FEF7590000-0x000007FEF780A000-memory.dmp
      Filesize

      2.5MB