Analysis

  • max time kernel: 139s
  • max time network: 138s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 09-03-2021 06:10

General

  • Target: SpaceX Starbase Invite.xlsm
  • Size: 240KB
  • MD5: c203a4725a47fe34b5811a122d45733e
  • SHA1: 6c39c1922d4f2c5b50d8431ec1b61e73b7d2731f
  • SHA256: 99bd5914039d840274690ce7223d6504d72724a3eb55dd4dfce6de855b989174
  • SHA512: 28b619c7ff7fd25f01a5231930c9913498c9e47056683cf98464fd48b938782c48e64f26f35401573031319da3d9f20543a61774c86710a5e3449b88063175f3

Score: 10/10

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (42 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 580)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\wbem\wmic.exe (PID 664)
    Command line: wmic os get /format:"C:\Users\Admin\AppData\Roaming\5371.xsl"
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\rundll32.exe (PID 472)
      Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ies6j.dll ValidateLog

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Install Root Certificate (1) T1130
    • Modify Registry (1) T1112
  • Discovery
    • System Information Discovery (3) T1082
    • Query Registry (2) T1012


Downloads

  • C:\Users\Admin\AppData\Roaming\5371.xsl
    MD5: b67c73bf9faa4f624ccf10c32df010c9
    SHA1: aec7da5f660bdc8eddcd5bc7df37b130b165c66a
    SHA256: 0b22a69f60a8a4ae0f891f08c6c313ea9892c223d574f7002a34781d9b69666e
    SHA512: b4fe6c758621dbe9ea8e0536dc86bca85e2c7707b510cf242be738f605f05f8d90d59a8d9a15857b8f1daf69438a4285705e48266731944fd588027b56f64119
  • C:\Windows\Temp\ies6j.dll
    MD5: d3683d12c3244df6134c069aefffbef3
    SHA1: 9cbfb9fa792513bd242857556d5970c9b5c45775
    SHA256: 1dd03784fbed4ca11f843771dfe7059c32100fc2506454768ceec1ffba870ec6
    SHA512: 441e307751fe3cdc556266d00cecec08afa3e398e91d5a3c21ad4c553a6154354ccd404e6cd04bac4b96bc56517e26a3ad2eaeaf78c8ca9974000c89e9007665
  • memory/472-9-0x0000000000000000-mapping.dmp
  • memory/580-2-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp (Filesize: 64KB)
  • memory/580-3-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp (Filesize: 64KB)
  • memory/580-4-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp (Filesize: 64KB)
  • memory/580-5-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp (Filesize: 64KB)
  • memory/580-6-0x00007FFE99BC0000-0x00007FFE9A1F7000-memory.dmp (Filesize: 6.2MB)
  • memory/580-7-0x00000251A97F0000-0x00000251A97F4000-memory.dmp (Filesize: 16KB)