Analysis

  • max time kernel: 69s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 09-03-2021 03:36

General

  • Target: SecuriteInfo.com.VB.Heur2.EmoDldr.16.17436866.Gen.19501.16600.xlsm
  • Size: 254KB
  • MD5: 389b02e6843fe288c18f784be63df9c1
  • SHA1: 2d86d4f667515c092984fd02ce99d20aac3608c5
  • SHA256: 21bf810cf015e8ffec9b844632a94274d9d387ad528e7d75adf116acea5a4d4b
  • SHA512: 4063a50788eb5f896c9d68fbcdf3f621d1c63b3a091c5d67699c2926499f1fd7a7b0dfee76c2a15cc907230c9cf64c859ab96e5b3885f33e9f42d544905fd764

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.16.17436866.Gen.19501.16600.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:292
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\333FC.xsl"
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:284
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//5ir9h.dll ValidateLog
      2⤵
        PID:1184
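Detection logic for the process chain shown above, added here as an example and not part of the Triage report: an Office process spawning wmic.exe with `/format:` pointing at an attacker-supplied XSL file (WMI XSL script processing, the "Squiblytwo" LOLBin pattern), followed by rundll32.exe loading a DLL from a user-writable directory by export name. The event records are constructed from the report's command lines in a Sysmon-Event-1-like shape (pid, ppid, image, cmdline); the parent PIDs are an assumption, since the report draws wmic.exe at tree depth 1 rather than explicitly under EXCEL.EXE, and the benign `wmic os get /format:list` control event is invented.

```python
"""Added example: detect the wmic /format: XSL -> rundll32 chain from the report.
Not the sandbox's own signature code. Event records are constructed; parent
PIDs are assumed (the report does not state them explicitly)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"wmic.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# Directories a non-admin user (and therefore an Office macro) can write to.
USER_WRITABLE = ("\\users\\", "\\windows\\temp\\", "\\programdata\\")
FORMAT_RE = re.compile(r'/format:"?([^"\s]+)', re.IGNORECASE)
DLL_RE = re.compile(r'"?([a-z]:[\\/][^"\s]+\.dll)"?(?:[\s,]+(\w+))?', re.IGNORECASE)


def norm(path: str) -> str:
    """Fold forward slashes and doubled separators (Windows accepts both, and the
    rundll32 line in the report uses them) and lowercase, so substring checks hold."""
    return re.sub(r"[\\/]+", r"\\", path).lower()


def basename(image: str) -> str:
    return norm(image).rsplit("\\", 1)[-1]


def wmic_external_xsl(ev: ProcEvent):
    """Return the normalised XSL path when wmic renders with a file or URL."""
    if basename(ev.image) != "wmic.exe":
        return None
    m = FORMAT_RE.search(ev.cmdline)
    if not m:
        return None
    fmt = m.group(1)
    # Built-in formats are bare keywords (list, csv, htable, ...) that wmic maps
    # to XSL files under System32\wbem; a path or URL is attacker-controlled XSL.
    return norm(fmt) if re.search(r"[\\/:]", fmt) else None


def rundll32_writable_dll(ev: ProcEvent):
    """Return 'dllpath export=NAME' when rundll32 loads a DLL from a writable dir."""
    if basename(ev.image) != "rundll32.exe":
        return None
    for path, export in DLL_RE.findall(ev.cmdline):
        p = norm(path)
        if any(w in p for w in USER_WRITABLE):
            return f"{p} export={export or '?'}"
    return None


def office_spawns_lolbin(ev: ProcEvent, by_pid):
    parent = by_pid.get(ev.ppid)
    if parent is None:
        return None
    child, par = basename(ev.image), basename(parent.image)
    return f"{par} -> {child}" if par in OFFICE_APPS and child in LOLBINS else None


def analyze(events):
    """Return (pid, rule, detail) tuples; the chain rule correlates the others."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hit = wmic_external_xsl(ev)
        if hit:
            findings.append((ev.pid, "wmic_external_xsl", hit))
        hit = rundll32_writable_dll(ev)
        if hit:
            findings.append((ev.pid, "rundll32_writable_dll", hit))
        hit = office_spawns_lolbin(ev, by_pid)
        if hit:
            findings.append((ev.pid, "office_spawns_lolbin", hit))
    # A rundll32 child of a wmic-with-external-XSL process is the complete
    # download-and-execute chain from the report; flag it as its own finding.
    xsl_pids = {pid for pid, rule, _ in findings if rule == "wmic_external_xsl"}
    for ev in events:
        if ev.ppid in xsl_pids and rundll32_writable_dll(ev):
            findings.append((ev.pid, "xsl_download_execute_chain",
                             f"wmic pid {ev.ppid} -> rundll32 pid {ev.pid}"))
    return findings


# Constructed events mirroring the report's command lines (ppids assumed),
# plus one benign wmic call with a built-in format keyword as a control.
SAMPLE_EVENTS = [
    ProcEvent(292, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\sample.xlsm'),
    ProcEvent(284, 292, r"C:\Windows\system32\wbem\wmic.exe",
              r'wmic os get /format:"C:\Users\Admin\AppData\Roaming\333FC.xsl"'),
    ProcEvent(1184, 284, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//5ir9h.dll ValidateLog'),
    ProcEvent(500, 1000, r"C:\Windows\system32\wbem\wmic.exe", "wmic os get /format:list"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The `/format:` check keys on the argument being a path or URL rather than a keyword, which is what separates the report's `333FC.xsl` under `AppData\Roaming` from legitimate `wmic ... /format:csv` usage; the control event with `/format:list` produces no finding. Path normalisation matters because the dropped DLL is referenced as `C:/Windows/Temp//5ir9h.dll`, a spelling that defeats naive prefix matching on `C:\Windows\Temp\`.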

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Defense Evasion
      • Modify Registry (T1112): 2
      • Install Root Certificate (T1130): 1

    Discovery
      • System Information Discovery (T1082): 2
      • Query Registry (T1012): 1

    Downloads

    • C:\Users\Admin\AppData\Roaming\333FC.xsl
      MD5: 7c1761fd4a2a5addc3ed8cd08ceb249c
      SHA1: 6d8148cc3ad46e0f3ca55914bac32e7d87b04987
      SHA256: 0f3767b58eff56ec41893843466eb3fcef36ac834b02bcb3fea1646f4e98b55e
      SHA512: dcaea5ca1f512e2edd74363ef9bed840697c810f818b71f6a406b1f6d8f50d70c477556ba83f4056cec3d52385d77548951da98ae072db89e310712d3f4963d8

    • C:\Windows\Temp\5ir9h.dll
      MD5: 835ef92688c8c1af0eadd5c9d3f4a7a4
      SHA1: 2270b1f4e4c6728f1042d17ac941c3556ea76781
      SHA256: bc52b0076d73047ba568fd02e62a0e455f0b17b0a374ca2fd8add5379b910a9f
      SHA512: 858573b13357e7ae62ed36e0339335e2455f37d0469ad38f0278f17a9b95bc9001ac3fc72c4cae768901f8b9eb1c8bc40c38e79af266f2a0f825e3ce59cf751c

    • memory/292-2-0x000000002FAC1000-0x000000002FAC4000-memory.dmp
      Filesize: 12KB

    • memory/292-3-0x0000000071CE1000-0x0000000071CE3000-memory.dmp
      Filesize: 8KB

    • memory/292-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize: 64KB

    • memory/292-5-0x0000000005A00000-0x0000000005A02000-memory.dmp
      Filesize: 8KB

    • memory/544-7-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp
      Filesize: 2.5MB

    • memory/1184-8-0x0000000000000000-mapping.dmp