Analysis

  • max time kernel
    136s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-03-2021 03:36

General

  • Target

    SecuriteInfo.com.VB.Heur2.EmoDldr.16.17436866.Gen.19501.16600.xlsm

  • Size

    254KB

  • MD5

    389b02e6843fe288c18f784be63df9c1

  • SHA1

    2d86d4f667515c092984fd02ce99d20aac3608c5

  • SHA256

    21bf810cf015e8ffec9b844632a94274d9d387ad528e7d75adf116acea5a4d4b

  • SHA512

    4063a50788eb5f896c9d68fbcdf3f621d1c63b3a091c5d67699c2926499f1fd7a7b0dfee76c2a15cc907230c9cf64c859ab96e5b3885f33e9f42d544905fd764

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.16.17436866.Gen.19501.16600.xlsm"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1032
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\333FC.xsl"
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//lu8wm.dll ValidateLog
      PID:1196

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Install Root Certificate (T1130): 1
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 3
    • Query Registry (T1012): 2


Downloads

  • C:\Users\Admin\AppData\Roaming\333FC.xsl

    MD5: 7c1761fd4a2a5addc3ed8cd08ceb249c
    SHA1: 6d8148cc3ad46e0f3ca55914bac32e7d87b04987
    SHA256: 0f3767b58eff56ec41893843466eb3fcef36ac834b02bcb3fea1646f4e98b55e
    SHA512: dcaea5ca1f512e2edd74363ef9bed840697c810f818b71f6a406b1f6d8f50d70c477556ba83f4056cec3d52385d77548951da98ae072db89e310712d3f4963d8

  • C:\Windows\Temp\lu8wm.dll

    MD5: e094ee1b3ffefc84819e95aed1c28bf0
    SHA1: 54092cbe67c81dd25e98ff3ca1a2a8153053f74e
    SHA256: 477beeeea2c6e63cede5da374775a2c13dda91dc39cbf4d3408116362d8591bd
    SHA512: 30ce42c4df639f252d8a656b37327d0089e2d309e196aec6ce2d5dc8e2baac7949fdb80a21f641ba1846cdd3c0a6796866a6135bbf288a3f3c2748a15883216a

  • memory/1032-2-0x00007FFC119D0000-0x00007FFC119E0000-memory.dmp
    Filesize: 64KB

  • memory/1032-3-0x00007FFC119D0000-0x00007FFC119E0000-memory.dmp
    Filesize: 64KB

  • memory/1032-4-0x00007FFC119D0000-0x00007FFC119E0000-memory.dmp
    Filesize: 64KB

  • memory/1032-5-0x00007FFC119D0000-0x00007FFC119E0000-memory.dmp
    Filesize: 64KB

  • memory/1032-6-0x00007FFC35800000-0x00007FFC35E37000-memory.dmp
    Filesize: 6.2MB

  • memory/1032-7-0x0000026101A20000-0x0000026101A24000-memory.dmp
    Filesize: 16KB

  • memory/1196-9-0x0000000000000000-mapping.dmp