Analysis

  • max time kernel
    73s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-03-2021 01:59

General

  • Target

    SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm

  • Size

    244KB

  • MD5

    465073cff94c47ab863e5e9a5822c35d

  • SHA1

    be9cb1aa91056bbb4d9b8ad82b43ffdb85dbe36a

  • SHA256

    749f0d02e40de3105c7086ae9073dd71ea494ab873cc1b32bc4ae25ac72d892e

  • SHA512

    d11e4095a55b7388635b7eaf0bba3295a7d70ffa9d57b255ba97244c63952aa802adf95cf4fad6c44530b8c83cd2def1959ff4a7b722bbc27a170e3c187df650

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmic.exe (PID 1708): its /format: switch made it execute the dropped 9851.xsl stylesheet (XSL script processing), which in turn launched rundll32.exe (PID 1536) against the dropped sbsbu.dll.

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic heuristic: it is common in ransomware, but on its own it is not evidence of file encryption, and nothing else in this report shows encryption activity.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1752
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\9851.xsl"
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//sbsbu.dll ValidateLog
      2⤵
        PID:1536

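The process tree above is the WMIC XSL-stylesheet chain: wmic.exe given a `/format:` argument that points at a dropped .xsl instead of a built-in stylesheet, and a rundll32.exe child that loads a DLL from C:\Windows\Temp. The script below is an added example by the editor, not part of the sandbox report, showing how a detection pipeline can flag exactly these three facts from process-creation events. The event records are constructed from the command lines on this page; the PIDs follow the tree, the parent PIDs the report does not show are assumed to be 0 (unknown), and the record layout is a hypothetical schema rather than any specific EDR or Sysmon format.

```python
"""
Detect the wmic /format:<non-builtin XSL> -> rundll32 <DLL in user-writable dir> chain.

Added example, not code from the sandbox report. Event records below are constructed
from the command lines on the page; field names are a hypothetical schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Built-in stylesheets (csv.xsl, htable.xsl, ...) live here; any other path is suspect.
WBEM_DIR = "c:\\windows\\system32\\wbem\\"
# Directories a standard user can write to; rundll32 loading a DLL from here is suspect.
USER_WRITABLE = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                 "\\appdata\\roaming\\", "\\users\\public\\")
# wmic.exe only runs queries; a child process means the stylesheet (or WMI) executed code.
NO_CHILDREN = {"wmic.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"wmic.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe"}

XSL_FORMAT = re.compile(r'/format\s*:\s*"?([^"\s]+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def norm(path: str) -> str:
    """Lower-case, map '/' to '\\', collapse repeated separators (not UNC-safe)."""
    p = path.strip('"').replace("/", "\\").lower()
    return re.sub(r"\\{2,}", r"\\", p)


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_wmic_xsl(ev: ProcEvent) -> str | None:
    """wmic.exe /format: pointing at a stylesheet that is not a built-in one."""
    if basename(ev.image) != "wmic.exe":
        return None
    m = XSL_FORMAT.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1)
    if re.match(r"https?://", target, re.IGNORECASE):
        return f"wmic /format: loads remote stylesheet {target}"
    if "\\" in norm(target) and not norm(target).startswith(WBEM_DIR):
        return f"wmic /format: loads stylesheet outside wbem: {target}"
    return None  # bare names such as /format:list are the normal case


def check_rundll32_writable(ev: ProcEvent) -> str | None:
    """rundll32.exe loading its DLL from a user-writable directory."""
    if basename(ev.image) != "rundll32.exe":
        return None
    toks = tokens(ev.cmdline)
    if len(toks) < 2:
        return None
    dll = norm(toks[1].split(",", 1)[0])  # rundll32 also accepts "dll,Export"
    if any(marker in dll for marker in USER_WRITABLE):
        return f"rundll32 loads DLL from user-writable path: {toks[1]}"
    return None


def check_parentage(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> str | None:
    """Unexpected parent/child pairs: wmic spawning anything, Office spawning a LOLBin."""
    parent = by_pid.get(ev.ppid)
    if parent is None:
        return None
    p, c = basename(parent.image), basename(ev.image)
    if p in NO_CHILDREN or (p in OFFICE_APPS and c in LOLBINS):
        return f"{p} (pid {parent.pid}) spawned {c} (pid {ev.pid})"
    return None


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, str]] = []
    for ev in events:
        for msg in (check_wmic_xsl(ev), check_rundll32_writable(ev), check_parentage(ev, by_pid)):
            if msg:
                hits.append((ev.pid, msg))
    return hits


# Constructed from the process tree on this page; ppid 0 = parent not recorded by the sandbox.
SAMPLE_EVENTS = [
    ProcEvent(1752, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm"),
    ProcEvent(1708, 0, r"C:\Windows\system32\wbem\wmic.exe",
              r'wmic os get /format:"C:\Users\Admin\AppData\Roaming\9851.xsl"'),
    ProcEvent(1536, 1708, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//sbsbu.dll ValidateLog'),
    # Two benign controls (constructed) that must not fire:
    ProcEvent(2000, 0, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get /format:list"),
    ProcEvent(2001, 0, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, msg in detect(SAMPLE_EVENTS):
        print(f"[pid {pid}] {msg}")
```

Running the block prints three hits, one per observed fact: the non-builtin stylesheet on PID 1708, the Temp-directory DLL on PID 1536, and the wmic.exe to rundll32.exe parentage; the two benign controls stay silent. The path normalisation deliberately folds the `C:/Windows/Temp//sbsbu.dll` spelling (forward and doubled slashes) into the same form as a conventional path, since mixed separators are a cheap way to slip past naive string matches.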
    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Downloads

    • C:\Users\Admin\AppData\Roaming\9851.xsl
      MD5

      aaa575a16cc212a693ec78839e272f17

      SHA1

      4f6121081623907392b3443ce44a032ab1bfe3d9

      SHA256

      0f247ff2e81d41f5309a3df9278654e245ade659b3b539199035bff43b0109f6

      SHA512

      6780fdbd1ddb57bdf6908bec4c4518c5ae4ee02b48668cacda295a60ebedb3cef62fc0856921b15a2af426f256fa6eeea5af8cf99fcb47b477b31b0ede7f45a3

    • C:\Windows\Temp\sbsbu.dll
      MD5

      aaf2df3829e1dc256c18772165d8e084

      SHA1

      cab4a366af8e264458817d8609393e390cf5a951

      SHA256

      72f6ce13a7e2197ee434085119c4efa337b3431294ec44555f229d3e8c9d4d3a

      SHA512

      5998ad055eebb831ed40618e4376604abe36565d0ce4336d0d58e0df6c44c0e6f0cfd0adac530122595581436a14e3c4781330d4b6087fdedf4572e67fa2d850

    • memory/952-7-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp
      Filesize

      2.5MB

    • memory/1536-8-0x0000000000000000-mapping.dmp
    • memory/1752-2-0x000000002FDD1000-0x000000002FDD4000-memory.dmp
      Filesize

      12KB

    • memory/1752-3-0x0000000071011000-0x0000000071013000-memory.dmp
      Filesize

      8KB

    • memory/1752-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1752-5-0x0000000005B50000-0x0000000005B52000-memory.dmp
      Filesize

      8KB