Analysis
-
max time kernel
136s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-03-2021 01:59
General
-
Target
SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm
-
Size
244KB
-
MD5
465073cff94c47ab863e5e9a5822c35d
-
SHA1
be9cb1aa91056bbb4d9b8ad82b43ffdb85dbe36a
-
SHA256
749f0d02e40de3105c7086ae9073dd71ea494ab873cc1b32bc4ae25ac72d892e
-
SHA512
d11e4095a55b7388635b7eaf0bba3295a7d70ffa9d57b255ba97244c63952aa802adf95cf4fad6c44530b8c83cd2def1959ff4a7b722bbc27a170e3c187df650
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\wmic.exewmic os get /format:"C:\Users\Admin\AppData\Roaming\9851.xsl"1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//udwsf.dll ValidateLog2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\9851.xslMD5
aaa575a16cc212a693ec78839e272f17
SHA14f6121081623907392b3443ce44a032ab1bfe3d9
SHA2560f247ff2e81d41f5309a3df9278654e245ade659b3b539199035bff43b0109f6
SHA5126780fdbd1ddb57bdf6908bec4c4518c5ae4ee02b48668cacda295a60ebedb3cef62fc0856921b15a2af426f256fa6eeea5af8cf99fcb47b477b31b0ede7f45a3
-
C:\Windows\Temp\udwsf.dllMD5
32b41998250587602b2d569c4014b168
SHA1f8e604129a8caa356c5bc87f30424ce6be2fbd23
SHA25628c835edaf273914c70cbee32ecff4c9c9102961d50edcb9a5f7c192ab0efb64
SHA5124cf49cf11531f7b9ae2f246270ef224907fc2355cfeb3017d515dc8d916dd25009e81cf56dd2b40e335f53c55c587de56484407dff674bd0c4c53a2c06ae2854
-
memory/2304-9-0x0000000000000000-mapping.dmp
-
memory/4764-2-0x00007FFACA170000-0x00007FFACA180000-memory.dmpFilesize
64KB
-
memory/4764-3-0x00007FFACA170000-0x00007FFACA180000-memory.dmpFilesize
64KB
-
memory/4764-4-0x00007FFACA170000-0x00007FFACA180000-memory.dmpFilesize
64KB
-
memory/4764-6-0x00007FFACA170000-0x00007FFACA180000-memory.dmpFilesize
64KB
-
memory/4764-5-0x00007FFAEE530000-0x00007FFAEEB67000-memory.dmpFilesize
6.2MB
-
memory/4764-7-0x000001F96FD20000-0x000001F96FD24000-memory.dmpFilesize
16KB