Analysis

- max time kernel: 136s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-03-2021 01:59

Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm
  Resource: win10v20201028
General

- Target: SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm
- Size: 244KB
- MD5: 465073cff94c47ab863e5e9a5822c35d
- SHA1: be9cb1aa91056bbb4d9b8ad82b43ffdb85dbe36a
- SHA256: 749f0d02e40de3105c7086ae9073dd71ea494ab873cc1b32bc4ae25ac72d892e
- SHA512: d11e4095a55b7388635b7eaf0bba3295a7d70ffa9d57b255ba97244c63952aa802adf95cf4fad6c44530b8c83cd2def1959ff4a7b722bbc27a170e3c187df650
Malware Config
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    wmic.exe (PID 4400): parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4336) is not expected to spawn this process

- Blocklisted process makes network request (2 IoCs)
  Processes:
    wmic.exe (PID 4400): network flows 24 and 25

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    EXCEL.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    EXCEL.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    EXCEL.EXE (PID 4764)

- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes:
    wmic.exe (PID 4400) adjusted each of the following token privileges twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    EXCEL.EXE (PID 4764), observed twice

- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    EXCEL.EXE (PID 4764), observed 12 times

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    wmic.exe (PID 4400) wrote to the memory of rundll32.exe (PID 2304), observed twice
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4764)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.21486.xlsm"
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\wbem\wmic.exe (PID 4400)
  Command line: wmic os get /format:"C:\Users\Admin\AppData\Roaming\9851.xsl"
  Signatures:
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\rundll32.exe (PID 2304), child of wmic.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//udwsf.dll ValidateLog
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Roaming\9851.xsl
  MD5: aaa575a16cc212a693ec78839e272f17
  SHA1: 4f6121081623907392b3443ce44a032ab1bfe3d9
  SHA256: 0f247ff2e81d41f5309a3df9278654e245ade659b3b539199035bff43b0109f6
  SHA512: 6780fdbd1ddb57bdf6908bec4c4518c5ae4ee02b48668cacda295a60ebedb3cef62fc0856921b15a2af426f256fa6eeea5af8cf99fcb47b477b31b0ede7f45a3

- C:\Windows\Temp\udwsf.dll
  MD5: 32b41998250587602b2d569c4014b168
  SHA1: f8e604129a8caa356c5bc87f30424ce6be2fbd23
  SHA256: 28c835edaf273914c70cbee32ecff4c9c9102961d50edcb9a5f7c192ab0efb64
  SHA512: 4cf49cf11531f7b9ae2f246270ef224907fc2355cfeb3017d515dc8d916dd25009e81cf56dd2b40e335f53c55c587de56484407dff674bd0c4c53a2c06ae2854

- memory/2304-9-0x0000000000000000-mapping.dmp
- memory/4764-2-0x00007FFACA170000-0x00007FFACA180000-memory.dmp (64KB)
- memory/4764-3-0x00007FFACA170000-0x00007FFACA180000-memory.dmp (64KB)
- memory/4764-4-0x00007FFACA170000-0x00007FFACA180000-memory.dmp (64KB)
- memory/4764-6-0x00007FFACA170000-0x00007FFACA180000-memory.dmp (64KB)
- memory/4764-5-0x00007FFAEE530000-0x00007FFAEEB67000-memory.dmp (6.2MB)
- memory/4764-7-0x000001F96FD20000-0x000001F96FD24000-memory.dmp (16KB)