Analysis

  • max time kernel
    101s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-03-2021 21:55

General

  • Target

    SecuriteInfo.com.VB.Heur.EmoDldr.32.81663039.Gen.10010.7990.xlsm

  • Size

    207KB

  • MD5

    f01bd4e45d3e569d12ec52b344194a1d

  • SHA1

    13c0a12b06327c9e9befee9b73963cc347422644

  • SHA256

    bc6a0298947129748c84a0ad5ea1406a826489729ac79ee5a89fd6176f3483c4

  • SHA512

    5274672d35ea7654b9084102cda57dc2cc9ca174897946a5edd2be4f281bde41b4b5d481f6726e4c02040c0c9ca166a6fe7e74b6f7ecf50fa855d20968ba928e

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Triage's generic description calls this likely ransomware behaviour, but nothing else in this report (no file-modification or ransom-note signatures) points to encryption; the vendor detection name in the filename (VB.Heur.EmoDldr) classifies the sample as an Emotet downloader.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur.EmoDldr.32.81663039.Gen.10010.7990.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:548
  • C:\Windows\system32\wbem\wmic.exe
    wmic os get /format:"C:\Users\Admin\AppData\Roaming\1665B.xsl"
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//9mw9o.dll JsRelease
      2⤵
        PID:788
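The process chain above is the substance of this report: Excel opens the .xlsm, wmic.exe runs with /format: pointing at a dropped .xsl under the user's Roaming directory (WMIC renders the stylesheet with MSXML, which executes any script the XSL carries; ATT&CK catalogues this as T1220, XSL Script Processing, which the v6 matrix below does not list), wmic is flagged making network requests, and it spawns rundll32.exe to load the downloaded DLL from C:\Windows\Temp by export name. The following is an added example, not part of the Triage report or of the sample, of detection logic a SOC could run over process-creation events to catch each link of that chain. The event records are constructed from the PIDs and command lines listed above; the parent PID of wmic.exe is left unknown because the report does not show it. Note the path normalisation: rundll32 was given C:/Windows/Temp//9mw9o.dll with forward and doubled slashes, which a literal "\Temp\" match would miss.

```python
"""Process-chain detections for the wmic /format: -> rundll32 pattern in this report.

Added example, not part of the Triage report. The EVENTS records are
constructed from the process tree on this page; the rules are illustrative.
"""
import re
from typing import Dict, List, Optional

# Constructed from the report's process tree (PIDs, images, command lines as
# listed). The report does not show which process started wmic.exe, so its
# parent PID is left as None rather than assumed.
EVENTS: List[Dict] = [
    {"pid": 548, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": (r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
                 r'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur.EmoDldr.32.81663039.Gen.10010.7990.xlsm')},
    {"pid": 1504, "ppid": None,
     "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": r'wmic os get /format:"C:\Users\Admin\AppData\Roaming\1665B.xsl"'},
    {"pid": 788, "ppid": 1504,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//9mw9o.dll JsRelease'},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, keeping quoted runs together
    and stripping the quotes, so /format:"C:\\path.xsl" stays one token."""
    return [tok.replace('"', "") for tok in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def norm_path(p: str) -> str:
    """Lower-case, forward slashes to backslashes, repeated separators collapsed."""
    p = p.replace("/", "\\")
    p = re.sub(r"\\{2,}", r"\\", p)
    return p.lower()


def check_wmic_xsl(ev: Dict) -> Optional[str]:
    """wmic.exe /format: pointing at a file or URL instead of a built-in keyword."""
    if not norm_path(ev["image"]).endswith("\\wmic.exe"):
        return None
    for tok in split_cmdline(ev["cmdline"]):
        if tok.lower().startswith("/format:"):
            value = tok[len("/format:"):]
            # Built-in formats are bare keywords (list, csv, htable, ...). A path
            # separator, drive/URL colon or explicit .xsl means wmic will load and
            # run script from an attacker-controlled stylesheet (T1220).
            if any(c in value for c in "\\/:") or value.lower().endswith(".xsl"):
                return f"wmic /format: loads external stylesheet {value} (T1220 XSL Script Processing)"
    return None


def check_rundll32_temp(ev: Dict) -> Optional[str]:
    """rundll32.exe loading a DLL from a Temp or AppData directory."""
    if not norm_path(ev["image"]).endswith("\\rundll32.exe"):
        return None
    args = split_cmdline(ev["cmdline"])[1:]  # drop the rundll32 image itself
    if not args:
        return None
    # rundll32 accepts "<dll>,<export>" or "<dll> <export>"; handle both forms.
    dll, _, export = args[0].partition(",")
    if not export and len(args) > 1:
        export = args[1]
    dll = norm_path(dll)
    if "\\temp\\" in dll or "\\appdata\\" in dll:
        return f"rundll32 loading {dll} from a temp/user directory, export {export or '<none>'}"
    return None


def check_wmic_child(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[str]:
    """Any child of wmic.exe: wmic has no legitimate reason to spawn processes."""
    parent = by_pid.get(ev["ppid"])
    if parent and norm_path(parent["image"]).endswith("\\wmic.exe"):
        return f"wmic.exe (pid {parent['pid']}) spawned {ev['image']} (pid {ev['pid']})"
    return None


def triage(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for ev in events:
        for rule in (check_wmic_xsl, check_rundll32_temp):
            msg = rule(ev)
            if msg:
                findings.append({"pid": ev["pid"], "rule": rule.__name__, "detail": msg})
        msg = check_wmic_child(ev, by_pid)
        if msg:
            findings.append({"pid": ev["pid"], "rule": "check_wmic_child", "detail": msg})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<22} {f['detail']}")
```

Run against the constructed events it produces three findings, one per link of the chain: the external stylesheet passed to wmic (pid 1504), the DLL loaded from C:\Windows\Temp (pid 788), and rundll32 being a child of wmic (pid 788). Excel itself trips no rule here; in production the Office-spawns-LOLBin rule would need the parent of wmic, which this report does not record.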

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic            Technique                      ID     Signatures
    Defense Evasion   Modify Registry                T1112  1
    Discovery         System Information Discovery   T1082  2
    Discovery         Query Registry                 T1012  1


    Downloads

    • C:\Users\Admin\AppData\Roaming\1665B.xsl
      MD5

      7f178df088edc04d2faa9ae9cb4e2054

      SHA1

      3ed636050c8dd3706b059e2187da6e20e091b3d8

      SHA256

      11b3af9ce4bed226540438919082eb2b89dec65afcfb5ad7932080a2ba43f83b

      SHA512

      4a26f255c963b9fab914087ee4e288602f0e2d9979a239e5b3a3cdd71e42ea1a4f5ba32d79342e50520703a8acebfc66e6638a2e88096acbf6eb25c7d9ebc717

    • C:\Windows\Temp\9mw9o.dll
      MD5

      81756d2968ec413b4219af716ccfc2c8

      SHA1

      86a2811436cc107447f702906f982c302bc03f24

      SHA256

      fa6cea90568b13102191684f1175be39350e8f8861ec2b44c70ef91035a67af6

      SHA512

      24084695f5c35f7ed189933572603ffd0a3343f41f8df5092106c6aa533d085a08a9261d182eb586fc7ea0c2c61030ff2341e7e83cd6e0bea051caba1d6ecadf

    • memory/548-2-0x000000002F191000-0x000000002F194000-memory.dmp
      Filesize

      12KB

    • memory/548-3-0x0000000071AA1000-0x0000000071AA3000-memory.dmp
      Filesize

      8KB

    • memory/548-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/548-5-0x00000000059E0000-0x00000000059E2000-memory.dmp
      Filesize

      8KB

    • memory/576-7-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp
      Filesize

      2.5MB

    • memory/788-8-0x0000000000000000-mapping.dmp