Analysis

  • max time kernel
    101s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    21-04-2021 23:42

General

  • Target

    SecuriteInfo.com.Heur.29862.20151.xlsm

  • Size

    170KB

  • MD5

    b0a053930116048ce5ba43eb505513ee

  • SHA1

    8a22f50fd65575975722cee6169f51e3e497b2e6

  • SHA256

    2db9aba962314d68dd87dd2404ce6533cd28e5bbc2098c591fc23b018c3a3982

  • SHA512

    e9511026d1e7ccf35ec610e7a9664a706610273dd43112ba0b90e531e03cec1c49eb4a4a3c7a093b0e320c718523e15a07ad7221ab5127edf5b7b5180e876249

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.29862.20151.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\24228..dll" JsVarAddRef
      2⤵
      • Process spawned unexpected child process
      PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\24228..dll
    MD5

    6cee0e603d9fe063dcf31a045b56ff2b

    SHA1

    415bbe79c86fa402740a01b7a019091388c1b392

    SHA256

    9e9b5e351532b5894ada203ace2d277420f3c11dda71a54316892115f63df7b3

    SHA512

    c68e35a62f551fed7adcd3dcb041a23a43bfb5c217641158f2979c8fe69f736a94dde64186f9a103f987098a164bd34928500d92df63e3fbe1a7317d7a59c3ab

  • memory/1360-59-0x000000002FE61000-0x000000002FE64000-memory.dmp
    Filesize

    12KB

  • memory/1360-60-0x0000000070E41000-0x0000000070E43000-memory.dmp
    Filesize

    8KB

  • memory/1360-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1360-65-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1600-62-0x0000000000000000-mapping.dmp
  • memory/1600-63-0x00000000752B1000-0x00000000752B3000-memory.dmp
    Filesize

    8KB