Analysis
- max time kernel: 104s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 17:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: Invoice #035.xlsm
- Resource: win7v20210408
General
- Target: Invoice #035.xlsm
- Size: 155KB
- MD5: 77f482d7c33d70474d451cf2546f4b4f
- SHA1: 9ef86f2a8171e50ec5734886d895885280e029d8
- SHA256: 8bdcc1592ffaee9154ed4331a44fa52af3b2baebbd4ef71840adc73b38635d9e
- SHA512: f656c8f2a14ddb066469f20ab5303f5a0ec18d17648e67a59fde4902dc923f5a70fe4cc4964251a705275e98073df76821ec6e3ee8d93982fb86ec71a698404a
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    rundll32.exe
      description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
      pid: 3520, pid_target: 3944, process: rundll32.exe, target process: EXCEL.EXE
- Loads dropped DLL (1 IoC)
  Processes:
    rundll32.exe: pid 2620
- Checks whether UAC is enabled
  Processes:
    rundll32.exe
      Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    EXCEL.EXE
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    EXCEL.EXE
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    EXCEL.EXE: pid 3944
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    EXCEL.EXE: pid 3944 (12 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    EXCEL.EXE, rundll32.exe
      PID 3944 (EXCEL.EXE) wrote to memory of 3520 (rundll32.exe)
      PID 3944 (EXCEL.EXE) wrote to memory of 3520 (rundll32.exe)
      PID 3520 (rundll32.exe) wrote to memory of 2620 (rundll32.exe)
      PID 3520 (rundll32.exe) wrote to memory of 2620 (rundll32.exe)
      PID 3520 (rundll32.exe) wrote to memory of 2620 (rundll32.exe)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3944)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice #035.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (PID 3520, child of 3944)
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\43590..dll" JsVarAddRef
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2620, child of 3520)
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\43590..dll" JsVarAddRef
      - Loads dropped DLL
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\43590..dll (also listed as \Users\Admin\AppData\Roaming\43590..dll)
  MD5: 8795a6a11cfe87be8ad805ec83baa5b2
  SHA1: 135bd9dda8242619d8e4f3b472477de8bb7788e8
  SHA256: 15a3d386af1b81a23eef79200a3de16c76ffb06b25fe9c11b9b6f0d5a5d0aec7
  SHA512: 743d578af7df4c9b3c2570a8f030bb12ae2c60cc41b9e25eef7d456e71ec75024dc9ddf7c5e9fa467dbc5308d4a18b8e28ed442726bcbfae1b7f084a3e224063
- memory/2620-183-0x0000000002D30000-0x0000000002D36000-memory.dmp (Filesize: 24KB)
- memory/2620-181-0x0000000000000000-mapping.dmp
- memory/3520-179-0x0000000000000000-mapping.dmp
- memory/3944-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
- memory/3944-121-0x00007FFDC2F70000-0x00007FFDC405E000-memory.dmp (Filesize: 16.9MB)
- memory/3944-123-0x00007FFDC1070000-0x00007FFDC2F65000-memory.dmp (Filesize: 31.0MB)
- memory/3944-122-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
- memory/3944-118-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
- memory/3944-114-0x00007FF793FB0000-0x00007FF797566000-memory.dmp (Filesize: 53.7MB)
- memory/3944-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)
- memory/3944-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (Filesize: 64KB)