Analysis
- max time kernel: 103s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 17:35

Static task: static1
Behavioral task: behavioral1
Sample: Invoice #2744.xlsm
Resource: win7v20210410
General
- Target: Invoice #2744.xlsm
- Size: 196KB
- MD5: bad9949e5f34dea3453014179e9f4705
- SHA1: 4593a7d5c39f17b357923a8ca450353e4267d305
- SHA256: c0fb3410e2ddca4fff784a5aa09f4bc22d46db70a23f934ed69c42c8b98c9d36
- SHA512: 1090732f6f64d502e6531c26fcf7fb25b6323cb60cb36d9be3281312f66d36505727db08542885938e66c5a7f4106f5e90ef99a58318ef74a8dff4f27bf8c712
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1784 | 4008 | rundll32.exe | EXCEL.EXE
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    2400 | rundll32.exe
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    description | flow | ioc
    HTTP User-Agent header | 17 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    4008 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid | process
    4008 | EXCEL.EXE (12 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description | pid | process | target process
    PID 4008 wrote to memory of 1784 | 4008 | EXCEL.EXE | rundll32.exe
    PID 4008 wrote to memory of 1784 | 4008 | EXCEL.EXE | rundll32.exe
    PID 1784 wrote to memory of 2400 | 1784 | rundll32.exe | rundll32.exe
    PID 1784 wrote to memory of 2400 | 1784 | rundll32.exe | rundll32.exe
    PID 1784 wrote to memory of 2400 | 1784 | rundll32.exe | rundll32.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice #2744.xlsm"
  Depth: 1
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\2200..dll" JsVarAddRef
    Depth: 2
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\2200..dll" JsVarAddRef
      Depth: 3
      - Loads dropped DLL
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\2200..dll
  MD5: 9099f93a131065d0c84a7b27c5e6225b
  SHA1: 08fe0345e15029f06c70109833cfcb641e36dc2e
  SHA256: 1a245e6b71db0d64fe0d27a113583bef2a65d0fdf3e183c459e6a768504eb79c
  SHA512: 809eaef442597a8da6d84a8eedb5cfab391f23b728afefd68be20604871680f8c92249642df97b531696224b8f08c80596a029b58ea8f3690d08060491cd726a
- \Users\Admin\AppData\Roaming\2200..dll
  MD5: 9099f93a131065d0c84a7b27c5e6225b
  SHA1: 08fe0345e15029f06c70109833cfcb641e36dc2e
  SHA256: 1a245e6b71db0d64fe0d27a113583bef2a65d0fdf3e183c459e6a768504eb79c
  SHA512: 809eaef442597a8da6d84a8eedb5cfab391f23b728afefd68be20604871680f8c92249642df97b531696224b8f08c80596a029b58ea8f3690d08060491cd726a
- memory/1784-179-0x0000000000000000-mapping.dmp
- memory/2400-183-0x00000000009B0000-0x00000000009B6000-memory.dmp
  Filesize: 24KB
- memory/2400-181-0x0000000000000000-mapping.dmp
- memory/4008-117-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
  Filesize: 64KB
- memory/4008-122-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
  Filesize: 64KB
- memory/4008-123-0x00000211BAE20000-0x00000211BCD15000-memory.dmp
  Filesize: 31.0MB
- memory/4008-121-0x00007FFF976A0000-0x00007FFF9878E000-memory.dmp
  Filesize: 16.9MB
- memory/4008-118-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
  Filesize: 64KB
- memory/4008-114-0x00007FF670F10000-0x00007FF6744C6000-memory.dmp
  Filesize: 53.7MB
- memory/4008-116-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
  Filesize: 64KB
- memory/4008-115-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
  Filesize: 64KB