Resubmissions
  Submitted           Task ID               Score
  21-04-2021 16:14    210421-ygskj3c65s     10
  21-04-2021 16:13    210421-hb7vkpnwme     8
  21-04-2021 16:09    210421-yxfjrtzzx6     10

Analysis
  max time kernel: 120s
  max time network: 126s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 21-04-2021 16:09
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice #035.xlsm
  Resource: win7v20210408
General
  Target: Invoice #035.xlsm
  Size: 155KB
  MD5: 77f482d7c33d70474d451cf2546f4b4f
  SHA1: 9ef86f2a8171e50ec5734886d895885280e029d8
  SHA256: 8bdcc1592ffaee9154ed4331a44fa52af3b2baebbd4ef71840adc73b38635d9e
  SHA512: f656c8f2a14ddb066469f20ab5303f5a0ec18d17648e67a59fde4902dc923f5a70fe4cc4964251a705275e98073df76821ec6e3ee8d93982fb86ec71a698404a
Malware Config
Signatures
-
Process spawned unexpected child process  (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 3968 (rundll32.exe)    pid_target: 3656 (EXCEL.EXE)
Downloads MZ/PE file
-
Loads dropped DLL  (1 IoCs)
Processes:
  pid 1604  rundll32.exe
Checks whether UAC is enabled
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (rundll32.exe)
Checks processor information in registry  (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (EXCEL.EXE)
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (EXCEL.EXE)
Enumerates system info in registry  (2 TTPs, 3 IoCs)
Processes:
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (EXCEL.EXE)
Script User-Agent  (1 IoCs)
Uses user-agent string associated with script host/environment. This string is the default User-Agent of the WinHTTP COM object (WinHttp.WinHttpRequest.5.1), the usual way a VBA macro fetches a second stage.
Processes:
  flow 17  HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener  (1 IoCs)
Processes:
  pid 3656  EXCEL.EXE
Suspicious use of SetWindowsHookEx  (12 IoCs)
Processes:
  pid 3656  EXCEL.EXE  (12 occurrences)
Suspicious use of WriteProcessMemory  (5 IoCs)
Processes:
  PID 3656 (EXCEL.EXE) wrote to memory of 3968 (rundll32.exe)  (2 occurrences)
  PID 3968 (rundll32.exe) wrote to memory of 1604 (rundll32.exe)  (3 occurrences)
Processes
  1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 3656)
     Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice #035.xlsm"
     - Checks processor information in registry
     - Enumerates system info in registry
     - Suspicious behavior: AddClipboardFormatListener
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\System32\rundll32.exe  (PID 3968)
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\43590..dll" JsVarAddRef
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\rundll32.exe  (PID 1604)
           Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\43590..dll" JsVarAddRef
           - Loads dropped DLL
           - Checks whether UAC is enabled
           Note: the image path is SysWOW64 while the command line still names System32. The 64-bit rundll32.exe relaunches its 32-bit copy with the same arguments when the DLL it was handed is 32-bit, so the dropped DLL is loaded (and the EnableLUA check runs) in PID 1604, not 3968.
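The signatures above can be expressed as a handful of rules over a process/registry/network event stream. The script below is an added example written for this page, not the sandbox's own rule engine: it re-creates the "unexpected child", "loads dropped DLL", "checks whether UAC is enabled", sandbox-fingerprinting registry reads and "script User-Agent" checks and runs them over a constructed log. PIDs, image paths, command lines, registry keys and the User-Agent are copied from this report; the JSON event layout, the parent PID of EXCEL.EXE (1234), the benign splwow64.exe child (PID 4100, included so one rule is shown not firing) and the attribution of HTTP flow 17 to PID 3656 are assumptions made for the example.

```python
"""Toy re-implementation of the behavioural rules that fire in this report.
Added example; not the sandbox's code. Run: python3 this_file.py"""
import json
import re
from collections import defaultdict

# Constructed event log, one JSON object per line. Values taken from the report except
# ppid 1234, the splwow64.exe child and the pid attached to the HTTP flow (assumptions).
SAMPLE_LOG = r"""
{"type": "process_create", "pid": 3656, "ppid": 1234, "image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE", "cmdline": "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice #035.xlsm\""}
{"type": "registry_query", "pid": 3656, "key": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"}
{"type": "registry_query", "pid": 3656, "key": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU"}
{"type": "http_request", "pid": 3656, "flow": 17, "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"}
{"type": "process_create", "pid": 4100, "ppid": 3656, "image": "C:\\Windows\\splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
{"type": "process_create", "pid": 3968, "ppid": 3656, "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\43590..dll\" JsVarAddRef"}
{"type": "process_create", "pid": 1604, "ppid": 3968, "image": "C:\\Windows\\SysWOW64\\rundll32.exe", "cmdline": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\43590..dll\" JsVarAddRef"}
{"type": "dll_load", "pid": 1604, "path": "C:\\Windows\\SysWOW64\\kernel32.dll"}
{"type": "dll_load", "pid": 1604, "path": "C:\\Users\\Admin\\AppData\\Roaming\\43590..dll"}
{"type": "registry_query", "pid": 1604, "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"}
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
# Script hosts / LOLBins that a document-handling process has no business launching.
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                       "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# Directories an unprivileged user (and therefore a macro) can write a payload into.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
SANDBOX_KEYS = ("\\hardware\\description\\system\\centralprocessor\\",
                "\\hardware\\description\\system\\bios")
UAC_KEY = "\\policies\\system\\enablelua"
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events):
    """Return (rule, pid, detail) tuples in event order."""
    image = {}  # pid -> image path, filled in as process_create events arrive
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image[ev["pid"]] = ev["image"]
            parent, child = basename(image.get(ev["ppid"], "")), basename(ev["image"])
            if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
                findings.append(("unexpected_child", ev["pid"], f"{parent} -> {child}: {ev['cmdline']}"))
        elif kind == "dll_load":
            # rundll32 loading a DLL from a user-writable directory == "Loads dropped DLL"
            if basename(image.get(ev["pid"], "")) == "rundll32.exe" and USER_WRITABLE.search(ev["path"]):
                findings.append(("dropped_dll", ev["pid"], ev["path"]))
        elif kind == "registry_query":
            key = ev["key"].lower()
            if any(s in key for s in SANDBOX_KEYS):
                findings.append(("sandbox_fingerprint", ev["pid"], ev["key"]))
            elif key.endswith(UAC_KEY):
                findings.append(("uac_check", ev["pid"], ev["key"]))
        elif kind == "http_request" and SCRIPT_UA.search(ev.get("user_agent", "")):
            findings.append(("script_user_agent", ev["pid"], ev["user_agent"]))
    return findings


def summarise(findings):
    """rule name -> sorted unique PIDs, i.e. the shape of the report's 'Processes:' blocks."""
    by_rule = defaultdict(set)
    for rule, pid, _ in findings:
        by_rule[rule].add(pid)
    return {rule: sorted(pids) for rule, pids in by_rule.items()}


def ancestry(events, pid):
    """Image basenames from the earliest known ancestor down to pid."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}
    image = {ev["pid"]: basename(ev["image"]) for ev in events if ev["type"] == "process_create"}
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent[pid]
    return chain[::-1]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for rule, pid, detail in analyse(evs):
        print(f"{rule:20} pid {pid:<5} {' > '.join(ancestry(evs, pid))}: {detail}")
```

Two details worth noticing in the output: the splwow64.exe child of Excel is not reported, because the rule keys on the child being a script host rather than on Excel spawning anything at all, and the dropped-DLL and UAC findings land on PID 1604 (the SysWOW64 rundll32.exe), matching the report's attribution rather than the PID Excel actually launched.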
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\43590..dll  (also listed as \Users\Admin\AppData\Roaming\43590..dll)
    MD5: bbcb7773041252a774459af0c14118c2
    SHA1: 1744d5de251afe5c07ee4ff144b01239d62f58b7
    SHA256: 1adc9f81859ab8ca08975362f5b76bb00e72612f26e741a6791074c19b60547d
    SHA512: 911b279ec6b2af0725d54df83fe5583d12fbc7d633239fe1435bf444b0b49e9f3500ff43978ca75eb897300bd526732021f6d8f5e0af51cc6f4376e5b2f856f2

  Memory dumps (pid-index, address range, size):
    memory/3656-114  0x00007FF711840000-0x00007FF714DF6000  53.7MB
    memory/3656-115  0x00007FF85A170000-0x00007FF85A180000  64KB
    memory/3656-116  0x00007FF85A170000-0x00007FF85A180000  64KB
    memory/3656-117  0x00007FF85A170000-0x00007FF85A180000  64KB
    memory/3656-118  0x00007FF85A170000-0x00007FF85A180000  64KB
    memory/3656-121  0x00007FF87ABF0000-0x00007FF87BCDE000  16.9MB
    memory/3656-122  0x00007FF85A170000-0x00007FF85A180000  64KB
    memory/3656-123  0x00007FF878CF0000-0x00007FF87ABE5000  31.0MB
    memory/3968-179  0x0000000000000000  mapping.dmp
    memory/1604-181  0x0000000000000000  mapping.dmp
    memory/1604-183  0x0000000003180000-0x0000000003186000  24KB