Analysis
- max time kernel: 9s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 03-05-2021 12:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: VWR CI 290421.xlsx.exe
- Resource: win7v20210408
General
- Target: VWR CI 290421.xlsx.exe
- Size: 331KB
- MD5: 94c33eb1b3a778c5b38d55c5fd40f2ab
- SHA1: 10e1a14fc45346a5d4bccfff8d46bf90929fc66c
- SHA256: c4c21a36bd1f32a71dd00f0bd2fa78c9ab6cc9df30de77f4f99cb5d0da080cb3
- SHA512: 92b5cbde3ed79d4b1a2fccf8fc29f8d2b5a18ed158bccdda2350b6802d774bd4e2c083b31a9fdb81b67b1712fa9fce175d2e28fded75e0ba0a3918d52c00ffb9
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    PID 108 VWR CI 290421.xlsx.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (source -> target):
    PID 108 (VWR CI 290421.xlsx.exe) set thread context of PID 2028 (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 108 VWR CI 290421.xlsx.exe
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes:
    PID 2028 svchost.exe adjusted the following token privileges, each recorded four times in this order (32 events in total):
      SeImpersonatePrivilege
      SeTcbPrivilege
      SeChangeNotifyPrivilege
      SeCreateTokenPrivilege
      SeBackupPrivilege
      SeRestorePrivilege
      SeIncreaseQuotaPrivilege
      SeAssignPrimaryTokenPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source -> target):
    PID 108 (VWR CI 290421.xlsx.exe) wrote to memory of PID 2028 (svchost.exe): 5 events
    PID 2028 (svchost.exe) wrote to memory of PID 868 (cmd.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\VWR CI 290421.xlsx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VWR CI 290421.xlsx.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VWR CI 290421.xlsx.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259289074.bat" "C:\Windows\SysWOW64\svchost.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259289074.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- \Users\Admin\AppData\Local\Temp\nsn51F9.tmp\xrlqvla0n.dll
  MD5: 587481ce209ff25391ce17827c464cf8
  SHA1: 0a20871ae621d6f75e74bf5c4f1ef80333201f89
  SHA256: f5ffc43f62751866c978c1d5bd24eb7cc1863f58ca22cc12fc333bf9ad667140
  SHA512: ff637dbdb1b11a8cbbe8a713ed9cd06728aa9d462986c0330712d879449540488b9ee06b24afbce18638fe839b9029e9ca1ab08215d32060608afe8746e2ce78
- memory/108-60-0x0000000076A01000-0x0000000076A03000-memory.dmp (Filesize: 8KB)
- memory/108-62-0x00000000002C0000-0x00000000002C2000-memory.dmp (Filesize: 8KB)
- memory/868-66-0x0000000000000000-mapping.dmp
- memory/2028-63-0x0000000000410621-mapping.dmp
- memory/2028-65-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)