Analysis
- max time kernel: 147s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-05-2021 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: viruss.xlsb
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: viruss.xlsb
  Resource: win10v20210408
General
- Target: viruss.xlsb
- Size: 37KB
- MD5: 719009a094c6f3155e7abc537078b943
- SHA1: c4b3109cf39b301b30e732db7493f3241236ed1f
- SHA256: a2420c7f0c7bf5d3c0893aff6b7440a09c0531632434d2bbb6f8ed98b04317b9
- SHA512: 6a7ae98bfd2ba970d544566bafdf05ba6eb1ee7b9a19e2f7720f69952e8360bcaa6f532fc7f46b638b5174682b55953f48868245af6c57ab787f31d02d45d0a2
Malware Config
Extracted
- raccoon
- c021300d0074689fde86c87568e215c582272721
- url4cnc: https://tttttt.me/ch0koalpengold
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1328 created 3980 | 1328 | WerFault.exe | test.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    3980 | test.exe
- Program crash (5 IoCs)
  Processes:
    pid | pid_target | process | target process
    380 | 3980 | WerFault.exe | test.exe
    1924 | 3980 | WerFault.exe | test.exe
    1548 | 3980 | WerFault.exe | test.exe
    2256 | 3980 | WerFault.exe | test.exe
    1328 | 3980 | WerFault.exe | test.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    764 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process | occurrences
    380 | WerFault.exe | 15
    1924 | WerFault.exe | 15
    1548 | WerFault.exe | 15
    2256 | WerFault.exe | 15
    1328 | WerFault.exe | 4
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 380 | WerFault.exe
    Token: SeBackupPrivilege | 380 | WerFault.exe
    Token: SeDebugPrivilege | 380 | WerFault.exe
    Token: SeDebugPrivilege | 1924 | WerFault.exe
    Token: SeDebugPrivilege | 1548 | WerFault.exe
    Token: SeDebugPrivilege | 2256 | WerFault.exe
    Token: SeDebugPrivilege | 1328 | WerFault.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid | process | occurrences
    764 | EXCEL.EXE | 8
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 764 wrote to memory of 3980 | 764 | EXCEL.EXE | test.exe
    PID 764 wrote to memory of 3980 | 764 | EXCEL.EXE | test.exe
    PID 764 wrote to memory of 3980 | 764 | EXCEL.EXE | test.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\viruss.xlsb"
  PID: 764
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\test.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\test.exe
    PID: 3980
    Signatures:
      - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 752
      PID: 380
      Signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 856
      PID: 1924
      Signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 736
      PID: 1548
      Signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892
      PID: 2256
      Signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 896
      PID: 1328
      Signatures:
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.exe
  MD5: 7a09cabba9c55ae1d5c1255dafa94366
  SHA1: d39c39dd600e3081213ed627a13ed2b4003531f5
  SHA256: 833c8c34a6c6dcdeaeeff648f0db155c5401bc03f538b2153bdc3bc970bb4e1b
  SHA512: cff43d8648cf339a04284fee3690cfffb6d02832290308fa930186f3470fb1bfb95f739b8ee724dcdcb341f923ac5536daa972932d1a34d4c49c4ca399fadacf
- memory/764-122-0x00007FF9BA050000-0x00007FF9BB13E000-memory.dmp
  Filesize: 16.9MB
- memory/764-117-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
  Filesize: 64KB
- memory/764-118-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
  Filesize: 64KB
- memory/764-121-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
  Filesize: 64KB
- memory/764-114-0x00007FF6EC300000-0x00007FF6EF8B6000-memory.dmp
  Filesize: 53.7MB
- memory/764-123-0x00007FF9B8150000-0x00007FF9BA045000-memory.dmp
  Filesize: 31.0MB
- memory/764-116-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
  Filesize: 64KB
- memory/764-115-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
  Filesize: 64KB
- memory/3980-179-0x0000000000000000-mapping.dmp
- memory/3980-182-0x00000000021F0000-0x0000000002281000-memory.dmp
  Filesize: 580KB
- memory/3980-183-0x0000000000400000-0x00000000004AC000-memory.dmp
  Filesize: 688KB