Overview

overview

10

Static

static

6bfaff1d98...7d.exe

windows7_x64

8

6bfaff1d98...7d.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-05-2021 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

  • Size

    507KB

  • MD5

    56a65bdcd8ac98ea90b9aec9bfe2b5e4

  • SHA1

    189fde58d647edd83940de632dde978dd7a3823c

  • SHA256

    6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d

  • SHA512

    3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

Score
8/10
macropersistencexlm

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
      "C:\Users\Admin\AppData\Local\Temp\6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
        "C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Users\Admin\AppData\Local\Temp\~2932.tmp
          "C:\Users\Admin\AppData\Local\Temp\~2932.tmp"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1820
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~2CEA.tmp.doc"
        3⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:1984
    • C:\Windows\SysWOW64\bitsInit.exe
      C:\Windows\SysWOW64\bitsInit.exe -k
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1324

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~2932.tmp
      MD5

      e3d332acf4fb9f3e5c3ea348db8aa3b2

      SHA1

      6eeb9643e98d04f4a4d294b60a327a8ec7504959

      SHA256

      e00c8cbcd9451eea71ecd5d41b0fac1336abc0aa896a177e2ec3b608b3ee5388

      SHA512

      a93eb33dabb98f58d9ca14f3141b7059bae27814c0281cb40e85d6977d0608760016fc965cbe2ad1006fab3d24dff327b44bf80c6a9a212f7ded29454c07d522

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~2CEA.tmp.doc
      MD5

      149f0098b9faa6bcf9a8f7f2aed29fc9

      SHA1

      244de26e12de2d715cf3a869e932a6d21b3a8b1e

      SHA256

      34969e2f18eae8c5b9bf68dbfe92aeee74c05206237498231d03d95a0ed1941f

      SHA512

      f98135fcaff860b66bf73fa46fb72375a5b9ee8865af113b793a85eaa5bc020c3f716c9b2709252008978071fd02be620428be8e39fefdd533a0cc3e1c207056

      Download Submit
    • C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
      MD5

      e086825688a8e982660c6a352c3def67

      SHA1

      4164f1f9417952f2792255ff607e3ebe712a5d9a

      SHA256

      d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227

      SHA512

      3ba881ad25aa74d61b60368f3c46a298a71d0c81a87442020faa95dcc9953749a29ce16b8deea018714169b167d2cef43cc64650e3ae5f7f85b7f29792643f1b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
      MD5

      e086825688a8e982660c6a352c3def67

      SHA1

      4164f1f9417952f2792255ff607e3ebe712a5d9a

      SHA256

      d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227

      SHA512

      3ba881ad25aa74d61b60368f3c46a298a71d0c81a87442020faa95dcc9953749a29ce16b8deea018714169b167d2cef43cc64650e3ae5f7f85b7f29792643f1b

      Download Submit
    • C:\Windows\SysWOW64\bitsInit.exe
      MD5

      56a65bdcd8ac98ea90b9aec9bfe2b5e4

      SHA1

      189fde58d647edd83940de632dde978dd7a3823c

      SHA256

      6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d

      SHA512

      3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

      Download Submit
    • C:\Windows\SysWOW64\bitsInit.exe
      MD5

      56a65bdcd8ac98ea90b9aec9bfe2b5e4

      SHA1

      189fde58d647edd83940de632dde978dd7a3823c

      SHA256

      6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d

      SHA512

      3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\~2932.tmp
      MD5

      e3d332acf4fb9f3e5c3ea348db8aa3b2

      SHA1

      6eeb9643e98d04f4a4d294b60a327a8ec7504959

      SHA256

      e00c8cbcd9451eea71ecd5d41b0fac1336abc0aa896a177e2ec3b608b3ee5388

      SHA512

      a93eb33dabb98f58d9ca14f3141b7059bae27814c0281cb40e85d6977d0608760016fc965cbe2ad1006fab3d24dff327b44bf80c6a9a212f7ded29454c07d522

      Download Submit
    • \Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
      MD5

      e086825688a8e982660c6a352c3def67

      SHA1

      4164f1f9417952f2792255ff607e3ebe712a5d9a

      SHA256

      d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227

      SHA512

      3ba881ad25aa74d61b60368f3c46a298a71d0c81a87442020faa95dcc9953749a29ce16b8deea018714169b167d2cef43cc64650e3ae5f7f85b7f29792643f1b

      Download Submit
    • \Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
      MD5

      e086825688a8e982660c6a352c3def67

      SHA1

      4164f1f9417952f2792255ff607e3ebe712a5d9a

      SHA256

      d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227

      SHA512

      3ba881ad25aa74d61b60368f3c46a298a71d0c81a87442020faa95dcc9953749a29ce16b8deea018714169b167d2cef43cc64650e3ae5f7f85b7f29792643f1b

      Download Submit
    • memory/796-64-0x0000000000000000-mapping.dmp
      Download
    • memory/796-74-0x0000000000070000-0x00000000000B0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1060-79-0x000000006FAF1000-0x000000006FAF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1060-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1060-78-0x0000000072071000-0x0000000072074000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1060-80-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1060-84-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1244-75-0x0000000002C20000-0x0000000002C63000-memory.dmp
      Filesize

      268KB

      Download
    • memory/1324-76-0x00000000003E0000-0x0000000000472000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1636-60-0x0000000075041000-0x0000000075043000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-61-0x0000000000120000-0x00000000001B2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1820-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-82-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-83-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
      Filesize

      8KB

      Download