Analysis
-
max time kernel
131s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-05-2021 15:34
Static task
static1
Behavioral task
behavioral1
Sample
ExcelViewerss.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
ExcelViewerss.exe
Resource
win10v20210410
General
-
Target
ExcelViewerss.exe
-
Size
571KB
-
MD5
40d56ef0857cd5fe0ba21d20c73686e2
-
SHA1
90a8bdadbdebfcaf3a1e146472d56db7d531f921
-
SHA256
d1623332c586135747a2575bec4ee783f299c5fca0f527f0328ea47691e9506d
-
SHA512
74953fa8056f17e96831cf932a482907af00ef22008a4c829da339d3c55fb9696ba812c605155486971cdc4427cb85bf4d63f0e29ffdb46c602be083bdcdc038
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/932-119-0x0000000000400000-0x00000000004F6000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ExcelViewerss.exedescription pid process target process PID 3016 set thread context of 932 3016 ExcelViewerss.exe ExcelViewerss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ExcelViewerss.exepid process 3016 ExcelViewerss.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
ExcelViewerss.exepid process 932 ExcelViewerss.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ExcelViewerss.exedescription pid process Token: SeShutdownPrivilege 932 ExcelViewerss.exe Token: SeCreatePagefilePrivilege 932 ExcelViewerss.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ExcelViewerss.exepid process 3016 ExcelViewerss.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
ExcelViewerss.exeExcelViewerss.exedescription pid process target process PID 3016 wrote to memory of 932 3016 ExcelViewerss.exe ExcelViewerss.exe PID 3016 wrote to memory of 932 3016 ExcelViewerss.exe ExcelViewerss.exe PID 3016 wrote to memory of 932 3016 ExcelViewerss.exe ExcelViewerss.exe PID 3016 wrote to memory of 932 3016 ExcelViewerss.exe ExcelViewerss.exe PID 932 wrote to memory of 1164 932 ExcelViewerss.exe cmd.exe PID 932 wrote to memory of 1164 932 ExcelViewerss.exe cmd.exe PID 932 wrote to memory of 1164 932 ExcelViewerss.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ExcelViewerss.exe"C:\Users\Admin\AppData\Local\Temp\ExcelViewerss.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ExcelViewerss.exe"C:\Users\Admin\AppData\Local\Temp\ExcelViewerss.exe"2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nJ3x4QfDj5RhAt3p.bat" "3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nJ3x4QfDj5RhAt3p.batMD5
b3b091fc34f1311973172f9ff93b5ec1
SHA10265aa403f2c6656977abc00382ee75f11b92e73
SHA2564730af9e595d9f8009cc9c133533945ff7605094bac94dea56fcf77efc5de300
SHA512eeb04c4ca9640e4ef8191b9c5b999370355dee6594ebfd76e7824ddb02360ad8f8e7e7f591cd74a24f0d281e30293b528ba2df5ec4c0dc2c6109092fed37452f
-
memory/932-117-0x00000000004F4AD0-mapping.dmp
-
memory/932-119-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/932-120-0x0000000000500000-0x000000000064A000-memory.dmpFilesize
1.3MB
-
memory/1164-121-0x0000000000000000-mapping.dmp
-
memory/3016-116-0x00000000021E0000-0x00000000021E1000-memory.dmpFilesize
4KB
-
memory/3016-118-0x00000000021F0000-0x00000000021F8000-memory.dmpFilesize
32KB