Overview

overview

10

Static

static

8

Invoice-59...4.xlsb

windows7_x64

10

Invoice-59...4.xlsb

windows10_x64

10

Resubmissions

09-12-2021 18:02

211209-wmyz3aeefp 10

09-12-2021 13:52

211209-q6fpyadeck 10

18-10-2021 09:36

211018-lkztgaecbm 10

04-10-2021 17:53

211004-wgpjfaggb4 10

Analysis

  • max time kernel
    122s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    04-10-2021 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice-5959498320211004.xlsb

  • Size

    132KB

  • MD5

    887bc475305003bdc34e671a2f3bd080

  • SHA1

    7625f787be7479bf54addeff0ce7107cf0f59f23

  • SHA256

    7e0b4b26bafd471703fac1db25b24936230aecad95732e66420184d717a111ee

  • SHA512

    efb52e8c1fdf6e7cbc80b951220e25c78be0aad5c24b732696784b9b4d5d2c7a284df11fb0f524f64fa3f39a887069599c91f5233062d2aa8c01617104dd9ccd

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice-5959498320211004.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic process call create 'mshta C:\ProgramData\vlEUL.rtf'
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
  • C:\Windows\system32\mshta.exe
    mshta C:\ProgramData\vlEUL.rtf
    1⤵
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\vlEUL.rtf
    MD5

    031c5dfeaa97b80bff2c5fd7999352ac

    SHA1

    0e89ec2d13631c157f7e577b7617099bc5e45cd5

    SHA256

    6fbff6199b9a527c7a6c5ccec275a8ffda62f13b4ad29700075c2a8c217b11b6

    SHA512

    766d84ace8e3d0683ab534c2c45bbedbd731121f0bf330edef51ae787350b8a6c81b6d0e103832c185677cdf778bd5567c877ff5e90e3e7ec2ed298c1f11529c

    Download Submit
  • memory/1640-63-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-60-0x000000002FB51000-0x000000002FB54000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2004-61-0x0000000071B91000-0x0000000071B93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2004-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2004-64-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download