Overview

overview

10

Static

static

8

Invoice-63...3.xlsb

windows7_x64

10

Invoice-63...3.xlsb

windows10_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    13-10-2021 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice-630405_20211013.xlsb

  • Size

    283KB

  • MD5

    4a017ea95998067010e773e0047643c8

  • SHA1

    c4c6344280074cc96f7ccfbe99c9c2483c5cbe50

  • SHA256

    08d2efae12306032ed57faac347ddfade5192a382612014409216497e6e3ff51

  • SHA512

    f31a6267a53c35535716e7a162fc4ddd3582b98a7444f4a3cf70226fce1f7adb28cbbab9c16b08b730111c43d9556778074cfe4baa0d00516503750fc13cf5ea

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice-630405_20211013.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process call create 'mshta C:\ProgramData\ubZVowtaYzhCZEz.rtf'
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
  • C:\Windows\system32\mshta.exe
    mshta C:\ProgramData\ubZVowtaYzhCZEz.rtf
    1⤵
    • Process spawned unexpected child process
    PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ubZVowtaYzhCZEz.rtf
    MD5

    cdc72376df95397e44787c6683ba2485

    SHA1

    5cbc8724c3444eaa2d5b17e299e2ab9de136ad68

    SHA256

    451408c55bfd913a8f1f295a58a6dc20c9bfef11adacf3988597dc728c05ca40

    SHA512

    2380e4e0b449f0c8997af44251f26d0c32ce48d01431e6cc31c6c1d20ec9fb8cc28fd32504d529074ed2bb4059f01f217ac56578cc6917d4f20c01b6f0095532

    Download Submit
  • memory/2160-115-0x00007FF937A30000-0x00007FF937A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-116-0x00007FF937A30000-0x00007FF937A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-117-0x00007FF937A30000-0x00007FF937A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-118-0x00007FF937A30000-0x00007FF937A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-119-0x0000026AA9A40000-0x0000026AA9A42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2160-120-0x0000026AA9A40000-0x0000026AA9A42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2160-121-0x00007FF937A30000-0x00007FF937A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-122-0x0000026AA9A40000-0x0000026AA9A42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2160-128-0x00007FF934D50000-0x00007FF934D60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2160-129-0x00007FF934D50000-0x00007FF934D60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2868-284-0x0000000000000000-mapping.dmp
    Download