Overview

overview

10

Static

static

8

Invoice-IOMVP.xlsb

windows7_x64

10

Invoice-IOMVP.xlsb

windows10_x64

1

Analysis

  • max time kernel
    141s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-10-2021 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice-IOMVP.xlsb

  • Size

    315KB

  • MD5

    2cab816d158d5e2d84fab6d37b377c92

  • SHA1

    581824c7553ad46aae4db994f80ea375d2273664

  • SHA256

    d7105039328f0029cddf86ed266c29a4aab078fb5f04506b95922466f709a513

  • SHA512

    9b6a23bec6dd7945dd4d6ffd0ab00656d5b7c54dee79946d2cf969cb3f715a228697763699e15c9302d44333c6a44549452fb415dba405bad0dee9aa61635059

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice-IOMVP.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic process call create 'mshta C:\ProgramData\jGKaooqEDeGraw.rtf'
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:520
  • C:\Windows\system32\mshta.exe
    mshta C:\ProgramData\jGKaooqEDeGraw.rtf
    1⤵
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\jGKaooqEDeGraw.rtf
    MD5

    31caf86f93a425b2807eaab9095968f2

    SHA1

    280c285d680626e69c86db35b2e7a41a591aa898

    SHA256

    fd93ba788727b818dbed02edde316946e7d8930e2b65f8808cc842750c0162ec

    SHA512

    b7b89bf080ecbb70f9207a937e2c5c32c47f05dff922582ea717e3344895bfbe76ccba2472c1f34b55d982a020414e2a1b537fd02eda6937c428160a8a873add

    Download Submit
  • memory/520-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1892-60-0x000000002FB91000-0x000000002FB94000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1892-61-0x00000000714E1000-0x00000000714E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1892-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1892-64-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download