Overview

overview

10

Static

static

8

Bill_PYWTF0.xlsb

windows7_x64

10

Bill_PYWTF0.xlsb

windows11_x64

1

Bill_PYWTF0.xlsb

windows10_x64

10

Bill_PYWTF0.xlsb

windows10_x64

10

Resubmissions

14-10-2021 15:17

211014-spccasafhl 10

14-10-2021 15:09

211014-sjvaxshhh2 8

Analysis

  • max time kernel
    8s
  • max time network
    137s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    14-10-2021 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bill_PYWTF0.xlsb

  • Size

    264KB

  • MD5

    29be144375ee1609c2c1fd63ae2ff514

  • SHA1

    f37a8d5da9424bd916ed1c572b15173b5f430dd2

  • SHA256

    1296ca015baa3dfae62d8cd6f6c1c1513fb919201a6c11f3df1474700d57fb26

  • SHA512

    7873fffbc179dc3e8b415b72c2c3b736c7f4164e1a8a33c6d38cae5902466059f2fe50adf9ff0f2bba8411d373ceca02a950df9fd263624ab03014cf9879d752

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 40 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Bill_PYWTF0.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4868
  • C:\Windows\System32\Upfc.exe
    C:\Windows\System32\Upfc.exe /launchtype periodic /cv 5HeQu1KvjES1HkKiGcKODQ.0
    1⤵
      PID:3760
    • C:\Windows\System32\sihclient.exe
      C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
      1⤵
      • Modifies data under HKEY_USERS
      PID:4600
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -s W32Time
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3844
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
        PID:5020
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
        1⤵
          PID:436
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 0572ccaef2b24c13cc022f6927cba2fc 5HeQu1KvjES1HkKiGcKODQ.0.1.0.3.0
          1⤵
            PID:3136
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
            1⤵
              PID:920
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
              1⤵
                PID:2000

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/920-164-0x000001D8718A0000-0x000001D8718A4000-memory.dmp
                Filesize

                16KB

                Download
              • memory/2116-186-0x0000000000000000-mapping.dmp
                Download
              • memory/4868-166-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-185-0x0000027225030000-0x0000027225036000-memory.dmp
                Filesize

                24KB

                Download
              • memory/4868-150-0x00007FFFB9D70000-0x00007FFFB9D80000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-167-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-152-0x00007FFFB9D70000-0x00007FFFB9D80000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-153-0x00007FFFB9D70000-0x00007FFFB9D80000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-154-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-155-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-156-0x00007FFFD4720000-0x00007FFFD580E000-memory.dmp
                Filesize

                16.9MB

                Download
              • memory/4868-157-0x00007FFFD26D0000-0x00007FFFD45C5000-memory.dmp
                Filesize

                31.0MB

                Download
              • memory/4868-158-0x00007FFFB7600000-0x00007FFFB7610000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-159-0x00007FFFB7600000-0x00007FFFB7610000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-162-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-163-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-169-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-165-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-184-0x0000027225030000-0x0000027225036000-memory.dmp
                Filesize

                24KB

                Download
              • memory/4868-168-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-151-0x00007FFFB9D70000-0x00007FFFB9D80000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-149-0x00007FFFB9D70000-0x00007FFFB9D80000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4868-171-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-170-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-172-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-173-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-175-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-174-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-176-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-177-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-178-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-179-0x0000027225030000-0x0000027225032000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4868-180-0x0000027225030000-0x0000027225034000-memory.dmp
                Filesize

                16KB

                Download
              • memory/4868-181-0x0000027225030000-0x0000027225036000-memory.dmp
                Filesize

                24KB

                Download
              • memory/4868-182-0x0000027225030000-0x0000027225036000-memory.dmp
                Filesize

                24KB

                Download
              • memory/4868-183-0x0000027225030000-0x0000027225036000-memory.dmp
                Filesize

                24KB

                Download
              • memory/5020-146-0x00000203F9D70000-0x00000203F9D80000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5020-148-0x00000203FA9D0000-0x00000203FA9D4000-memory.dmp
                Filesize

                16KB

                Download
              • memory/5020-147-0x00000203FA820000-0x00000203FA830000-memory.dmp
                Filesize

                64KB

                Download