Resubmissions

19-10-2021 14:25

211019-rrls3sgab7 1

19-10-2021 13:57

211019-q9bkdsggfr 5

Analysis

  • max time kernel
    85s
  • max time network
    83s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    19-10-2021 13:57

General

  • Target

    PYMT_REM_ADV_98213.xlsx

  • Size

    72KB

  • MD5

    81fa87f1be9eba0b544bbcb9ef83da92

  • SHA1

    ca142b673511a23c83b75d1a88be63d917db6bf5

  • SHA256

    f59ec845137bfe743776440971d1304dbe17761834dcf3c7d6766b40757e2caf

  • SHA512

    f9ddf1e8d19ee88f431151cc08bb583ce75fc74f13505714b509a8b05ebb731fc387dc38cc2098017f2e2f82396784c29d8dcfd8ff3dcfa1fcb2eb0821c897f0

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Drops file in Windows directory 7 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PYMT_REM_ADV_98213.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2492
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3948
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2092
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2520
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3216
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3520
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:992
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    PID:2484
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    PID:2704
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4208
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (1 signature) T1112
  • Discovery: Query Registry (2 signatures) T1012
  • Discovery: System Information Discovery (2 signatures) T1082


Downloads
