Overview

overview

10

Static

static

8

inv856837915323.xlsb

windows7_x64

10

inv856837915323.xlsb

windows10_x64

10

Resubmissions

09-12-2021 18:02

211209-wmrwraeefm 10

09-12-2021 13:54

211209-q7h7fsdecm 10

07-12-2021 10:30

211207-mjt29sggaq 10

Analysis

  • max time kernel
    123s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    09-12-2021 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    inv856837915323.xlsb

  • Size

    79KB

  • MD5

    a8b05f0781be741710594ec8616540c7

  • SHA1

    fac6283173d33ac0ec42603afbf7c0af18bf7bee

  • SHA256

    30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e

  • SHA512

    907ce01a72b4cd2909f6647f4b555119ac03d52bafd06c10417e065c2653338f95fb491658a553137616e4cc5bb82f42df4eb8485c2435c7d20cf29e07bdac42

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inv856837915323.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process call create "explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
  • C:\Windows\explorer.exe
    explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs
    1⤵
    • Process spawned unexpected child process
    PID:2276
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\IeVgaFSGRUxioNf.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:2908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2732-115-0x00007FFF65860000-0x00007FFF65870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2732-116-0x00007FFF65860000-0x00007FFF65870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2732-117-0x00007FFF65860000-0x00007FFF65870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2732-118-0x00007FFF65860000-0x00007FFF65870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2732-119-0x0000020140CF0000-0x0000020140CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2732-120-0x0000020140CF0000-0x0000020140CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2732-121-0x00007FFF65860000-0x00007FFF65870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2732-122-0x0000020140CF0000-0x0000020140CF2000-memory.dmp

    Filesize

    8KB

    Download