Resubmissions

09-12-2021 18:02

211209-wmrwraeefm 10

09-12-2021 13:54

211209-q7h7fsdecm 10

07-12-2021 10:30

211207-mjt29sggaq 10

Analysis

  • max time kernel
    129s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    09-12-2021 18:02

General

  • Target

    inv856837915323.xlsb

  • Size

    79KB

  • MD5

    a8b05f0781be741710594ec8616540c7

  • SHA1

    fac6283173d33ac0ec42603afbf7c0af18bf7bee

  • SHA256

    30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e

  • SHA512

    907ce01a72b4cd2909f6647f4b555119ac03d52bafd06c10417e065c2653338f95fb491658a553137616e4cc5bb82f42df4eb8485c2435c7d20cf29e07bdac42

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inv856837915323.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process call create "explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:3760
  • C:\Windows\explorer.exe
    explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs
    1⤵
    • Process spawned unexpected child process
    PID:1460
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\IeVgaFSGRUxioNf.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\IeVgaFSGRUxioNf.vbs
    MD5

    b82665a44b5a93f559f6113a36014821

    SHA1

    0bcf4e4a4108a2441f0e6a3ad6ef6dab564495cf

    SHA256

    97fa2bd6c47708026aac44870d85307753405d520370d67eeedabffe91e032b0

    SHA512

    6bd18225dfe26b78ffa1910c34f397312d5698049abbf4d646b51966d6237c4afb39d6ba058ffb04e831b3bcc13e781146f681f6a9843cdf0c6e9d51d2fe27b7

  • memory/2724-115-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
    Filesize

    64KB

  • memory/2724-116-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
    Filesize

    64KB

  • memory/2724-117-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
    Filesize

    64KB

  • memory/2724-118-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
    Filesize

    64KB

  • memory/2724-119-0x000001FE153C0000-0x000001FE153C2000-memory.dmp
    Filesize

    8KB

  • memory/2724-120-0x000001FE153C0000-0x000001FE153C2000-memory.dmp
    Filesize

    8KB

  • memory/2724-121-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
    Filesize

    64KB

  • memory/2724-122-0x000001FE153C0000-0x000001FE153C2000-memory.dmp
    Filesize

    8KB

  • memory/3676-278-0x0000000000000000-mapping.dmp
  • memory/3760-266-0x0000000000000000-mapping.dmp