Overview

overview

10

Static

static

8

Invoice-59...4.xlsb

windows7_x64

10

Invoice-59...4.xlsb

windows10_x64

10

Resubmissions

09-12-2021 18:02

211209-wmyz3aeefp 10

09-12-2021 13:52

211209-q6fpyadeck 10

18-10-2021 09:36

211018-lkztgaecbm 10

04-10-2021 17:53

211004-wgpjfaggb4 10

Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-12-2021 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice-5959498320211004.xlsb

  • Size

    132KB

  • MD5

    887bc475305003bdc34e671a2f3bd080

  • SHA1

    7625f787be7479bf54addeff0ce7107cf0f59f23

  • SHA256

    7e0b4b26bafd471703fac1db25b24936230aecad95732e66420184d717a111ee

  • SHA512

    efb52e8c1fdf6e7cbc80b951220e25c78be0aad5c24b732696784b9b4d5d2c7a284df11fb0f524f64fa3f39a887069599c91f5233062d2aa8c01617104dd9ccd

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice-5959498320211004.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic process call create 'mshta C:\ProgramData\vlEUL.rtf'
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
  • C:\Windows\system32\mshta.exe
    mshta C:\ProgramData\vlEUL.rtf
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\system32\mshta.exe
      mshta C:\\ProgramData\penchs.rtf
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\System32\Wbem\wmic.exe
        wmic process call create "rundll32.exe C:\\ProgramData\penchs.png HalGetVectorInput"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\\ProgramData\penchs.png HalGetVectorInput
    1⤵
    • Process spawned unexpected child process
    PID:1160

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1776-53-0x000000002FB31000-0x000000002FB34000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1776-54-0x0000000071B41000-0x0000000071B43000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1776-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1776-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download