Overview

overview

10

Static

static

8

f8f89535dd...2.xlsm

windows7_x64

10

f8f89535dd...2.xlsm

windows10-2004_x64

8

Analysis

  • max time kernel
    33s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8f89535dd95260ce451b482a3927c05717e02b072db08f91e9c1b1d61e2ae12.xlsm

  • Size

    388KB

  • MD5

    b117106e2dfba4ba924274aeea50f789

  • SHA1

    76bb034d2e6cfe4ae6a585626cccc535b4a3c18c

  • SHA256

    f8f89535dd95260ce451b482a3927c05717e02b072db08f91e9c1b1d61e2ae12

  • SHA512

    e31c3af71b2d40554084c0123f8b6d9de9a8cc11d2b2ba5ac3893ace2d507d9e27af60eda596c6c2fea9b1a8d5355eb183628e9473823f7bffbb2c967cd31778

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f8f89535dd95260ce451b482a3927c05717e02b072db08f91e9c1b1d61e2ae12.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4212
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe cb4c4cf0e57f4c1db09665a13dfa00f8 jW5FwuBBW0STXcRNHPSlVw.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2220
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3068-137-0x0000022049730000-0x0000022049740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3068-138-0x0000022049790000-0x00000220497A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3068-139-0x000002204C4B0000-0x000002204C4B4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4212-130-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4212-131-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4212-132-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4212-133-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4212-134-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4212-135-0x00007FFE5FF80000-0x00007FFE5FF90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4212-136-0x00007FFE5FF80000-0x00007FFE5FF90000-memory.dmp

    Filesize

    64KB

    Download