Overview

overview

10

Static

static

8

e21010888e...a.xlsm

windows7_x64

10

e21010888e...a.xlsm

windows10-2004_x64

8

Analysis

  • max time kernel
    38s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e21010888e225acdde63d87ce30b68ab61c12ee91400820d3c151e0f0daacd1a.xlsm

  • Size

    329KB

  • MD5

    8ade3b8c742363c77c3ed28e604f1fe8

  • SHA1

    c2bec21e2069d78792b15ac6e14f1ad1c7488870

  • SHA256

    e21010888e225acdde63d87ce30b68ab61c12ee91400820d3c151e0f0daacd1a

  • SHA512

    9312a754f725338c35faa890bf95410b9108e3b79ca5af9939a20158132c81480e5224b9a672bf82996a9b25810233977035c89a934430330dd53ca5ab955612

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e21010888e225acdde63d87ce30b68ab61c12ee91400820d3c151e0f0daacd1a.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4072
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 335d0c19940c43dbb80056fd0bdd82dc ZaF5+7XqpEqckbHRBUmEGQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1308
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1524-137-0x00000216905A0000-0x00000216905B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1524-144-0x0000021693980000-0x0000021693984000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4072-130-0x00007FFD1AE30000-0x00007FFD1AE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4072-131-0x00007FFD1AE30000-0x00007FFD1AE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4072-132-0x00007FFD1AE30000-0x00007FFD1AE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4072-133-0x00007FFD1AE30000-0x00007FFD1AE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4072-134-0x00007FFD1AE30000-0x00007FFD1AE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4072-135-0x00007FFD18DD0000-0x00007FFD18DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4072-136-0x00007FFD18DD0000-0x00007FFD18DE0000-memory.dmp

    Filesize

    64KB

    Download