Overview

overview

10

Static

static

8

3bca199764...b.xlsm

windows7_x64

10

3bca199764...b.xlsm

windows10-2004_x64

10

Analysis

  • max time kernel
    4294217s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    29-03-2022 23:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bca1997648eb70fd53abcfd9f5b1880b58daea9aa4c8b434790ebb81ace182b.xlsm

  • Size

    1.6MB

  • MD5

    5fab2a427175d69f010acfd2caff68b0

  • SHA1

    69657f55e9fdc505a3681c4e5df680aecb89a780

  • SHA256

    3bca1997648eb70fd53abcfd9f5b1880b58daea9aa4c8b434790ebb81ace182b

  • SHA512

    1cf9b4ee4fb60906198e18a182bce4622bd6c5bef8ef32bedb38442c75c7966cc5ba705730dc3f3cc07dfb4cf60f9b7e70daa3c6975cca8cd405f4ac84e666ad

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3bca1997648eb70fd53abcfd9f5b1880b58daea9aa4c8b434790ebb81ace182b.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1920
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "& ($env:TEMP + \"\SPD.exe\") \"[email protected]\" \"Nhh2H5urwHv0\" \"https://finansco.sharepoint.com/Delte dokumenter/Finansco Gruppen Fellesmappe/Modellporteføljer/\" \"Produktark MPF Kopi.xlsx\""
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Users\Admin\AppData\Local\Temp\SPD.exe
          "C:\Users\Admin\AppData\Local\Temp\SPD.exe" [email protected] Nhh2H5urwHv0 "https://finansco.sharepoint.com/Delte dokumenter/Finansco Gruppen Fellesmappe/Modellporteføljer/" "Produktark MPF Kopi.xlsx"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:540

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit
    • memory/540-72-0x00000000003D0000-0x000000000041C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/540-71-0x000000001AF10000-0x000000001AF12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/540-70-0x0000000001380000-0x00000000013CE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/540-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-62-0x00000000755A1000-0x00000000755A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1612-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-69-0x0000000069EB0000-0x000000006A45B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1616-54-0x000000002FD31000-0x000000002FD34000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1616-60-0x00000000049A0000-0x00000000049A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1616-57-0x000000007249D000-0x00000000724A8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1616-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1616-55-0x00000000714B1000-0x00000000714B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1920-59-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1920-58-0x0000000000000000-mapping.dmp
      Download