Analysis
-
max time kernel
157s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
27-01-2023 13:10
General
-
Target
10ff7959558189167db85dd91f6741befe3b5505c6caddfd259c4e3e864c1056.xls
-
Size
468KB
-
MD5
54a0857ef1b0d0833d4f8d907b6586a7
-
SHA1
b7133b4c386b415ecc3897eff44f424d9f079575
-
SHA256
10ff7959558189167db85dd91f6741befe3b5505c6caddfd259c4e3e864c1056
-
SHA512
89981ba0e4f410e1ac63117be255b6490c518304d0fd9c93c1ef25048c545d32e5dd3e420f5c18de84a5d70f7b86def4c41fffe3f98809469080f8852ac659c5
-
SSDEEP
6144:uh0k5eq1h0k5eqnh0k5eO6h0k5eq7UZ+RwPONXoRjDhIcp0fDlavx+W26nA4W6r6:uykdykvykeykf4MYyqk5q8
Malware Config
Signatures
-
Detect PureCrypter injector 1 IoCs
-
Detects Smokeloader packer 4 IoCs
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\10ff7959558189167db85dd91f6741befe3b5505c6caddfd259c4e3e864c1056.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\vbc.exeC:\Users\Public\vbc.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeFilesize
24KB
MD528cfc00452c4e3e6c0082fdca3c520fc
SHA11260166c856aee0225371c7ab269f3a228cf8fb5
SHA25693b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e
SHA5128413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8
-
C:\Users\Public\vbc.exeFilesize
24KB
MD528cfc00452c4e3e6c0082fdca3c520fc
SHA11260166c856aee0225371c7ab269f3a228cf8fb5
SHA25693b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e
SHA5128413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8
-
C:\Users\Public\vbc.exeFilesize
24KB
MD528cfc00452c4e3e6c0082fdca3c520fc
SHA11260166c856aee0225371c7ab269f3a228cf8fb5
SHA25693b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e
SHA5128413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8
-
\Users\Public\vbc.exeFilesize
24KB
MD528cfc00452c4e3e6c0082fdca3c520fc
SHA11260166c856aee0225371c7ab269f3a228cf8fb5
SHA25693b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e
SHA5128413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8
-
memory/596-79-0x0000000000402EF0-mapping.dmp
-
memory/596-75-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/596-83-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/596-82-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/596-78-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/596-76-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/976-67-0x0000000000000000-mapping.dmp
-
memory/976-70-0x0000000067180000-0x000000006772B000-memory.dmpFilesize
5.7MB
-
memory/976-71-0x0000000004BA0000-0x0000000004E72000-memory.dmpFilesize
2.8MB
-
memory/976-72-0x0000000067180000-0x000000006772B000-memory.dmpFilesize
5.7MB
-
memory/976-73-0x0000000067180000-0x000000006772B000-memory.dmpFilesize
5.7MB
-
memory/1236-86-0x000007FEF6050000-0x000007FEF6193000-memory.dmpFilesize
1.3MB
-
memory/1236-87-0x000007FF33470000-0x000007FF3347A000-memory.dmpFilesize
40KB
-
memory/1476-64-0x0000000000EB0000-0x0000000000EBC000-memory.dmpFilesize
48KB
-
memory/1476-66-0x0000000006120000-0x0000000006376000-memory.dmpFilesize
2.3MB
-
memory/1476-61-0x0000000000000000-mapping.dmp
-
memory/1476-74-0x0000000004E10000-0x0000000004E56000-memory.dmpFilesize
280KB
-
memory/1928-58-0x0000000074AD1000-0x0000000074AD3000-memory.dmpFilesize
8KB
-
memory/1928-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-54-0x000000002F0B1000-0x000000002F0B4000-memory.dmpFilesize
12KB
-
memory/1928-55-0x0000000070D81000-0x0000000070D83000-memory.dmpFilesize
8KB
-
memory/1928-57-0x0000000071D6D000-0x0000000071D78000-memory.dmpFilesize
44KB
-
memory/1928-84-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-85-0x0000000071D6D000-0x0000000071D78000-memory.dmpFilesize
44KB
-
memory/1928-69-0x0000000071D6D000-0x0000000071D78000-memory.dmpFilesize
44KB