Overview

overview

10

Static

static

8

Kiki

windows7_x64

10

Resubmissions

17-12-2020 18:31

201217-fxv9p8zbw6 10

06-10-2020 11:21

201006-tp1644sm8j 8

Analysis

  • max time kernel
    63s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-12-2020 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    inv1535.xls

  • Size

    41KB

  • MD5

    a25f16b71feac96810800c7d281a93d8

  • SHA1

    e5d716e4d3687e79e99a70607bcbcec37ebfa73d

  • SHA256

    69ab644fb35bff52b9fb5b4d8cff404ea4269d01a0dc34ab7bac1fd9e353ef09

  • SHA512

    36e1890c5f269af77af20639048866267aec0d3d6a5184a35d89f7fd7c62a6406ea485801760b8301a8fcf73202c597499b061cb547f5ba37282b8be6c3c88bf

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://hacemosmarketingdigital.com.ar/6bbktc.php
xlm40.dropper

https://heimat-harz.com/zgwykq.php
xlm40.dropper

https://hgt.vaduni.vn/tjxxhk.php
xlm40.dropper

https://hoanggiang.tk/kgqbsf.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inv1535.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\System32\cmd.exe
      2⤵
      • Process spawned unexpected child process
      PID:1156
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\system32\reg.exe
        reg query HKCU\Software\Microsoft\Office\14.0\Excel\Security /v VBAWarnings
        3⤵
        • Modifies registry key
        PID:592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\R9SjPU.txt
    MD5

    27e2e68a9c88a4d1b9c7003f93382589

    SHA1

    922ee44627d6044eafe5ad3cd4c94eb1e35be049

    SHA256

    d8541ef8691e913c8a6c794cfef8cc608bcce7fdbe677e22d1921701edbb8c04

    SHA512

    8a0c4efa26bdb0114f010a5c1130f20fc80c6aa59d545473d285a226e9963a7fea8ad1314fbbfae132859c256b8690f0fd1751473fe08014f582164a61d880c5

    Download Submit

  • memory/592-4-0x0000000000000000-mapping.dmp

    Download

  • memory/1156-2-0x0000000000000000-mapping.dmp

    Download

  • memory/1328-6-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1840-3-0x0000000000000000-mapping.dmp

    Download