Overview

overview

10

Static

static

8

Kiki

windows7_x64

10

Resubmissions

17/12/2020, 18:31

201217-fxv9p8zbw6 10

06/10/2020, 11:21

201006-tp1644sm8j 8

Analysis

  • max time kernel
    63s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17/12/2020, 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    inv1535.xls

  • Size

    41KB

  • MD5

    a25f16b71feac96810800c7d281a93d8

  • SHA1

    e5d716e4d3687e79e99a70607bcbcec37ebfa73d

  • SHA256

    69ab644fb35bff52b9fb5b4d8cff404ea4269d01a0dc34ab7bac1fd9e353ef09

  • SHA512

    36e1890c5f269af77af20639048866267aec0d3d6a5184a35d89f7fd7c62a6406ea485801760b8301a8fcf73202c597499b061cb547f5ba37282b8be6c3c88bf

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://hacemosmarketingdigital.com.ar/6bbktc.php
xlm40.dropper

https://heimat-harz.com/zgwykq.php
xlm40.dropper

https://hgt.vaduni.vn/tjxxhk.php
xlm40.dropper

https://hoanggiang.tk/kgqbsf.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inv1535.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\System32\cmd.exe
      2⤵
      • Process spawned unexpected child process
      PID:1156
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\system32\reg.exe
        reg query HKCU\Software\Microsoft\Office\14.0\Excel\Security /v VBAWarnings
        3⤵
        • Modifies registry key
        PID:592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1328-6-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp

    Filesize

    2.5MB

    Download