Overview

overview

10

Static

static

8

48005.xls

windows7_x64

10

48005.xls

windows10_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48005.xls

  • Size

    80KB

  • MD5

    e0fcfaac8d385a1bcab28b834b9af2a0

  • SHA1

    fcbbbb624a8903e4d4e69081fc1f1ccbd0958405

  • SHA256

    aba105fe8ad27d96d744c4f5d2387feef994420bc55db7df3307c33cff080e30

  • SHA512

    a6514afec518f1795b24a1b98e1d75ded765a46a5671c3ec3d528849ee6cf57c0fa98c4264a67cc9c029be6a445d7fc6c879d07619b70a7f9d8a0626a4f84d90

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\48005.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\System32\certutil.exe" -decodehex C:\Users\Public\3094.txt C:\Users\Public\3094.dll
      2⤵
      • Process spawned unexpected child process
      PID:1080
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Public\3094.dll,D
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      PID:332

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\3094.dll
    MD5

    09aa345445d3b9770f913be946a56738

    SHA1

    2c745814ef7f3e1cefe6e468532422c5d0071aeb

    SHA256

    37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77

    SHA512

    054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9

    Download Submit
  • C:\Users\Public\3094.txt
    MD5

    652620d75f7d14f0b5fb7adaef835c11

    SHA1

    be88d1a4be7db5170f26cb3068783cb78ad92cf4

    SHA256

    c8f9a6c0d639d9dbe1c432ca1415fa1129f7c1cda3e8febb4dc961763039a774

    SHA512

    7ee326b9621285e412811cd01e829e789a89d8916cd39bb45eed92b82615e8595e704c30cfc674778f929249b387a510e0996c105e81eec56670871ca9da7f79

    Download Submit
  • \Users\Public\3094.dll
    MD5

    09aa345445d3b9770f913be946a56738

    SHA1

    2c745814ef7f3e1cefe6e468532422c5d0071aeb

    SHA256

    37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77

    SHA512

    054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9

    Download Submit
  • \Users\Public\3094.dll
    MD5

    09aa345445d3b9770f913be946a56738

    SHA1

    2c745814ef7f3e1cefe6e468532422c5d0071aeb

    SHA256

    37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77

    SHA512

    054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9

    Download Submit
  • \Users\Public\3094.dll
    MD5

    09aa345445d3b9770f913be946a56738

    SHA1

    2c745814ef7f3e1cefe6e468532422c5d0071aeb

    SHA256

    37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77

    SHA512

    054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9

    Download Submit
  • \Users\Public\3094.dll
    MD5

    09aa345445d3b9770f913be946a56738

    SHA1

    2c745814ef7f3e1cefe6e468532422c5d0071aeb

    SHA256

    37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77

    SHA512

    054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9

    Download Submit
  • memory/332-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1080-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1616-2-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
    Filesize

    2.5MB

    Download