Overview

overview

10

Static

static

8

test

windows7_x64

10

WIN7(10)

windows7_x64

10

Resubmissions

19-01-2021 16:47

210119-x991whxbve 10

19-01-2021 16:35

210119-4q8sxtj67a 8

Analysis

  • max time kernel
    1744s
  • max time network
    1708s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PQ_7498.xls

  • Size

    33KB

  • MD5

    20ce34e6dfd1f17d5e1e8564167c23bd

  • SHA1

    984045d9a670b781f4712611c87cc191380ef6f9

  • SHA256

    f9adf499bc16bfd096e00bc59c3233f022dec20c20440100d56e58610e4aded3

  • SHA512

    ef7fddfbbdb40f6b75d838397cad454a51822cbfec5e2dfbb8401784c518de74e9d707f9c44db2054be208735dba903035f1b75d7384fec5dc4c78275494514b

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://indiamedicalshow.com/visitors.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • JavaScript code in executable 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PQ_7498.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\KsB.txt,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:1552

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\KsB.txt
    MD5

    3704482d1d5baa2cf2b631b61e0f7935

    SHA1

    d628730532948cddbdde774ebc6508cafd4d2423

    SHA256

    15c07d4972a68c54cc2d18505215bb2c5485b3961e2cf9a8e917078a1bca8097

    SHA512

    f0455d6dbb90a431cbac16ebf17762e064b91e2e2bf1460a8d869bd10edecc47b146f781abb3876087caf9ed40b4ac47096b80fca05cb9d3994ba6a65263564c

    Download Submit

  • memory/1552-6-0x0000000000000000-mapping.dmp

    Download

  • memory/1552-7-0x0000000076241000-0x0000000076243000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1812-2-0x000000002FA31000-0x000000002FA34000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1812-3-0x0000000071241000-0x0000000071243000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1812-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1896-5-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp

    Filesize

    2.5MB

    Download