Overview

overview

10

Static

static

8

PQ_7498.xls

windows7_x64

10

PQ_7498.xls

windows10_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PQ_7498.xls

  • Size

    33KB

  • MD5

    20ce34e6dfd1f17d5e1e8564167c23bd

  • SHA1

    984045d9a670b781f4712611c87cc191380ef6f9

  • SHA256

    f9adf499bc16bfd096e00bc59c3233f022dec20c20440100d56e58610e4aded3

  • SHA512

    ef7fddfbbdb40f6b75d838397cad454a51822cbfec5e2dfbb8401784c518de74e9d707f9c44db2054be208735dba903035f1b75d7384fec5dc4c78275494514b

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://indiamedicalshow.com/visitors.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • JavaScript code in executable 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PQ_7498.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\KsB.txt,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:1980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\KsB.txt
    MD5

    4e5ce89c3b918418f0ba2877ddbac681

    SHA1

    836a131d71181eaeef36a5335433401aa9d5336e

    SHA256

    785ecbcaf597a8ac22c6a80a3c11f6927dfe6b6bceff2fa8a121df2484b20e33

    SHA512

    9724b5f2d225e1eaa8b591794ffb16a4fb79497eaf9b9040637ca5174ca8fb91f8406f9fc1941e9fd379e8bcd8c742196f8c66e39d871c71ab1715d508eecaec

    Download Submit
  • memory/968-5-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1864-2-0x000000002FBA1000-0x000000002FBA4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1864-3-0x0000000071201000-0x0000000071203000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1864-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1980-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1980-7-0x00000000760B1000-0x00000000760B3000-memory.dmp
    Filesize

    8KB

    Download