Overview

overview

10

Static

static

8

Document10...21.xls

windows7_x64

10

Document10...21.xls

windows10_x64

10

Analysis

  • max time kernel
    69s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-02-2021 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document1094680387_02012021.xls

  • Size

    63KB

  • MD5

    9423ee9775707d51960e0eac95b3f6cc

  • SHA1

    debc0defc997fde77a2f0cee9b3b1fcbed54ea91

  • SHA256

    7034e21128da9ce58c2d5249d3fd73dd766cf90437fa52f79faa50098f359634

  • SHA512

    0cff3519c5453bdeb13201849c571cbb142ed6780c2e6cae572104904af1190ff4d4e068ff0109953745b153fc219c618519318cadd4dcac300b3d280643bc53

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document1094680387_02012021.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\MORI.BAST,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\MORI.BAST
    MD5

    e26ee80220371f5321384cd23c4235c4

    SHA1

    330b69b8e3463651a683419cdcdeb35f79650094

    SHA256

    b0817350c3c25ecf4cfbe28c8839e4c09f3a5b813c96ef62861b707ba2ae1742

    SHA512

    1f486c027cf5fe3efeb9e5601ab43e2201866f28db9226d02cb2727cb29e3b450d171cdd7454982d162dcc495141b86f2c28502678d9cfaa484f666ce116fb5b

    Download Submit
  • memory/668-6-0x0000000000000000-mapping.dmp
    Download
  • memory/668-7-0x0000000076071000-0x0000000076073000-memory.dmp
    Filesize

    8KB

    Download
  • memory/776-2-0x000000002FBC1000-0x000000002FBC4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/776-3-0x0000000071371000-0x0000000071373000-memory.dmp
    Filesize

    8KB

    Download
  • memory/776-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1780-5-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp
    Filesize

    2.5MB

    Download