Overview

overview

10

Static

static

8

Doc_3744.xls

windows7_x64

10

Doc_3744.xls

windows10_x64

1

Resubmissions

28-02-2021 17:05

210228-pjgnbjwth2 8

27-02-2021 12:13

210227-bpkha5za7s 8

27-02-2021 04:19

210227-7c1xkzg346 10

27-02-2021 03:32

210227-2xwvzgykxs 8

27-02-2021 03:29

210227-qgrlcph782 8

27-02-2021 03:16

210227-k82qfdjlve 8

27-02-2021 02:45

210227-mjxh7bv4wj 8

27-02-2021 02:23

210227-w6qfkjy5ha 8

27-02-2021 02:06

210227-r385kvgs32 8

26-02-2021 23:10

210226-yds8gthfax 8

Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    27-02-2021 04:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc_3744.xls

  • Size

    62KB

  • MD5

    47e22049644647ee854cedfe077156e7

  • SHA1

    20ad9f47616a8272dece2ec1039a88c09412c97c

  • SHA256

    5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a

  • SHA512

    1eeb87173378f4d0e157ee42f5b28e48ff84a35b44d71f004a6180cc2bdbc09e45c071adc7ab0a94c75071fbe3ee13b939ee8cb216b6f2e06c9c24ca34dbbf1b

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://hrdgschool.com/logs.php

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes itself 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Doc_3744.xls
    1⤵
    • Deletes itself
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" EXPORT HKCU\Software\Microsoft\Office\14.0\Excel\Security C:\Users\Public\Documents\icSz4h.txt /y
      2⤵
      • Process spawned unexpected child process
      PID:948
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\f4myZ.txt,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:1712
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    4c74ef19c350acfdd9b596389b32fb41

    SHA1

    c350b4e038a8ab3b131dbc938838791250e37aca

    SHA256

    04ca75ec47c3c1d6bce7475c164ef7b3fe6ed51a922ed1a68bfdfb9bd80c27d1

    SHA512

    c9df5cefa32d99e54e67f5a2987494ccfa3a986c3770327b80958fa7202863c4cd5eece53a42141ff8d5a97352493aa5a307a0899d615b8784fd0c24b4b02035

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    bd0684495c6ed9ccbb74049d66528217

    SHA1

    6e3bf3a1d99f63d8d29960e1fa4fe6c6e68651e2

    SHA256

    2a6f6011c9c6143309f7dcb87cc327b4ce1e06f7851a6bbb964f534494f0fd81

    SHA512

    2be87bab5c8a4fb0e302ce485454dd3c16df32ea66f0436d36ce3b4abd8e68966f5428247dc54ec1de24c61e02d92685c2ba0fce21a05e2c0cee4c7977d93444

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5

    cea1bd5552791d4d5559bee4d519dcf6

    SHA1

    c7e477203ce1eb80f2ecec6987fed35ed4526581

    SHA256

    e7c7d9cd4bf6fb10e1883d737595a66bd755f05dfc9c44a6b27d83a5acd85338

    SHA512

    97174da3f2508adbc09abc1439d58219e3006ac40fb472a1cddeca3f80cf038dcc43e7873bb8c6eb2ab07b3e2affac60b013f3cbb5a8abfd01b22b31f2dcb278

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EU1VF8H1.txt
    MD5

    f650c5d884ff92acb8bc0acc9ccfcea9

    SHA1

    ac97dd517f414901fc43026e4d75d739de6b72b2

    SHA256

    96a9250cf2815986273c5efb23f976f319d02844ea8f3ae8157cff3936b727fa

    SHA512

    6dd60a350abeae41a9995740f1fd649932090b2038543d24ee1afb84ec604aaaafeb57a0534005f8b658fb986747349e095ca2e5aa10035b40e2a2ff278809d0

    Download Submit
  • C:\Users\Public\Documents\f4myZ.txt
    MD5

    27e959ba550fe6db4729f2783a8dc0fa

    SHA1

    1a35677258815466ef3650992e723572d7985d39

    SHA256

    25ece08ea2ab3a7e098acdfe8f0b838115b9c0205af9316a9566475aa3cba3ee

    SHA512

    3ad81b98ba87b797e6acba483525b4508e425c786c1191002ed7b41a77e1f49b80adeb86275d01006a270e974136f665b8a859fbe655dccc0e764f0295a72c1a

    Download Submit
  • C:\Users\Public\Documents\icSz4h.txt
    MD5

    0fe67c780f78b7bc159f5f9ad261bf72

    SHA1

    d4cabbdc62b8a26f3b4cd5ea74d11b77fd2275a9

    SHA256

    114df025f7114719c81f1cb34e00f17cf9a61e079e039aba127b100e4bb64c10

    SHA512

    b7e3f16a65443d0bd70b7298877c337113c490f6faa26aa141c497680377d80878122bb916814cc847e5f3cafe135b1ac05213285ff053d61109a41cea3775e2

    Download Submit
  • memory/948-12-0x0000000000000000-mapping.dmp
    Download
  • memory/1316-8-0x0000000004870000-0x0000000004871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1316-5-0x000007FEFC1C1000-0x000007FEFC1C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1524-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1604-2-0x000000002F2D1000-0x000000002F2D4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1604-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1604-3-0x00000000719C1000-0x00000000719C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1712-16-0x0000000000000000-mapping.dmp
    Download
  • memory/1712-17-0x0000000076341000-0x0000000076343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1716-6-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
    Filesize

    2.5MB

    Download