Resubmissions

  • 28-02-2021 17:05  210228-pjgnbjwth2  (score 8)
  • 27-02-2021 12:13  210227-bpkha5za7s  (score 8)
  • 27-02-2021 04:19  210227-7c1xkzg346  (score 10)
  • 27-02-2021 03:32  210227-2xwvzgykxs  (score 8)
  • 27-02-2021 03:29  210227-qgrlcph782  (score 8)
  • 27-02-2021 03:16  210227-k82qfdjlve  (score 8)
  • 27-02-2021 02:45  210227-mjxh7bv4wj  (score 8)
  • 27-02-2021 02:23  210227-w6qfkjy5ha  (score 8)
  • 27-02-2021 02:06  210227-r385kvgs32  (score 8)
  • 26-02-2021 23:10  210226-yds8gthfax  (score 8)

Analysis

  • max time kernel: 120s
  • max time network: 139s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 27-02-2021 02:23

General

  • Target: Doc_3744.xls
  • Size: 62KB
  • MD5: 47e22049644647ee854cedfe077156e7
  • SHA1: 20ad9f47616a8272dece2ec1039a88c09412c97c
  • SHA256: 5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a
  • SHA512: 1eeb87173378f4d0e157ee42f5b28e48ff84a35b44d71f004a6180cc2bdbc09e45c071adc7ab0a94c75071fbe3ee13b939ee8cb216b6f2e06c9c24ca34dbbf1b

Score: 1/10

Signatures

  • Checks processor information in registry (2 TTPs, 6 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 49 IoCs)
  • Modifies registry class (56 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (34 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_3744.xls"
    PID: 4772
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx

  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    PID: 528
    • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\reg.exe
        reg export HKCU c:\users\admin\Documents\1.txt
        PID: 2856

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4708
    • Suspicious use of WriteProcessMemory
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID: 232
        • Checks processor information in registry
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="232.0.1484057031\1705473199" -parentBuildID 20200403170909 -prefsHandle 1504 -prefMapHandle 1476 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 232 "\\.\pipe\gecko-crash-server-pipe.232" 1600 gpu
            PID: 4532

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 4264
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4264 CREDAT:82945 /prefetch:2
        PID: 4136
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx

  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    PID: 2308

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (2); System Information Discovery, T1082 (2)


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CJ1EEGE5.cookie
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EZ5XWKEC.cookie
  • C:\Users\Admin\Documents\1.txt
  • memory/232-8-0x0000000000000000-mapping.dmp
  • memory/2856-7-0x0000000000000000-mapping.dmp
  • memory/4136-81-0x0000000000000000-mapping.dmp
  • memory/4532-233-0x0000000000000000-mapping.dmp
  • memory/4772-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (Filesize 64KB)
  • memory/4772-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (Filesize 64KB)
  • memory/4772-5-0x00007FFBE4360000-0x00007FFBE4997000-memory.dmp (Filesize 6.2MB)
  • memory/4772-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (Filesize 64KB)
  • memory/4772-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (Filesize 64KB)