Overview

overview

8

Static

static

8

39831.xls

windows7_x64

1

39831.xls

windows10_x64

1

Resubmissions

04-03-2021 08:52

210304-j75tzr3r6n 8

04-03-2021 08:48

210304-m8yqkl1awa 8

04-03-2021 08:46

210304-bb9saj67xx 8

04-03-2021 08:07

210304-s65gytp48n 8

04-03-2021 08:00

210304-s4fe9phywa 8

04-03-2021 07:58

210304-7fges7mren 8

01-03-2021 22:43

210301-7y8wr7t7jj 8

01-03-2021 22:40

210301-nyl6dpb96e 8

01-03-2021 21:40

210301-qmk2grykva 10

01-03-2021 16:58

210301-2aqemcsxcn 8

Analysis

  • max time kernel
    59s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-03-2021 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39831.xls

  • Size

    58KB

  • MD5

    b5487815da8e8e15cfa3d2946f4b7132

  • SHA1

    3278e15e1761100b6e9bb98b2351594aebd3805d

  • SHA256

    409c0fdd23e87d2181aed6a283d83cdeaa1b7fbb685df01b5358febb0d09c8b8

  • SHA512

    8f70813984c0e10b37cc6f256d30dbc9648a07124e0771ba8d701f2eb3457fa57a19105ace52adb3b9e32ee9aaf6272e6fea32c00b1374fb54e1c984832d22c0

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\39831.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1724
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
    1⤵
      PID:1376
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\AppData\Local\Temp\087623607\zmstage.exe
        zmstage.exe
        2⤵
          PID:1544
        • C:\Users\Admin\AppData\Local\Temp\087623607\zmstage.exe
          zmstage.exe /?
          2⤵
            PID:308
          • C:\Users\Admin\AppData\Local\Temp\087623607\zmstage.exe
            zmstage.exe
            2⤵
              PID:1556
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe"
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1716

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/308-10-0x0000000000000000-mapping.dmp
            Download
          • memory/308-13-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/308-12-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/1376-5-0x000007FEFC601000-0x000007FEFC603000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1544-6-0x0000000000000000-mapping.dmp
            Download
          • memory/1544-7-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/1544-8-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/1544-9-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/1556-14-0x0000000000000000-mapping.dmp
            Download
          • memory/1556-16-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/1556-17-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/1716-19-0x0000000002B80000-0x0000000002B81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1724-2-0x000000002F261000-0x000000002F264000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1724-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1724-3-0x0000000071C61000-0x0000000071C63000-memory.dmp
            Filesize

            8KB

            Download