Overview

overview

10

Static

static

8

Debt-Detai...21.xls

windows7_x64

10

Debt-Detai...21.xls

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-03-2021 17:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Debt-Details-1318148499-03052021.xls

  • Size

    78KB

  • MD5

    e71d78a14a5f0a046e12ab09ff674533

  • SHA1

    e59eef89178ff2824777b7f5ca44e50950fff88e

  • SHA256

    903d82f687b952277d18912b1492339944d8632c139329ba5a32c4b6b47362bf

  • SHA512

    2b66cfad8c841373868ca9274c1ce8ed1f9a9666aacc8ae37256a628c9851e4b1a02579716b81f3408b8c5dfbf2e6d82ba4e7e219896dca41d5cfb1a39a969d5

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://kosherbansko.com/vozrhzftc/44260.7283011574.dat
xlm40.dropper

http://beautyhair.by/rkqhopvrb/44260.7283011574.dat
xlm40.dropper

http://trysaileggplants.com/xbbomazcknz/44260.7283011574.dat
xlm40.dropper

http://giftcard16.com/pghxph/44260.7283011574.dat
xlm40.dropper

http://www.ausfencing.org/jqikucbefrth/44260.7283011574.dat

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Debt-Details-1318148499-03052021.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\Vijaser.lasjr,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:524
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\Vijaser.lasjr1,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:1648
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\Vijaser.lasjr2,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:924
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\Vijaser.lasjr3,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:836
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\Vijaser.lasjr4,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/524-6-0x0000000000000000-mapping.dmp
    Download
  • memory/524-7-0x0000000075C61000-0x0000000075C63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/664-14-0x0000000000000000-mapping.dmp
    Download
  • memory/776-2-0x000000002F5C1000-0x000000002F5C4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/776-3-0x0000000071191000-0x0000000071193000-memory.dmp
    Filesize

    8KB

    Download
  • memory/776-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/836-12-0x0000000000000000-mapping.dmp
    Download
  • memory/924-10-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-8-0x0000000000000000-mapping.dmp
    Download
  • memory/1808-5-0x000007FEF72E0000-0x000007FEF755A000-memory.dmp
    Filesize

    2.5MB

    Download