Overview

overview

10

Static

static

2180.xlsx

windows7_x64

2180.xlsx

windows10_x64

1

Analysis

  • max time kernel
    102s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-03-2021 15:59

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    2180.xlsx

  • Size

    38KB

  • MD5

    28d75c5b8fd1d80712f3b390ce304843

  • SHA1

    1dcc3d0c446cd7abbac118af64b49e5cb1cb97f0

  • SHA256

    a77a62810bde7745f7c7eb1311159c5291dcd06c70db3c8fe5d58aa989725192

  • SHA512

    a2e38b16e060b0e58452642804af6bc38cfccc9ac80506301b07a2199f593dd31d2a82e9c1851546c383d826a07a2a48328e82fb763634652c2631ccd4774aba

Score
10/10
macroxlm

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Suspicious Office macro 2 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 50 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2180.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.zoho.com/downloaddocument.do?docId=ib6t2197ba609615e4f72a497037ef60d925a
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1964
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\71335.doc"
        3⤵
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:608
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /vu "C:\Users\Admin\Downloads\71335.doc"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:600
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1596
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:848
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x5a0
      1⤵
        PID:1832
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1344

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9915FBCE5ECE56452A09FB65EDE2FAD2_8D1CA85B209F2F6A5A72F299949DF354
          MD5

          70d251f82ae25df5a0cabab075f19d97

          SHA1

          12918f71a7a2a1fb7df0903f71a71f6b9b1c0f83

          SHA256

          d1da5a5aae1ebc9617064e66fdddbd3ca46b7439b73386e130c6a9da44c82ce4

          SHA512

          3d009965285f30fae3da9380fa1142cc9ea933bd111ce6310d4cabc4d210c2d1269cb40d7db06f93e08314ef58606750ed49c72387fd14c710ae6fb0fd8be44a

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D93C575AD9E9AF9B95268A3CB953B5A1
          MD5

          0c34c7cf45afe00252fa2b6f1326ec26

          SHA1

          5a05e800712bfd57981f7f9577e97fc9b42653ee

          SHA256

          7befeb48e039ccba22f089871840b49b9bb383be4127ea1fcc454b5560e7b50b

          SHA512

          136ae2cdaf74346a14ac239ba23cc53fe9393329c2e56dd029f65a8a78e457b4e866a2b6562b807244af21042b03029ed2c70ee1668a8d62ebe7330ac4556892

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          f7b19e97a7a3eb7710bc54578fe3fffb

          SHA1

          1fe975744ac1252bc489c9b55e8fac7074aa86f4

          SHA256

          e0b3e0290ec5aacedd352a95f230091c7aa9abd642b362616d78463083efd6b9

          SHA512

          892d5383151bce299af2fb5b058bf824f7d6a21ec45d22a78758c093a024c6e1132c8e77de06598e0ed1fe1bee4bbfce237b8b761fc0dcbfcc9de378d630d354

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9915FBCE5ECE56452A09FB65EDE2FAD2_8D1CA85B209F2F6A5A72F299949DF354
          MD5

          2dc32939982ba38452f37eab16e3c0c6

          SHA1

          b143d360b6f6295f96b1dac37af19200ddf7613c

          SHA256

          6954f0b3abb734f1b207acdf89e06f60e3e54e0dd35cf589cf73f90f1ea8c2c5

          SHA512

          d694f1aa50995b51680e190408e5c47b0416343b69f8e5bb7ea2094c9a4eefd2fc7e8428c85853416234184adbc6f12ca74643bf61c7396b69229bc2113a16e5

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D93C575AD9E9AF9B95268A3CB953B5A1
          MD5

          12e4542bb8d59a8eea1400feefdfb8c0

          SHA1

          274ad2737e3e545e3655d9c27153816ffd1c7ff3

          SHA256

          c046d131e058c95f3abeb6813193d2b871600c3467930b4a7e55ea098f22e4ac

          SHA512

          233f3feeff82b879f1716b6ad4edb27076d77c389c118d226335e937f01fc7cf04d41d778b23aae6be757e1215033c5467fd3955cffd541f73c2d41633bd35ff

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\71335[1].xlsm
          MD5

          769b921e19de86a5c4e9f34b081ab0f9

          SHA1

          1fe3fc7318b99c947c3dd7093ad477be14ccf39a

          SHA256

          a2160fbbb43389a925f1ac3bb59f5dd994f469cbb40ebe9996228be7f89978a0

          SHA512

          1622834c25e0909074662a63372bb9d42472de47fe16d466fdf81cd36ec3b9ab96f163f1401cdf544b37cc428a98b1102982cc80729e781e95d205a5a86bfae5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
          MD5

          0b7ec7262e810831b8dd78dcaa472090

          SHA1

          b739038769542f4c1f74395dd27988fd3e8c22f3

          SHA256

          c120c962a6f030d8d021dca22472ee1c1854f878b3b0d2850208f4639fdcf1e4

          SHA512

          5846556071e0b03c430b2550836785fcb1fcdd0f3a8cd9a0ff5fb526e15f5a1697403701aa5fcfb7357b279fa159f0aabe9a17eaba898201a75640a106d9d0a3

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
          MD5

          dc5d0a4795fb7555e5f5b76419ce4745

          SHA1

          b37ef47e996d4155a854c4d64710da0a45a36b70

          SHA256

          bac8c338bd71e133a4824b57b18d2b2ac7a699e38451bda0cf15dac03bdd1188

          SHA512

          093c4172ad2f746599293ab9946ca6b25ebade6d5cb712620217d941fcea4aee10d0849c00a4ae40e132187432707e2691a99adc9d3a13150bb98f2adbff2d20

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IH0Z4K5A.txt
          MD5

          a558667a187f3193d546ac165b407fef

          SHA1

          35d3c9576f5ef5b74105b230ac9cb51f8ce52959

          SHA256

          f16dc5daa0dcca3c00eafa77ac312305a7e001b43a46d6836b316d27212c4aef

          SHA512

          66d546009d73641e49be2a9026a4aab21d6d29a58a12d2181223f2e9bd7a3dd077f8d626d11fb49e6c2e09c5dde3d2d817ba684aac1b523b31ffe7c02ee0b355

          Download Submit
        • C:\Users\Admin\Downloads\71335.doc.npu4nkh.partial
          MD5

          769b921e19de86a5c4e9f34b081ab0f9

          SHA1

          1fe3fc7318b99c947c3dd7093ad477be14ccf39a

          SHA256

          a2160fbbb43389a925f1ac3bb59f5dd994f469cbb40ebe9996228be7f89978a0

          SHA512

          1622834c25e0909074662a63372bb9d42472de47fe16d466fdf81cd36ec3b9ab96f163f1401cdf544b37cc428a98b1102982cc80729e781e95d205a5a86bfae5

          Download Submit
        • memory/528-6-0x0000000002060000-0x0000000002061000-memory.dmp
          Filesize

          4KB

          Download
        • memory/528-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/528-2-0x000000002F371000-0x000000002F374000-memory.dmp
          Filesize

          12KB

          Download
        • memory/528-3-0x0000000071C01000-0x0000000071C03000-memory.dmp
          Filesize

          8KB

          Download
        • memory/600-23-0x00000000694A1000-0x00000000694A4000-memory.dmp
          Filesize

          12KB

          Download
        • memory/608-18-0x0000000000000000-mapping.dmp
          Download
        • memory/608-19-0x00000000694C1000-0x00000000694C4000-memory.dmp
          Filesize

          12KB

          Download
        • memory/608-22-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/848-36-0x00000000027B0000-0x00000000027B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1120-5-0x000007FEF7D40000-0x000007FEF7FBA000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/1152-16-0x0000000004590000-0x0000000004591000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1152-8-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1152-7-0x0000000000000000-mapping.dmp
          Download
        • memory/1344-38-0x0000000002760000-0x0000000002761000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-30-0x000000002FB31000-0x000000002FB34000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1596-31-0x0000000072FA1000-0x0000000072FA3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1596-32-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1964-9-0x0000000000000000-mapping.dmp
          Download