Overview

overview

10

Static

static

8

Documents_...46.xls

windows7_x64

10

Documents_...46.xls

windows10_x64

10

Resubmissions

12-03-2021 15:02

210312-dhkaaa3tl2 10

12-03-2021 14:44

210312-hztk9z9xv6 10

Analysis

  • max time kernel
    140s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-03-2021 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents_2107120546.xls

  • Size

    273KB

  • MD5

    ab63a0153a6fe4e139ad83a6ffbab090

  • SHA1

    1995e0863944a36b315a04b3ad7d073d50e16d05

  • SHA256

    3e43ec6538c8a8e0e3eee05ddfe1f304e9d42c9647c7df186c61c5e2d3c6218d

  • SHA512

    b2bd1ed261d87760265f82304f6feb4981d994217350325bb3e8715355f8acdeb782936861b18513544f8873ee344699670415d3e74798fa18ac256dad200a78

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents_2107120546.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\sfdgsd.dss,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 ..\sfdgsd.dss,DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of AdjustPrivilegeToken
          PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\sfdgsd.dss
    MD5

    c6b02277b3dd7e0fd1133cf9290cdef6

    SHA1

    754cc1546ceafe9f62db188e214d5696aed609d5

    SHA256

    d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c

    SHA512

    e5702c48ce1dcdde8c059502f4c316ec31dd02ff0995ce33ebadbca913d31d0e213089c162e8cdbe356f7ca806e00ffe5f00f4ccc7ed97b6a09966fad392a701

    Download Submit
  • \Users\Admin\sfdgsd.dss
    MD5

    c6b02277b3dd7e0fd1133cf9290cdef6

    SHA1

    754cc1546ceafe9f62db188e214d5696aed609d5

    SHA256

    d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c

    SHA512

    e5702c48ce1dcdde8c059502f4c316ec31dd02ff0995ce33ebadbca913d31d0e213089c162e8cdbe356f7ca806e00ffe5f00f4ccc7ed97b6a09966fad392a701

    Download Submit
  • memory/296-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1048-5-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1048-6-0x00007FFA6A5A0000-0x00007FFA6ABD7000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1048-2-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1048-4-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1048-3-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3028-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3028-11-0x0000000073DF0000-0x0000000073E19000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3028-12-0x0000000000C10000-0x0000000000C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3868-13-0x0000000000000000-mapping.dmp
    Download
  • memory/3868-14-0x0000000003210000-0x0000000003239000-memory.dmp
    Filesize

    164KB

    Download