Overview

overview

10

Static

static

8

catalog-10...1.xlsm

windows7_x64

10

catalog-10...1.xlsm

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-04-2021 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    catalog-1005288061.xlsm

  • Size

    109KB

  • MD5

    fc37bfa1cfb3ba7096846d98b91d6b75

  • SHA1

    714d99891d3f570eed053ae8aee0c215e470da94

  • SHA256

    4aa1b8d61bdb6cf73b3986bec76d81dd03573b694b58372144dc85972dc9387f

  • SHA512

    d97dc445f8c52b3c6059cd2bb643d5f5bb89a4371e5eddbf5031086d23053878339987a75121e376991838fea1d2ad451d687d45849269c4398ed8b32349565b

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://immobiliareneri.casa/drms/ind.html
xlm40.dropper

https://gidbasket.com/drms/ind.html

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\catalog-1005288061.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\duron.bnm1,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:620
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\duron.bnm2,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/620-62-0x0000000000000000-mapping.dmp
    Download
  • memory/620-63-0x0000000075551000-0x0000000075553000-memory.dmp
    Filesize

    8KB

    Download
  • memory/732-64-0x0000000000000000-mapping.dmp
    Download
  • memory/788-59-0x000000002FB81000-0x000000002FB84000-memory.dmp
    Filesize

    12KB

    Download
  • memory/788-60-0x0000000071391000-0x0000000071393000-memory.dmp
    Filesize

    8KB

    Download
  • memory/788-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download