Overview

overview

10

Static

static

8

Documents_...89.xls

windows7_x64

10

Documents_...89.xls

windows10_x64

10

Analysis

  • max time kernel
    86s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-05-2021 05:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents_593342397_2054746689.xls

  • Size

    293KB

  • MD5

    389033e6344dfd187f5e11eb84879faf

  • SHA1

    49e245741d6f4529e729da82573f950e91716e8e

  • SHA256

    28aa0371eff399c03d0ba976b8ecd3eb2c191fccd52775c669e37bdfa5eef0bd

  • SHA512

    ad8bd29be1b13972db777013e4c5c04be9fd3b66c09efd4a285e83bd6936801258604fcdcd28c3678ff7879f9c7056f28e8136bf037573cad168296821c33695

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://atlantisprojects.ca/cheryasd.dll

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 63 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Documents_593342397_2054746689.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\fmfkdnsm.nnd,StartW
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\system32\rundll32.exe
        rundll32 ..\fmfkdnsm.nnd,StartW
        3⤵
        • Loads dropped DLL
        PID:468
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
      PID:1712

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\fmfkdnsm.nnd
      MD5

      5f36a28c2dcba68802994d1b4873e41e

      SHA1

      84ce20644fb36b7059d58125da8c900dbf73ba21

      SHA256

      42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6

      SHA512

      3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

      Download Submit
    • \Users\Admin\fmfkdnsm.nnd
      MD5

      5f36a28c2dcba68802994d1b4873e41e

      SHA1

      84ce20644fb36b7059d58125da8c900dbf73ba21

      SHA256

      42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6

      SHA512

      3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

      Download Submit
    • \Users\Admin\fmfkdnsm.nnd
      MD5

      5f36a28c2dcba68802994d1b4873e41e

      SHA1

      84ce20644fb36b7059d58125da8c900dbf73ba21

      SHA256

      42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6

      SHA512

      3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

      Download Submit
    • memory/468-66-0x0000000000000000-mapping.dmp
      Download
    • memory/932-62-0x0000000000000000-mapping.dmp
      Download
    • memory/932-63-0x0000000076281000-0x0000000076283000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-59-0x000000002F9F1000-0x000000002F9F4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2036-60-0x0000000071941000-0x0000000071943000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2036-68-0x00000000062F0000-0x00000000062F1000-memory.dmp
      Filesize

      4KB

      Download