Resubmissions

03-06-2021 10:37

210603-tks7epc9ka 10

01-06-2021 16:54

210601-fpxsgwd8p2 10

Analysis

  • max time kernel
    72s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    01-06-2021 16:54

General

  • Target

    document-37-1849.xls

  • Size

    187KB

  • MD5

    c41a21a821bcdea1d3ab26ebef055eed

  • SHA1

    912c8c1792dd33bac263df4b71242078d74741e9

  • SHA256

    d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8

  • SHA512

    ed665e9a7d3e950318628ad4ea112da063e4f156ea7d2d58fbeaa31cc2486c7d2debb779da72723d8f55bdec6b9a4b87f9d148c50b0a368c4bc5b59ac646a42a

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel

Signatures

  • DoubleBack

    DoubleBack is a modular backdoor first seen in December 2020.

  • DoubleBack x64 Payload 2 IoCs
  • DoubleBack x86 Payload 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-37-1849.xls
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
      2⤵
      • Process spawned unexpected child process
      PID:1060
    • C:\ycjqFXSM\kO2NIybn\pDImcT.exe
      "C:\ycjqFXSM\kO2NIybn\pDImcT.exe" C:\ycjqFXSM\kO2NIybn ALHJ zqtRI
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll

    MD5

    9171c8fc7d3b2aeb3763d477d5718b1d

    SHA1

    8a6363175e7d7d4726865334e3652dd0fc9de35c

    SHA256

    83e0d55b4cd73be3bf89729408e8f62b1533becf3478ce5666317c3f4561ca0d

    SHA512

    cabce59102c66e1e123ba84417dba93c7b993b69daf981d52b6a976e12a7dc802f770fb6ba1de4a3667a49b938463891d40d632b0d55d602dee3716a46a5a8d9

  • C:\ycjqFXSM\kO2NIybn\pDImcT.exe

    MD5

    7f7f391491c315a4a72efcac0d34fa93

    SHA1

    20a18c7ea14f4e1d3044091b46d6e862b6f38708

    SHA256

    022577f47fb074b7d942c8f01daac778b110a373de03b3b5043e887995b09d52

    SHA512

    78d39d7fd02d4f6ca0e13d0eacadc842d5a104c31342202875f84a69c310ecf6d4dcc8f00e95b09de936922be0312cf956c5e955254a99113efb3f51e26c082e

  • C:\ycjqFXSM\kO2NIybn\pDImcT.exe

    MD5

    7f7f391491c315a4a72efcac0d34fa93

    SHA1

    20a18c7ea14f4e1d3044091b46d6e862b6f38708

    SHA256

    022577f47fb074b7d942c8f01daac778b110a373de03b3b5043e887995b09d52

    SHA512

    78d39d7fd02d4f6ca0e13d0eacadc842d5a104c31342202875f84a69c310ecf6d4dcc8f00e95b09de936922be0312cf956c5e955254a99113efb3f51e26c082e

  • \ycjqFXSM\kO2NIybn\mozsqlite3.dll

    MD5

    9171c8fc7d3b2aeb3763d477d5718b1d

    SHA1

    8a6363175e7d7d4726865334e3652dd0fc9de35c

    SHA256

    83e0d55b4cd73be3bf89729408e8f62b1533becf3478ce5666317c3f4561ca0d

    SHA512

    cabce59102c66e1e123ba84417dba93c7b993b69daf981d52b6a976e12a7dc802f770fb6ba1de4a3667a49b938463891d40d632b0d55d602dee3716a46a5a8d9

  • \ycjqFXSM\kO2NIybn\pDImcT.exe

    MD5

    7f7f391491c315a4a72efcac0d34fa93

    SHA1

    20a18c7ea14f4e1d3044091b46d6e862b6f38708

    SHA256

    022577f47fb074b7d942c8f01daac778b110a373de03b3b5043e887995b09d52

    SHA512

    78d39d7fd02d4f6ca0e13d0eacadc842d5a104c31342202875f84a69c310ecf6d4dcc8f00e95b09de936922be0312cf956c5e955254a99113efb3f51e26c082e

  • memory/948-66-0x0000000000000000-mapping.dmp

  • memory/948-68-0x0000000075801000-0x0000000075803000-memory.dmp

    Filesize

    8KB

  • memory/1060-63-0x0000000000000000-mapping.dmp

  • memory/1832-60-0x000000002F7F1000-0x000000002F7F4000-memory.dmp

    Filesize

    12KB

  • memory/1832-61-0x00000000713C1000-0x00000000713C3000-memory.dmp

    Filesize

    8KB

  • memory/1832-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB