Overview

overview

10

Static

static

8

a.xlsb

windows7_x64

10

a.xlsb

windows10_x64

10

Analysis

  • max time kernel
    72s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-06-2021 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a.xlsb

  • Size

    155KB

  • MD5

    79d94d53703ee58ab2aac1782cbd6939

  • SHA1

    16a918e278d56ed854a3314d2a4ea907001195fc

  • SHA256

    80afad8cad6c0a84c232d5d17354b11ff9e5920d65c2552047801bc73a8bec82

  • SHA512

    912a3ea6a5f75b35376ac34b03605ffd660376ad2f201648a0b73b79159c35f051842ba0585ad075bdd2424940dc671082f2cdf178e53c4c6cfdd072c3a7dcd9

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://shadiinfo.com/2DP6mQeg/pt.html
xlm40.dropper

https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1740
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 -s ..\covi1.dll
        2⤵
        • Process spawned unexpected child process
        PID:1684
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 -s ..\covi2.dll
        2⤵
        • Process spawned unexpected child process
        PID:548

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/548-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1684-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1684-66-0x00000000765F1000-0x00000000765F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1740-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1740-64-0x000007FEFC411000-0x000007FEFC413000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2004-60-0x000000002FF01000-0x000000002FF04000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2004-61-0x0000000071CC1000-0x0000000071CC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2004-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download