Resubmissions

14-06-2021 18:45

210614-yr76sav7we 10

11-06-2021 09:53

210611-mdzv8f2mls 10

Analysis

  • max time kernel
    120s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-06-2021 09:53

General

  • Target

    audit-1290630629.xlsb

  • Size

    155KB

  • MD5

    4ba1fbc31761dc93b3957d77e6d87bb6

  • SHA1

    65843c8d1e72ef009e88093d7cbe74b22af217e6

  • SHA256

    b3adb44ad0055c7118d70dc49b3ff4ed51208f740e9dbc3f5041e7f5baa2589c

  • SHA512

    785c34e09dbd9a629c5e56ee7da4a9032945ccf095fe60c5e45d8436b426909301a6d7a8414f89b5f7406ddafd8fce1a0ea48d743de0b45608ad8c229c4b4437

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source: xlm40.dropper
    URLs: https://shadiinfo.com/2DP6mQeg/pt.html
  • Source: xlm40.dropper
    URLs: https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\audit-1290630629.xlsb
    1⤵
    PID: 1032
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID: 1428
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 -s ..\covi1.dll
      2⤵
      PID: 760
      • Process spawned unexpected child process
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 -s ..\covi2.dll
      2⤵
      PID: 1140
      • Process spawned unexpected child process

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1


Downloads

  • memory/760-65-0x0000000000000000-mapping.dmp
  • memory/760-66-0x0000000075591000-0x0000000075593000-memory.dmp (8KB)
  • memory/1032-60-0x000000002FFB1000-0x000000002FFB4000-memory.dmp (12KB)
  • memory/1032-61-0x0000000071191000-0x0000000071193000-memory.dmp (8KB)
  • memory/1032-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/1140-67-0x0000000000000000-mapping.dmp
  • memory/1428-63-0x0000000000000000-mapping.dmp
  • memory/1428-64-0x000007FEFB991000-0x000007FEFB993000-memory.dmp (8KB)