Overview

overview

10

Static

static

8

plan-515372324.xlsb

windows7_x64

10

plan-515372324.xlsb

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    29-06-2021 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    plan-515372324.xlsb

  • Size

    155KB

  • MD5

    08e52afbefa423fb9f1ea0af88a4880e

  • SHA1

    2d688dfee28f75553bc1d3633f891d2e70e0408b

  • SHA256

    aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd

  • SHA512

    7a5400ec826ecaa0fa6a8beb9022bd9e918f11cf97e57d747477720889f7203af983620e2f7b543fb1ff5cc5a9eff13447d6353506c862dfe2ebd23b7a63dee8

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://khangland.pro/v8gEDeSB/sun.html

xlm40.dropper

https://jaipurbynite.com/stLdQs9R53/sun.htm

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\plan-515372324.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1696
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 ..\palpy1.dll
        2⤵
        • Process spawned unexpected child process
        PID:592
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 ..\palpy2.dll
        2⤵
        • Process spawned unexpected child process
        PID:1284

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/592-65-0x0000000074D91000-0x0000000074D93000-memory.dmp

      Filesize

      8KB

      Download

    • memory/592-69-0x0000000000170000-0x0000000000171000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-68-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-63-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1840-59-0x000000002FFD1000-0x000000002FFD4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1840-60-0x0000000070E81000-0x0000000070E83000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1840-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download