Overview

overview

10

Static

static

recital-12...46.xls

windows7_x64

10

recital-12...46.xls

windows10_x64

10

Resubmissions

29-09-2021 11:34

210929-npjzxsegd8 10

29-09-2021 11:21

210929-nf5j9sehdj 10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    29-09-2021 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    recital-1267320846.xls

  • Size

    244KB

  • MD5

    fa6369788a5f5490d4c506e65b82a166

  • SHA1

    f12d615a708cd6e83c669e3a16c1bebbf2510718

  • SHA256

    3f3f21189390158abe6d01848ce995c762f3b0e908ea27192778effb160a6014

  • SHA512

    a0cf692797d8a9c232de08f15fe251380cdeb54835f5025a5605782d5a55fe4975a0d3fc2174093350b7d533a55ac2bbbea7dbf443a3389abf8c559c1e0f63e9

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://gillcart.com/Cdpmoyhr/key.xml
xlm40.dropper

https://geit.in/MeOlE9Xxd/key.xml
xlm40.dropper

https://mercanets.com/9DPZqAfZdq5z/key.xml

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\recital-1267320846.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1880
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
      2⤵
      • Process spawned unexpected child process
      PID:1300
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
      2⤵
      • Process spawned unexpected child process
      PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/552-60-0x0000000000000000-mapping.dmp
    Download
  • memory/552-64-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1300-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1300-59-0x0000000075661000-0x0000000075663000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1300-65-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1724-54-0x000000002F901000-0x000000002F904000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1724-55-0x00000000716A1000-0x00000000716A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1724-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1880-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1880-63-0x0000000000310000-0x0000000000311000-memory.dmp
    Filesize

    4KB

    Download