Analysis

  • max time kernel: 149s
  • max time network: 30s
  • platform: windows7_x64
  • resource: win7-en-20210920
  • submitted: 30-09-2021 13:08

General

  • Target: Compensation-1093400938.xls
  • Size: 233KB
  • MD5: 9952a72e006111e4a9613c5bdbd7982f
  • SHA1: a642c5d809d3b2cad15f1ca0fb56a8bce54ca086
  • SHA256: 62d8610935ea360961511fa6361d82248dfdaae459bb6fab4bbc2f924627172c
  • SHA512: febd4bc0154ad140e9dcb9f5ba0464b9253b5e9df8a2c652252dba63f226d09c68f4b19d587476805591c1cb7f7041dc56d78908e03154a81ec2039b8016d6c2

Score
10/10

Malware Config

Extracted

  • Language: xlm4.0
  • Source: xlm40.dropper
  • URLs:
    • https://safalerp.com/J1wlINw7HtJ/siera.xml
    • https://godschildrenaf.org/qxwbRMzrqoWK/siera.xml
    • https://callgirlsandescortkenya.site/hllzvTuU/siera.xml

Signatures

  • Process spawned unexpected child process (3 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1124)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Compensation-1093400938.xls
    Signatures:
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Windows\SysWOW64\regsvr32.exe (PID 756)
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
      Signatures:
      • Process spawned unexpected child process
    • C:\Windows\SysWOW64\regsvr32.exe (PID 1228)
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
      Signatures:
      • Process spawned unexpected child process
    • C:\Windows\SysWOW64\regsvr32.exe (PID 920)
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
      Signatures:
      • Process spawned unexpected child process

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: Query Registry (T1012), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature

Downloads

  • memory/756-56-0x0000000000000000-mapping.dmp
  • memory/756-64-0x00000000001A0000-0x00000000001A1000-memory.dmp (4KB)
  • memory/920-58-0x0000000000000000-mapping.dmp
  • memory/920-59-0x0000000076201000-0x0000000076203000-memory.dmp (8KB)
  • memory/920-62-0x0000000000130000-0x0000000000131000-memory.dmp (4KB)
  • memory/1124-53-0x000000002FAD1000-0x000000002FAD4000-memory.dmp (12KB)
  • memory/1124-54-0x0000000071251000-0x0000000071253000-memory.dmp (8KB)
  • memory/1124-55-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/1228-57-0x0000000000000000-mapping.dmp
  • memory/1228-63-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)