Overview

overview

10

Static

static

Pending Pa...ce.xll

windows7_x64

10

Pending Pa...ce.xll

windows10-2004_x64

8

Analysis

  • max time kernel
    118s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-01-2022 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pending Payment Notice.xll

  • Size

    638KB

  • MD5

    d86d39b83dd3306e7296a0d0dcb80cc1

  • SHA1

    f5b791a3557d78cace3eec6ae18abde85ecb0ce5

  • SHA256

    9c862fc58921af61605e29d2bc0c639af68492669a4928e5334cc48bda6b79af

  • SHA512

    faa6c7caaa916342fd7e05cb45f1e3102630fde7d85526d2871d9eff2f930c8e301e562f9bec1c95c08bd614bd81920fdddb0483bcd92ca14f45c4e5d3ee3d5f

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs
    persistence
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pending Payment Notice.xll"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3780
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3156
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 63a78bae41297c0e49c0c3ebe1c1783a siIubRRiTk+y8IxrmhWjIw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:1588
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k wusvcs -p
      1⤵
        PID:3264

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3780-130-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-131-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-132-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-133-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-134-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-137-0x00007FFC593D0000-0x00007FFC593E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-138-0x00007FFC593D0000-0x00007FFC593E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-167-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-168-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-169-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3780-170-0x00007FFC5B430000-0x00007FFC5B440000-memory.dmp
        Filesize

        64KB

        Download