Analysis

  • max time kernel
    135s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    02-02-2022 18:10

General

  • Target

    https://mainpagedir.xyz/invoice.xll

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs
  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://mainpagedir.xyz/invoice.xll
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4032
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 49bd8ead47b544cbf9c44a3618cbf6bb qR3WV0VRTkOYWAWJaXJdow.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1180
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:944
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3456

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/944-145-0x000001BDF7850000-0x000001BDF7854000-memory.dmp
    Filesize: 16KB
  • memory/3456-146-0x00007FFBF1030000-0x00007FFBF1040000-memory.dmp
    Filesize: 64KB
  • memory/3456-147-0x00007FFBF1030000-0x00007FFBF1040000-memory.dmp
    Filesize: 64KB
  • memory/3456-148-0x00007FFBF1030000-0x00007FFBF1040000-memory.dmp
    Filesize: 64KB
  • memory/3456-149-0x00007FFBF1030000-0x00007FFBF1040000-memory.dmp
    Filesize: 64KB
  • memory/3456-150-0x00007FFBF1030000-0x00007FFBF1040000-memory.dmp
    Filesize: 64KB
  • memory/3456-151-0x00007FFBEEC90000-0x00007FFBEECA0000-memory.dmp
    Filesize: 64KB
  • memory/3456-152-0x00007FFBEEC90000-0x00007FFBEECA0000-memory.dmp
    Filesize: 64KB