Overview

overview

10

Static

static

Applicatio...3.xlsb

windows7_x64

10

Applicatio...3.xlsb

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ApplicationReject-887252173.xlsb

  • Size

    1.1MB

  • MD5

    b112fd7df986e3d613d78e630d3344e9

  • SHA1

    fba85b4bd2447de4a9b1a36fced6aaafd40bcfa5

  • SHA256

    66cd7db8994d7413e27ea4f3b1730e6e35e5deb0f2e2adebef9ae996edc61d20

  • SHA512

    1d6ab3e12c42c5948091be2ca79410228b88c377b05a4144acde44e7b15bf15a4a8aa6e7dc6e66cf58096f92bc56c2f690c7fed8b9f9bc809f62e309add7e7c9

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://103.155.93.53/975035438.dat
xlm40.dropper

http://87.236.146.69/975035438.dat
xlm40.dropper

http://94.140.114.172/975035438.dat

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ApplicationReject-887252173.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32 /s calc
      2⤵
      • Process spawned unexpected child process
      PID:1620
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32 C:\Rujiky\Ubada\Vertu.ooccxx
      2⤵
      • Process spawned unexpected child process
      PID:1644
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32 C:\Rujiky\Ubada\Vertua.ooccxx
      2⤵
      • Process spawned unexpected child process
      PID:556
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32 C:\Rujiky\Ubada\Vertub.ooccxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Rujiky\Ubada\Vertub.ooccxx
    Filesize

    962KB

    MD5

    b5de1af72fcdf348d2ef43e01ce3eaec

    SHA1

    d61a2809574fc84e953e04b320417eb88c4c87d0

    SHA256

    53ca9767b35e0f3a1a77623f8368a5ecee9aa4b1f9c295ae5416fa5cbd923190

    SHA512

    4b1cd98e82e6c66ad84cd6e595522d0a7420f837da5bcad3feaed10e4febcb4e48d8873277f8dd25e6772cea1a83ddf59b333de21a814ffc0f2751fa9b26362c

    Download Submit
  • \Rujiky\Ubada\Vertub.ooccxx
    Filesize

    962KB

    MD5

    b5de1af72fcdf348d2ef43e01ce3eaec

    SHA1

    d61a2809574fc84e953e04b320417eb88c4c87d0

    SHA256

    53ca9767b35e0f3a1a77623f8368a5ecee9aa4b1f9c295ae5416fa5cbd923190

    SHA512

    4b1cd98e82e6c66ad84cd6e595522d0a7420f837da5bcad3feaed10e4febcb4e48d8873277f8dd25e6772cea1a83ddf59b333de21a814ffc0f2751fa9b26362c

    Download Submit
  • memory/556-63-0x0000000000000000-mapping.dmp
    Download
  • memory/872-54-0x000000002F761000-0x000000002F764000-memory.dmp
    Filesize

    12KB

    Download
  • memory/872-55-0x0000000071391000-0x0000000071393000-memory.dmp
    Filesize

    8KB

    Download
  • memory/872-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/872-57-0x00000000764C1000-0x00000000764C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/872-58-0x000000007237D000-0x0000000072388000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1568-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1620-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1644-61-0x0000000000000000-mapping.dmp
    Download