Overview

overview

10

Static

static

8

df2070a83a...06.xls

windows7_x64

10

df2070a83a...06.xls

windows10-2004_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df2070a83a8dc588d12e09c9c18e41a7464584dcf13dcb23de4c2b49bc29b206.xls

  • Size

    940KB

  • MD5

    bd4d3897b916b08db608453fbd976f35

  • SHA1

    396bbf122e3ea69e886c1dcb39fbb1cfe028f78c

  • SHA256

    df2070a83a8dc588d12e09c9c18e41a7464584dcf13dcb23de4c2b49bc29b206

  • SHA512

    7cab748e296f440ce762e099a92c8bcd2e57dee177cd3cf1f9e476983739b6a9a0d8931aa072aa6fe2054ea4052c5d20092f1f5112a3f1503c980d7eb1856e90

Score
10/10
ta505upx

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • TA505

    Cybercrime group active since 2015, responsible for families like Dridex and Locky.

    ta505
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\df2070a83a8dc588d12e09c9c18e41a7464584dcf13dcb23de4c2b49bc29b206.xls
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1564

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\contract_.dll
    Filesize

    328KB

    MD5

    2b111f00ad27acb2e312c693e9901f54

    SHA1

    3af7391cb25b2ebcab1c5b014a61af7d4b718f1a

    SHA256

    90517af7a1a1a468bea6ea125f2f32ba021bfaa9593fda800067e1a47bc2228a

    SHA512

    73a022859d1874e57e51ed7780a656f3ee66cb9ddd14749adbe31f2e45c06af99b33ac465dfdb8ff32588d8f159e81682fb08721480a3b4e927d186c1e05cf78

    Download Submit

  • memory/1564-57-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1564-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1564-54-0x000000002FB61000-0x000000002FB64000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1564-58-0x000000007263D000-0x0000000072648000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1564-60-0x00000000005A2000-0x00000000005A6000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1564-59-0x00000000005A2000-0x00000000005A6000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1564-62-0x00000000005A2000-0x00000000005A6000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1564-61-0x00000000005A2000-0x00000000005A6000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1564-55-0x0000000071651000-0x0000000071653000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1564-64-0x0000000010000000-0x0000000010053000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1564-65-0x000000007263D000-0x0000000072648000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1564-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1564-67-0x000000007263D000-0x0000000072648000-memory.dmp

    Filesize

    44KB

    Download