Overview

overview

10

Static

static

3432.xlsx

windows7_x64

10

3432.xlsx

windows10-2004_x64

10

decrypted.xlsx

windows7_x64

10

decrypted.xlsx

windows10-2004_x64

6

Analysis

  • max time kernel
    126s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-07-2022 14:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decrypted.xlsx

  • Size

    125KB

  • MD5

    32de988dac33588f013a37a83521a265

  • SHA1

    13f646dff9f54c52a535b03bf0a1ba803f9eadf8

  • SHA256

    54e48efba5879846c7fece3d715d474532dc23fbe321b7d72d1c473c04a4fee8

  • SHA512

    c9a718b9560336359fb483952d55c04ad583b257761994228e811912de7d1fa499c51794ed532a501004975545444204c4137800d04441a3843d8b5c8b7066fa

Score
10/10
googlephishing

Malware Config

Signatures

  • Detected google phishing page
    phishinggoogle
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/v3/signin/identifier?dsh=S688239817%3A1657636609502463&continue=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&followup=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AX3vH3-Wt9gj0yZ-mLdPJPxnQqX3YllZ3by2OORk7h25Srd8nt8d8NaBDk0Ms5e0BVVLVUxcxCEwlw
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    e4bf91bddcb594ce03b19a0766b7e082

    SHA1

    883aa813de71f04406b7fdf24ad0ee3b76585745

    SHA256

    2fa63b331a7664f45a8cffd1b8aa8cfd1b66cfdea8a59f17806b52159ff678d9

    SHA512

    6a0d03940be8be33df3520703d2509e0f1dcaee8e4548c9a00e1b88c1fc8e448ec1825f610214e43566b5b54620bfab5a6749cd0f24ee5c1002352537a435bbf

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_D286E324D13B58F35DA77B01A840D7C0
    Filesize

    472B

    MD5

    b4447af54ff22e7bf5dc6db8992b8eb4

    SHA1

    81688ab45d876c3aa458b5167f9da115c1ac4614

    SHA256

    034c27e0d12b889b7a4578424eac67a0a390af43ae453d2e89586a344892cd48

    SHA512

    07e3f89e46e0b287b4dae5dd27e0cab5fae7eabbcbb1113f0670512298e7dca01b7044062ed380ad7e9e30f1c03212da852433e75e532330ba6b785d1239b119

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize

    724B

    MD5

    5a11c6099b9e5808dfb08c5c9570c92f

    SHA1

    e5dc219641146d1839557973f348037fa589fd18

    SHA256

    91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

    SHA512

    c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    068cb6625ee7a563f1c0511275cb0625

    SHA1

    528e2d8d97021998a6d234675968974c5def4cd7

    SHA256

    c546877ee1f4ce7f5534fefd8c46052b679120e478cd557f4b36b3c563eb031a

    SHA512

    a25994d820592e8798dd09c682e3c47012686f49e1994fa18e1af7d6c35b61282eb54160fbc9e1739f345ef46f8fc435839612bfbe4132d5fe3d0ab8121a354a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_D286E324D13B58F35DA77B01A840D7C0
    Filesize

    406B

    MD5

    d6ae6a97cb9e547ccf0a877ea1b83af3

    SHA1

    ea2848f98196323a0344896d831a24bd5a8ea012

    SHA256

    2816c5afbd3b2d8eff9701a8df7d3f88de050b1c463f305f7e42230edf6da362

    SHA512

    a1ab2fee2a9d98293a1c56a3554f3dab29f3c855a789bff45cc5c5cceacfbef574418fbdf9c57f338eabedbf78a9cb0fcd862aa64727fd0cfbd9b7c955dcda5e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    266f9081feda7ebb42a3a9d08ac6157f

    SHA1

    1054ee87cd7c059892cfe28e0c9eb00a26aea11c

    SHA256

    7a89097eba8083cc73a69e3588224ae3a1b88adc5a4696916d526d3fd5876bc4

    SHA512

    afdba0b10dd7b4d40f1984be0039d655bdbe7763c0f3fec41dd6182545bdedc7e87bff92b03b556191f94b9e05a5ea1741acf484eb6dadb8bea5350866f34edd

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize

    392B

    MD5

    36bdba841cff4c3d74653543ab464d4d

    SHA1

    47776367294c203c3d53b5e96ab171b54a167efa

    SHA256

    dee65d4d298b98fd0a5afb49833e04b93e21fcda098c020eb9f7de6a49a5ae13

    SHA512

    b7ecc75ab565278872295e7b9c531ac94931df828ada8f31aeded03b6f3f6a8c41ae55674be00cbdfa9be5a85d1fa666fcd8167b06d82155ee1c5d7990f8f615

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
    Filesize

    9KB

    MD5

    2fd5c7466cb00d966b9f0f6a0c5520de

    SHA1

    86db334ab1ab776a7c4f6e794ee0048461181661

    SHA256

    c6fcaccb79b241e40022cf1fa37d1a4214a7c878f908596a74b0bbfba34a6c15

    SHA512

    301df6b012563896f89c18cee1eddd8c79a43cd3744b7d322372e7586a1cccaac9c7062387ca821eb314c038cb2e3df2dc2dc75cd143a9429ab33763cb904734

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1W9IN499.txt
    Filesize

    605B

    MD5

    d752e2269e55cd89d762b400d7082cfd

    SHA1

    a1d7aea6f1a69b742251e28f47e26ad3702de39f

    SHA256

    c409e66125a87269e939ce298306cbc2df78c1dcfb2c1537855ff82368045dbc

    SHA512

    74af2cf03cb2af610f4db56bcc224634e45e2661cf46575a909d36eca31b00d030bd0a0056534d1a426be79e7513358f3fb55b3cab1cf45a66eabfc7441f69f2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JDX19RF0.txt
    Filesize

    238B

    MD5

    a38e28a75a88e2492cd45dd4572b949b

    SHA1

    5667bf237ad04cffd1e86f4e523f7a47174ebb06

    SHA256

    e0c6f7ac1384d982fbe85f068afc6c4b20afb81d416d6687b41dbbde213404b2

    SHA512

    0b282b04ce936d7e264d9362f85558208c541c9c36cc1bf62069710c581ee52b787170dcf1ec43e21fe6c3f941c2e31e7249cb547d21eb4382978e00c1b6d59e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JY0HGVU6.txt
    Filesize

    130B

    MD5

    4a5455c404c9627fbb1a4f052acace8c

    SHA1

    f46978454e9764da9289cf84e6614ab2762de2a3

    SHA256

    d157a61808fa4bc7049c211fd23ab577c8418a64d864847226614fe20745e5d2

    SHA512

    e552afa762451707d6570c54730ef84e61ca52cece8d5deb42dd229546f33f026a78894db76a58a49b8c33cc189774f5855b4f577a025e7c515e82ee9d47621e

    Download Submit
  • memory/1640-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1640-59-0x00000000728ED000-0x00000000728F8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1640-55-0x0000000071901000-0x0000000071903000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1640-54-0x000000002FEC1000-0x000000002FEC4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1640-58-0x00000000762C1000-0x00000000762C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1640-57-0x00000000728ED000-0x00000000728F8000-memory.dmp
    Filesize

    44KB

    Download