ta505 | db92aa79b35ef1aeceb4982d900ffbc1ee756b5e403095e0f7b9cba93f258391

Analysis

max time kernel
152s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db92aa79b35ef1aeceb4982d900ffbc1ee756b5e403095e0f7b9cba93f258391.xls
Size

282KB
MD5

21f24bec513e1787ddfc009cc1a05bd6
SHA1

780a483194d2224130e9a5f4c132c4443e2b32d5
SHA256

db92aa79b35ef1aeceb4982d900ffbc1ee756b5e403095e0f7b9cba93f258391
SHA512

23ab58256954c8a36f17e65d0b6703c82406e597b0dc5ddbd0080300efa86ba651af5279cc90aaeebce44c3378d237a705e70979add82d7a65505732fe5dbb32

Score

10^/10

ta505

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

Loads dropped DLL 1 IoCs

pid	Process
3784	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{D730EC2B-235F-49C5-A0B8-C43A861365F9}\E12BD00A.png:Zone.Identifier	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3784	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3784	EXCEL.EXE
3784	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3784	EXCEL.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 5024	3784	EXCEL.EXE	87
PID 3784 wrote to memory of 5024	3784	EXCEL.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\db92aa79b35ef1aeceb4982d900ffbc1ee756b5e403095e0f7b9cba93f258391.xls"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\masterbox2.dll

Filesize
64KB

MD5
5467e81b6c5417af0dcc566605b13481

SHA1
eeecc25656f290630dcfe30218cdb69bb0f316aa

SHA256
257bee57c5cac49ce0b5f9b160a3aaafde703ecc036cf4cf32975fc08c7f445e

SHA512
baf888cd4fcd929b973fedbb791d5e1e320fd4fff0aa15372fa94a0d898e9942ac80bf8965caa5dc8565077ee9928aa6fa3997d7ab114914a08bd863a8789c48

Download Submit
memory/3784-133-0x00007FF869390000-0x00007FF8693A0000-memory.dmp

Filesize
64KB

Download
memory/3784-132-0x00007FF869390000-0x00007FF8693A0000-memory.dmp

Filesize
64KB

Download
memory/3784-130-0x00007FF869390000-0x00007FF8693A0000-memory.dmp

Filesize
64KB

Download
memory/3784-134-0x00007FF869390000-0x00007FF8693A0000-memory.dmp

Filesize
64KB

Download
memory/3784-135-0x00007FF866A80000-0x00007FF866A90000-memory.dmp

Filesize
64KB

Download
memory/3784-136-0x00007FF866A80000-0x00007FF866A90000-memory.dmp

Filesize
64KB

Download
memory/3784-137-0x00000198E3280000-0x00000198E3284000-memory.dmp

Filesize
16KB

Download
memory/3784-131-0x00007FF869390000-0x00007FF8693A0000-memory.dmp

Filesize
64KB

Download
memory/3784-140-0x0000000070E20000-0x0000000070E3E000-memory.dmp

Filesize
120KB

Download
memory/3784-141-0x00000198E5230000-0x00000198E5233000-memory.dmp

Filesize
12KB

Download
memory/3784-142-0x0000000070E20000-0x0000000070E3E000-memory.dmp

Filesize
120KB

Download