Overview

overview

10

Static

static

8

7af28b6af5...f3.xls

windows7-x64

10

7af28b6af5...f3.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7af28b6af51c21236e8dae283be35d078a9b412b918a5595bfaa4722231e1af3.xls

  • Size

    287KB

  • MD5

    3f80214290751d891dddf50abe200ad8

  • SHA1

    0de99d5d3bce055876174ba6fac4df24f1320375

  • SHA256

    7af28b6af51c21236e8dae283be35d078a9b412b918a5595bfaa4722231e1af3

  • SHA512

    81dae2eb33499d1360226e657c421745f7ed92ce99a16bcf9cd6fcd57389464429e4eaacc70132f09ed30ed3dc586cc903cd8896563688f15a9545143d221b2f

Score
10/10
ta505

Malware Config

Signatures

  • TA505

    Cybercrime group active since 2015, responsible for families like Dridex and Locky.

    ta505
  • Loads dropped DLL 1 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7af28b6af51c21236e8dae283be35d078a9b412b918a5595bfaa4722231e1af3.xls
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
      "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1536
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 1536
        3⤵
          PID:760

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\carpc1.dll
      Filesize

      80KB

      MD5

      2583a5ed70dcec569898071601682277

      SHA1

      e86b38c221b40d464f07362f8722571ab95fd241

      SHA256

      0683d9f225d54d48081f53abd7d569b32bc153d98157a5a6b763bc3cf57a6ad6

      SHA512

      dade5dba14e96cc379796ba03da926b0157f148bcfbe24085f297bdee7132ccfbea4380da34efc10aed320968376eb0de5ba0fe79b2c4a54a3da6aaff1ee74c2

      Download Submit

    • memory/1168-70-0x00000000007BF000-0x00000000007C3000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1168-57-0x000000007273D000-0x0000000072748000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1168-58-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1168-59-0x000000007273D000-0x0000000072748000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1168-54-0x000000002FFF1000-0x000000002FFF4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1168-69-0x00000000007BF000-0x00000000007C3000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1168-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1168-72-0x0000000006290000-0x0000000006EDA000-memory.dmp

      Filesize

      12.3MB

      Download

    • memory/1168-73-0x0000000006290000-0x0000000006EDA000-memory.dmp

      Filesize

      12.3MB

      Download

    • memory/1168-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1168-55-0x0000000071751000-0x0000000071753000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1168-79-0x000000007273D000-0x0000000072748000-memory.dmp

      Filesize

      44KB

      Download