Overview

overview

10

Static

static

8

SecuriteIn...34.xls

windows7-x64

10

SecuriteIn...34.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2022 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.XLM.Trojan.Abracadabra.35.Gen.22744.9734.xls

  • Size

    280KB

  • MD5

    163633435ad30c62d8d13c2637bb90c8

  • SHA1

    18d75ca1a521a376700e1849812a2517bb8afd1a

  • SHA256

    b2206970ff901ea3cf498aac5c746394c96477e1f61e507d6717c07f285e783e

  • SHA512

    a6d3ff54e525bc0829086a80a3b963f54f36bbcad4bc4ad819a69612a913a4997e159775480e36e9339a9d93c9e0776d27e774974153ae44096ee38052db2cfd

  • SSDEEP

    6144:6cPiTQAVW/89BQnmlcGvgZ7rDjo8UOMzJK+tfq5M:5pC

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://deluciaspizza.com/netmouser.dll

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.XLM.Trojan.Abracadabra.35.Gen.22744.9734.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\fndskfnds.dfm,StartW
      2⤵
      • Process spawned unexpected child process
      PID:2124

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\fndskfnds.dfm
    Filesize

    1KB

    MD5

    fccf52fa4425baedefa90b77501400ee

    SHA1

    868863f9696f2692e2a86e2a067f268179b3b4ce

    SHA256

    9166f53a0dfd1d425365aad86feb3f379bd4d4bfa1658ea18f9ddb74032596b2

    SHA512

    5c490e92cabc6988a6837d4ef07027d3032da6527163995341eac9df2aa8e1292107a596d70215c1127237f40bb470b14e436c7e998bfcf9809f4f36db0686fe

    Download Submit

  • memory/1888-132-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-133-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-134-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-135-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-136-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-137-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-138-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-139-0x0000000000000000-mapping.dmp

    Download