Overview

overview

8

Static

static

8

2339fed4b7...16.xls

windows7-x64

3

2339fed4b7...16.xls

windows10-2004-x64

3

Resubmissions

24-11-2022 06:51

221124-hmxkcaab5t 8

Analysis

  • max time kernel
    115s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516.xls

  • Size

    2.9MB

  • MD5

    fac06f63a30fcef45c3e7763442ed2ac

  • SHA1

    c968479775090d6e6a0e8c4f64f4abedd30d1031

  • SHA256

    2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516

  • SHA512

    cdc47aad19c03254aadc67df1486622029d2f7bae1b5ad717b966bdac193668b82edaf8bb09acc05b37d4299455ba90dc17f9ea937e139e701b4b5f0cea1a442

  • SSDEEP

    49152:U9pINpEYW5CFdwR3t1bqIMFDBj2XGjP/q+QxMO8w4Cfu2gwkOl0AyA:UzPIdwRPXy28/q+QxMOj3u2pkA0AX

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1776
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A10DD7CB-8DA9-441B-828B-3B5069AEF61E} S-1-5-21-575491160-2295418218-1540667289-1000:VZODHOJJ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\SYSTEM32\cmd.exe
      C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\pbs.bat"
      2⤵
        PID:300
      • C:\Windows\SYSTEM32\cmd.exe
        C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Music\pbs.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
          3⤵
          • Suspicious use of FindShellTrayWindow
          PID:1468
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn Tls_SSL /f
          3⤵
            PID:1692

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_.vbs
        Filesize

        394B

        MD5

        60b24b37aa7903b56417dd58bbebe79d

        SHA1

        f9903905822f5137daaf9b4c4e4ee77c7fa30d0c

        SHA256

        1eed3b5fb6950cfa605fd9e9842327b1fe1d123cb8a34d84bc1b778501288e4f

        SHA512

        8c350e94eeae83044a3ff38c0e5602c6869f968e8f46815d96ad22b53b13b5e12a2a0e5de163f537d7d13f67f2c5897f0fb71c0c1c4b89ab313d5ad246cf7c4f

        Download Submit
      • C:\Users\Public\Music\comd.pdf
        Filesize

        22KB

        MD5

        06e0d216969caa0dfd98269a860b153b

        SHA1

        5538a829186be3726ecc4f74a33a0eba65ba5246

        SHA256

        436228793e46a3ce7d96b08881c1e80e36c78d6877d0f1b8d34f15d541685441

        SHA512

        7c8e8b1a07dc963f304be3c36f2ee1ae53e396a7baf78c641088545f2ff77b20dd7c8dd9d8910a23b43a2f5b5fc0e76e5be528dad749a846e9a6437ca6b0375d

        Download Submit
      • C:\Users\Public\Music\comd.zip
        Filesize

        6KB

        MD5

        bc70155ae15384745ed54c75e64a742c

        SHA1

        fd395c0a97a2d9bbf2b81e340bde3d9ec343b1da

        SHA256

        bccd012a10654274fc9e8fe29ba1326c97ccbea4c5567799edc1444d94ad265d

        SHA512

        3c554df9dd621d4b0252bd257532fe1850683618d0e41cd3ca495c21cc6315905b20a548d328782c2f36065b6591a7458c447af478345217ef79b97979167f69

        Download Submit
      • C:\Users\Public\Music\pbs.bat
        Filesize

        806B

        MD5

        09c4c9515e23983c547900f8485b42aa

        SHA1

        1554e3394cde60e8098698d07b1adf4855c93f11

        SHA256

        d04eb5c19554dc86d2b717bf09b2f3eac545923165426df6630ad4b3e9788f73

        SHA512

        9b101eba85a4eb73b669b7fb6d8ff61d9ea9587df82257889f4dcd60556b2b01534a56eaa48e1a51eb82584419deebba2e036101100d5d41d8d352e76233a644

        Download Submit
      • memory/300-76-0x0000000000000000-mapping.dmp
        Download
      • memory/1468-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1468-81-0x000007FEFC011000-0x000007FEFC013000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1692-86-0x0000000000000000-mapping.dmp
        Download
      • memory/1700-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1776-57-0x0000000075E61000-0x0000000075E63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1776-58-0x00000000727ED000-0x00000000727F8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1776-54-0x000000002FCB1000-0x000000002FCB4000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1776-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1776-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1776-84-0x00000000727ED000-0x00000000727F8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1776-55-0x0000000071801000-0x0000000071803000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1776-75-0x00000000727ED000-0x00000000727F8000-memory.dmp
        Filesize

        44KB

        Download