Overview

overview

10

Static

static

8

37be65afd0...ca.xls

windows7-x64

10

37be65afd0...ca.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37be65afd0a78c66d9e4957443c84ea013a6971c521175fd9c698fa16409d9ca.xls

  • Size

    826KB

  • MD5

    42ab5657763256ec9edb0610deac2938

  • SHA1

    1a9dae387f57bc924e52515965c84920bee2fbfc

  • SHA256

    37be65afd0a78c66d9e4957443c84ea013a6971c521175fd9c698fa16409d9ca

  • SHA512

    17762ffe7c7e2da720efdf0924adc9c5250f18e3002b5cc5e1e8db0952f6aa0d89cc22fdb2a7efcd54ff201c1bba17e7ee6dfdb6ad47d8bcbc6d45999651ef1f

  • SSDEEP

    6144:5k3hOdsylKlgryzc4bNhZF+E+W2kQCAH8SD4HW44KwACfnVIGI70:tCCD

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\37be65afd0a78c66d9e4957443c84ea013a6971c521175fd9c698fa16409d9ca.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\load.txtpin.jse"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\load.txtpin.jse
    Filesize

    773KB

    MD5

    4398e68cbe6d058d60bcafb87a543d7a

    SHA1

    f649a164561348dde829c23806f16d7ad55966f0

    SHA256

    a295eaf45edfa37886a49288fc06af0fbd2cf1a41b98a0b0d55beb1e7cc3aff7

    SHA512

    9292c8a3292e155aaab0f2d9a4681174082c8e6fb71d2621d55b71366331091419233ac1405bac3bf0c93362b224f0b63416353f3d906b57ad6493ecf9fb2838

    Download Submit
  • memory/568-99-0x0000000000000000-mapping.dmp
    Download
  • memory/1640-77-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-62-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-79-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-59-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-60-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-61-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-63-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-78-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-64-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-65-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-67-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-66-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-54-0x000000002FCB1000-0x000000002FCB4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1640-69-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-71-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-72-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-73-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-74-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-75-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-76-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-68-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-57-0x0000000071E5D000-0x0000000071E68000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1640-58-0x0000000075071000-0x0000000075073000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1640-81-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-82-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-83-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-84-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-85-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-86-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-87-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-88-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-89-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-92-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-93-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-91-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-97-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-98-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-96-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-95-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-94-0x0000000000712000-0x0000000000716000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1640-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1640-55-0x0000000070E71000-0x0000000070E73000-memory.dmp
    Filesize

    8KB

    Download