Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220812-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    27-11-2022 11:42

General

  • Target

    2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a.xls

  • Size

    22KB

  • MD5

    013c90d7a07e365e82fd8ed0103efbe9

  • SHA1

    cf103af76d477d41d25b549c3a17569382631171

  • SHA256

    2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a

  • SHA512

    37777260556137d7a611a4702cfc91a66a993a58488c17735858fea027a15b0d9c788c38d687b56bfb9446d2d5a143624d6914a78a5d395692aac04e5ca7e00d

  • SSDEEP

    192:gx5Hh439gyLPUVWYqJo+kIy1PfT468H/y/VDCnnQn1bcYDHBjFNjZDa6X:I7WYqJofIypL46QaNGnQn1oYDHBp

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 112) launched wscript.exe (PID 580) on windows.vbs, a script written to the user's Temp directory.

  • Blocklisted process makes network request (2 IoCs)
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 112)
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a.xls
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\wscript.exe (PID 580, child of PID 112)
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\windows.vbs"
      • Process spawned unexpected child process
      • Blocklisted process makes network request

    Note that the command line names System32\wscript.exe while the image that actually ran is SysWOW64\wscript.exe: EXCEL.EXE here is the 32-bit Office14 build under Program Files (x86), so WoW64 file-system redirection applies. Detections keyed on the System32 path alone would miss this child; match on the resolved image or its basename.
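
The parent/child relationship in this tree (EXCEL.EXE launching wscript.exe on a .vbs dropped in the user's Temp directory) is the signal behind the first two signatures. The following is an added detection example and is not part of the sandbox report: it parses constructed tab-separated process-creation records and flags an Office parent spawning a script host, adding a second reason when the script operand sits under a user's AppData tree. PIDs 112 and 580 and their command lines mirror the tree above; the record layout, the other PIDs/PPIDs and the benign rows are assumptions made for the example.

```python
"""Flag an Office process launching a script host, optionally on a script from a
user-writable directory. Added example; the log records below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications that have no business starting script interpreters.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Script hosts and shells typically used as the first stage after a macro.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# A script operand under a user's AppData tree (Temp lives under Local).
USER_WRITABLE_SCRIPT = re.compile(
    r"\\users\\[^\\]+\\appdata\\(?:local|roaming)\\[^\"]*"
    r"\.(?:vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # resolved image path (after WoW64 redirection)
    parent_image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(log: str) -> List[ProcessEvent]:
    """Parse tab-separated records: pid, ppid, image, parent_image, cmdline."""
    events = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pid, ppid, image, parent_image, cmdline = line.split("\t", 4)
        events.append(ProcessEvent(int(pid), int(ppid), image, parent_image, cmdline))
    return events


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if _basename(ev.parent_image) not in OFFICE_PARENTS:
        return []
    child = _basename(ev.image)   # match on the image, not the typed cmdline path
    if child not in SCRIPT_HOSTS:
        return []
    reasons = [f"office_parent_spawned_{child}"]
    if USER_WRITABLE_SCRIPT.search(ev.cmdline):
        reasons.append("script_from_user_writable_dir")
    return reasons


def scan(log: str) -> Dict[int, List[str]]:
    """Map PID -> reasons for every flagged event in the log."""
    return {ev.pid: r for ev in parse_events(log) if (r := evaluate(ev))}


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
XLS = r"C:\Users\Admin\AppData\Local\Temp\2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a.xls"
VBS = r"C:\Users\Admin\AppData\Local\Temp\windows.vbs"

# Constructed records. PIDs 112 and 580 and their command lines mirror the
# sandbox process tree; the other rows (and all PPIDs except 112) are made up.
SAMPLE_ROWS = [
    (112, 1432, EXCEL, r"C:\Windows\explorer.exe", f'"{EXCEL}" /dde {XLS}'),
    (580, 112, r"C:\Windows\SysWOW64\wscript.exe", EXCEL,
     f'"C:\\Windows\\System32\\wscript.exe" "{VBS}"'),
    # Excel starting the print helper: Office parent, but not a script host.
    (944, 112, r"C:\Windows\splwow64.exe", EXCEL, r"C:\Windows\splwow64.exe 12288"),
    # Same script run by a user from Explorer: outside this rule's scope.
    (1020, 1432, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
     f'"C:\\Windows\\System32\\wscript.exe" "{VBS}"'),
    # Word spawning cscript on a script outside AppData: first reason only.
    (1100, 2000, r"C:\Windows\System32\cscript.exe", WINWORD,
     r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"),
]
SAMPLE_LOG = "\n".join("\t".join(str(f) for f in row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_LOG).items():
        print(pid, ", ".join(reasons))
```

Running it flags PID 580 with both reasons and PID 1100 with the spawn reason only; the splwow64.exe child of Excel and the Explorer-launched wscript.exe are not reported. The rule deliberately matches on the resolved image basename so that the SysWOW64 redirection seen in this report does not matter, and it keys the second reason on the script path rather than on the script host alone, since script hosts started by Office on scripts under Windows or Program Files are far more often legitimate.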

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\windows.vbs
    Filesize

    5KB

    MD5

    14c05d47ae9cd4cacd336604eed770cb

    SHA1

    8b2137d85a7b593b81dd48f62a3a47659aa0799a

    SHA256

    9d8af90ce1ad861305de4da0dcdb0253e51b164a505e6b126492413fc0ceb5ef

    SHA512

    8f12c44917ba6ca5d02494a247256aa5110d753b272df5595df8e6905e68af122c290f11fd0366994b5b05a997dc8723b498b4bf13e2bbd88dd72158e6453ba9

  • memory/112-54-0x000000002F021000-0x000000002F024000-memory.dmp
    Filesize

    12KB

  • memory/112-55-0x0000000071931000-0x0000000071933000-memory.dmp
    Filesize

    8KB

  • memory/112-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/112-57-0x000000007291D000-0x0000000072928000-memory.dmp
    Filesize

    44KB

  • memory/112-58-0x00000000768A1000-0x00000000768A3000-memory.dmp
    Filesize

    8KB

  • memory/112-75-0x000000007291D000-0x0000000072928000-memory.dmp
    Filesize

    44KB

  • memory/112-79-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/112-80-0x000000007291D000-0x0000000072928000-memory.dmp
    Filesize

    44KB

  • memory/580-76-0x0000000000000000-mapping.dmp