Overview

overview

10

Static

static

8

781235d1ca...6e.xls

windows7-x64

10

781235d1ca...6e.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    241s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    781235d1ca9b542ec2657113d3471a5cfd4cf7b0d0d531d04696ea27735d4e6e.xls

  • Size

    150KB

  • MD5

    4554c09a6eeb2c46b74d94283b25627b

  • SHA1

    1a255760e8343225accffe055bdf173402bef643

  • SHA256

    781235d1ca9b542ec2657113d3471a5cfd4cf7b0d0d531d04696ea27735d4e6e

  • SHA512

    b0eab1403f462f584763422d6447c3e583ed8016b3c64d0f26fc8c2f70e20b89878d20f3c41395e78eaa87bec98a928f79176af825ac50f150681204f0e2465c

  • SSDEEP

    3072:ABJuRoPuNXoJbXd0QdAgAG3EOSq6/cgfpUCIdf2jcc0lbxOKTDgq:GJuRoPuNXoJbXd0QdAgAG3EOSq6/cgfs

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\781235d1ca9b542ec2657113d3471a5cfd4cf7b0d0d531d04696ea27735d4e6e.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\SysWOW64\attrib.exe
          attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
          3⤵
          • Views/modifies file attributes
          PID:932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        2⤵
        • Process spawned unexpected child process
        PID:1312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        2⤵
        • Process spawned unexpected child process
        PID:336

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/860-225-0x0000000005590000-0x0000000005690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/860-55-0x0000000071611000-0x0000000071613000-memory.dmp

      Filesize

      8KB

      Download

    • memory/860-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/860-57-0x00000000725FD000-0x0000000072608000-memory.dmp

      Filesize

      44KB

      Download

    • memory/860-58-0x0000000076391000-0x0000000076393000-memory.dmp

      Filesize

      8KB

      Download

    • memory/860-227-0x0000000005590000-0x0000000005690000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/860-54-0x000000002F881000-0x000000002F884000-memory.dmp

      Filesize

      12KB

      Download

    • memory/860-226-0x00000000725FD000-0x0000000072608000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-60-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

      Filesize

      8KB

      Download