Analysis
-
max time kernel
35s -
max time network
39s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
25-01-2023 11:02
General
-
Target
Form.xls
-
Size
91KB
-
MD5
40b76012b8b6529ecf8351125ac25173
-
SHA1
f9daf8fefcf0013c84a67fb0d1f8b6c9310d8165
-
SHA256
e43a3e22c345838254d967e5523d858e4049018eaee4f1ab5bfc8467c62e17ab
-
SHA512
c2dc3c35a809dd3d151660079cf2ba01fb2be917236dc2bc1c1134b9327cebd21e3195b6964f639e7e09975844e8a0cc3cb5e8e87481e92a11140bbf0ddf4061
-
SSDEEP
1536:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg4bCXuZH4gb4CEn9J4ZTrX:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg8
Malware Config
Extracted
http://www.vinyz.com/cache/rqWV/
http://yuanliao.raluking.com/1eq5o7/gHrTM8YilZz0quKt/
https://akarweb.net/cgi-bin/CL13tGXI/
http://www.bdbg.es/css/DDm7o71vWtTs/
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEPID:1532"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Form.xls"Checks processor information in registryEnumerates system info in registrySuspicious behavior: AddClipboardFormatListenerSuspicious use of FindShellTrayWindowSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exePID:3972C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxxProcess spawned unexpected child process
-
C:\Windows\System32\regsvr32.exePID:4720C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxxProcess spawned unexpected child process
-
C:\Windows\System32\regsvr32.exePID:4660C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxxProcess spawned unexpected child process
-
C:\Windows\System32\regsvr32.exePID:4596C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxxProcess spawned unexpected child process
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\Users\Admin\elv2.ooocccxxxFilesize
8KB
MD5b30db89a08a31c8747a5a191cb449f71
SHA1e2a46f963bd29b791a8fd45f06eba2681f02fd90
SHA2562827c35c694336607536bc3439e4e28a5ead21722452dceebfde730f2a445e67
SHA5120fd71e4f61c339cd9d2d803449e763562da525dbc75f55cbcdc85d15f5f032c95c22628e8d5bcd811b43522b44b2e0e29ace44023a1690ea3153345a9b1f2cd1
-
memory/1532-120-0x00007FFF48C50000-0x00007FFF48C60000-memory.dmpFilesize
64KB
-
memory/1532-121-0x00007FFF48C50000-0x00007FFF48C60000-memory.dmpFilesize
64KB
-
memory/1532-122-0x00007FFF48C50000-0x00007FFF48C60000-memory.dmpFilesize
64KB
-
memory/1532-123-0x00007FFF48C50000-0x00007FFF48C60000-memory.dmpFilesize
64KB
-
memory/1532-132-0x00007FFF45D20000-0x00007FFF45D30000-memory.dmpFilesize
64KB
-
memory/1532-133-0x00007FFF45D20000-0x00007FFF45D30000-memory.dmpFilesize
64KB
-
memory/3972-254-0x0000000000000000-mapping.dmp
-
memory/4596-266-0x0000000000000000-mapping.dmp
-
memory/4660-264-0x0000000000000000-mapping.dmp
-
memory/4720-258-0x0000000000000000-mapping.dmp