Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-01-2023 19:21
Behavioral task
behavioral1
Sample
Cancellation_Letter_1890704928-02242021.xls
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Cancellation_Letter_1890704928-02242021.xls
Resource
win10v2004-20220812-en
General
-
Target
Cancellation_Letter_1890704928-02242021.xls
-
Size
143KB
-
MD5
0d77e619d3652249d3424f46650d85b5
-
SHA1
62983f38e8a5275e3ac30f8a76e8886291c6fd7a
-
SHA256
e6ea08afb1528f524fd091fae173be6aec7d4a02ea13725c547314df7dceff4d
-
SHA512
9fd82d78380816b481b3eb1f1108832e098ce9286e3cc62a7a11931fbdf4047e5ca13023bf4618b5a4f7674b88197eadc1100e81a9965a18c1bda356767182a8
-
SSDEEP
3072:6cPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMFt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/v:6cPiTQAVW/89BQnmlcGvgZ7r3J8YUOMK
Malware Config
Extracted
http://sumonpro.xyz/nseoqnwbbvmc/44955848520486100000.dat
http://vngkinderopvang.nl/rmyjq/44955848520486100000.dat
http://stadt-fuchs.net/gwixglx/44955848520486100000.dat
http://hdmedia.pro/noexyryqori/44955848520486100000.dat
http://www.fernway.com/xjhuljbqv/44955848520486100000.dat
Signatures
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4044 4208 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4256 4208 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3516 4208 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3772 4208 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4816 4208 rundll32.exe EXCEL.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4208 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
EXCEL.EXEpid process 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE 4208 EXCEL.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 4208 wrote to memory of 4044 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 4044 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 4256 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 4256 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 3516 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 3516 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 3772 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 3772 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 4816 4208 EXCEL.EXE rundll32.exe PID 4208 wrote to memory of 4816 4208 EXCEL.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cancellation_Letter_1890704928-02242021.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\GDAS.UKDSR,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\GDAS.UKDSR1,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\GDAS.UKDSR2,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\GDAS.UKDSR3,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\GDAS.UKDSR4,DllRegisterServer2⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\GDAS.UKDSR3Filesize
24KB
MD52f977d5872cb7eb7a560eb0b0a540baf
SHA1c8e2d0134632884763d3922bdae5d1245207259c
SHA2563b8a21beff2c38dad1d682f7876cf1233fd7a8325b99292400828b6d9c4b3c38
SHA51215f89220c95de08df80eeabf3acbfed6490e43df568d3869bf39677819ff017f68a64c986c2bd86aa39b13ad96317f84fcdb6a51e2f1bdb54c3992862b309b69
-
memory/3516-141-0x0000000000000000-mapping.dmp
-
memory/3772-142-0x0000000000000000-mapping.dmp
-
memory/4044-139-0x0000000000000000-mapping.dmp
-
memory/4208-135-0x00007FFA45370000-0x00007FFA45380000-memory.dmpFilesize
64KB
-
memory/4208-137-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmpFilesize
64KB
-
memory/4208-138-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmpFilesize
64KB
-
memory/4208-136-0x00007FFA45370000-0x00007FFA45380000-memory.dmpFilesize
64KB
-
memory/4208-132-0x00007FFA45370000-0x00007FFA45380000-memory.dmpFilesize
64KB
-
memory/4208-134-0x00007FFA45370000-0x00007FFA45380000-memory.dmpFilesize
64KB
-
memory/4208-133-0x00007FFA45370000-0x00007FFA45380000-memory.dmpFilesize
64KB
-
memory/4256-140-0x0000000000000000-mapping.dmp
-
memory/4816-144-0x0000000000000000-mapping.dmp