Analysis

  • max time kernel
    155s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-03-2023 15:13

General

  • Target
    2023-03-10-04c8640612e13344dffb70fccddb8ac9_unzipped.xls
  • Size
    60KB
  • MD5
    04c8640612e13344dffb70fccddb8ac9
  • SHA1
    282981b58026f705047e8c8f007f03dbd9839e1d
  • SHA256
    324ac77fc10576ee2f4d22d75cfef4b40062e69dae7a0095ff66d47c7df9729b
  • SHA512
    85094b29a5d473e4a34574af7a12366e977a0ef36246b8d6fef63b35f5b818c3e3a4801130c63e862b571569344f7c672870b222d414c354b712b6e420a64fa1
  • SSDEEP
    1536:tpKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgaDOJiA6Cv/UGLI36yOAZE8q:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgx

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    URLs
  • xlm40.dropper
    http://nazreghadir.ir/wp-includes/kaiSEoHGa/
  • xlm40.dropper
    https://mass-gardinen-shop.de/css/AHE8baLiW/
  • xlm40.dropper
    http://kbmpti.filkom.ub.ac.id/config/LdgfVAaCy/
  • xlm40.dropper
    http://www.hangaryapi.com.tr/wp-admin/E1gb6ognvvn8HX/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2023-03-10-04c8640612e13344dffb70fccddb8ac9_unzipped.xls
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scd1.ocx
      • Process spawned unexpected child process
      PID:560
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scd2.ocx
      • Process spawned unexpected child process
      PID:888
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scd3.ocx
      • Process spawned unexpected child process
      PID:836
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scd4.ocx
      • Process spawned unexpected child process
      PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\scd1.ocx
    Filesize
    644B
    MD5
    593baf5a52f7c07668e9134b0e7c0651
    SHA1
    fb878e74a03408aef11aa828a3ffbca18632185b
    SHA256
    47f0814af9b03e076eb8bd630d850b5c69b0f6f4bdef2e9ce33dfb60f529f079
    SHA512
    bfad9e51dabf3c576cac344263fba9b406a92adb5d8615a769e743983fd28d8b36bf7696f6f31dfce639d3461e7193be9832b10b3693b77f6cfa235fe34a2968

  • C:\Users\Admin\scd3.ocx
    Filesize
    281B
    MD5
    a0918d6d8f784e2104fc35159bc58de5
    SHA1
    3e99661c21ff89c4cf10f31f71e85d6a7e3cede9
    SHA256
    4c0ddf16ea95cb4329387537680899261a16a91132a27dc27734a02b57d4a940
    SHA512
    da71ac211a7b10d44105c42dcbc19985954b9e899f23f3b44789fcb5a3c99709d06cec532babc4581270ff685f0bd3b1413cc2f0d47ee9624fb4623f71b26ff6

  • memory/1724-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB