Overview

overview

8

Static

static

1

b01a8a2ca3...C.xlam

windows7-x64

8

b01a8a2ca3...C.xlam

windows10-2004-x64

1

Analysis

  • max time kernel
    134s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2023, 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b01a8a2ca3831ecb3566d8d4a59fb5bab02c274f27021ec8491086e9519b4e85_JC.xlam

  • Size

    612KB

  • MD5

    570104a6f9f9f137f422927b10dd8d74

  • SHA1

    0f82d3747e32e1e6b2b9ddeded2449bf6afc5226

  • SHA256

    b01a8a2ca3831ecb3566d8d4a59fb5bab02c274f27021ec8491086e9519b4e85

  • SHA512

    c4e9b9af45723441e76f23b1d2dbdec31f31cc976b17306f5b780f18ef5a808986b35cb3d003ff741531011f0ea28d92b21036406ba8458ca40fc65febdb7088

  • SSDEEP

    12288:Qe1nWJcnuwPryOhSDOtEmhpHmx6edCM4KqXBDRIjRd21HicT:Vsw9S69hNlUCMVqRDRWKJicT

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b01a8a2ca3831ecb3566d8d4a59fb5bab02c274f27021ec8491086e9519b4e85_JC.xlam
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2212
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PWT.vbs"
      2⤵
        PID:2504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\PWT.vbs
      Filesize

      1KB

      MD5

      5343c1a8b203c162a3bf3870d9f50fd4

      SHA1

      04b5b886c20d88b57eea6d8ff882624a4ac1e51d

      SHA256

      dc1d54dab6ec8c00f70137927504e4f222c8395f10760b6beecfcfa94e08249f

      SHA512

      e0f50acb6061744e825a4051765cebf23e8c489b55b190739409d8a79bb08dac8f919247a4e5f65a015ea9c57d326bbef7ea045163915129e01f316c4958d949

      Download Submit

    • memory/2212-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2212-1-0x000000007268D000-0x0000000072698000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2212-2-0x000000007268D000-0x0000000072698000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2212-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2212-9-0x000000007268D000-0x0000000072698000-memory.dmp

      Filesize

      44KB

      Download