69ab644fb35bff52b9fb5b4d8cff404ea4269d01a0dc34ab7bac1fd9e353ef09

General

Target

inv1535.xls
Size

41KB
MD5

a25f16b71feac96810800c7d281a93d8
SHA1

e5d716e4d3687e79e99a70607bcbcec37ebfa73d
SHA256

69ab644fb35bff52b9fb5b4d8cff404ea4269d01a0dc34ab7bac1fd9e353ef09
SHA512

36e1890c5f269af77af20639048866267aec0d3d6a5184a35d89f7fd7c62a6406ea485801760b8301a8fcf73202c597499b061cb547f5ba37282b8be6c3c88bf

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://hacemosmarketingdigital.com.ar/6bbktc.php

xlm40.dropper

https://heimat-harz.com/zgwykq.php

xlm40.dropper

https://hgt.vaduni.vn/tjxxhk.php

xlm40.dropper

https://hoanggiang.tk/kgqbsf.php

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1156	1096	explorer.exe	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

592 reg.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE

pid	process
592	reg.exe

pid	process
1096	EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EXCEL.EXEexplorer.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 1156	1096	EXCEL.EXE	explorer.exe
PID 1096 wrote to memory of 1156	1096	EXCEL.EXE	explorer.exe
PID 1096 wrote to memory of 1156	1096	EXCEL.EXE	explorer.exe
PID 1096 wrote to memory of 1156	1096	EXCEL.EXE	explorer.exe
PID 2036 wrote to memory of 1840	2036	explorer.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	explorer.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	explorer.exe	cmd.exe
PID 1840 wrote to memory of 592	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 592	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 592	1840	cmd.exe	reg.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inv1535.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\System32\cmd.exe
2⤵
- Process spawned unexpected child process
PID:1156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Office\14.0\Excel\Security /v VBAWarnings
3⤵
- Modifies registry key
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\R9SjPU.txt
MD5
27e2e68a9c88a4d1b9c7003f93382589

SHA1
922ee44627d6044eafe5ad3cd4c94eb1e35be049

SHA256
d8541ef8691e913c8a6c794cfef8cc608bcce7fdbe677e22d1921701edbb8c04

SHA512
8a0c4efa26bdb0114f010a5c1130f20fc80c6aa59d545473d285a226e9963a7fea8ad1314fbbfae132859c256b8690f0fd1751473fe08014f582164a61d880c5

Download Submit
memory/592-4-0x0000000000000000-mapping.dmp

Download
memory/1156-2-0x0000000000000000-mapping.dmp

Download
memory/1328-6-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp

Filesize
2.5MB

Download
memory/1840-3-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads