Analysis
max time kernel: 144s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-11-2022 16:45
Behavioral task: behavioral1
Sample: f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab.xls
Resource: win10-20220901-en

Behavioral task: behavioral2
Sample: f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab.xls
Resource: win10-20220901-en
General
Target: f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab.xls
Size: 217KB
MD5: 8a8e7a345463f9c84c094d99aa3f23a1
SHA1: 90951630600ff85cdf5ce3a0554044ddc4f9b6dd
SHA256: f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab
SHA512: d7fe557e9e5e5939eaf9ad273a8563c8a828b06c263e2248a2906cfab2b0be312988348e1115638ff6f044e3df66743709ee27fe177fa0bc4b076d90155ff240
SSDEEP: 6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg8yY+TAQXTHGUMEyP5p6f5jQmB:nbGUMVWlbB
Malware Config
Extracted URLs:
- http://kabaruntukrakyat.com/wp-content/B9oJ0jh/
- http://coinkub.com/wp-content/WwrJvjumS/
- https://aberractivity.hu/iqq/Dmtv/
- https://anamafegarcia.es/css/HfFXMTXvc40t/
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4852 | 2744 | regsvr32.exe | 65 |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1948 | 2744 | regsvr32.exe | 65 |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4972 | 2744 | regsvr32.exe | 65 |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1044 | 2744 | regsvr32.exe | 65 |
Downloads MZ/PE file

Loads dropped DLL (4 IoCs)

| pid | Process |
|---|---|
| 4852 | regsvr32.exe |
| 1948 | regsvr32.exe |
| 4972 | regsvr32.exe |
| 1044 | regsvr32.exe |
Adds Run key to start application (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrYuUcPv.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MHLNvMlEKlxqKWb\\yrYuUcPv.dll\"" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfSH.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\McCuFlwdKDQehQz\\XfSH.dll\"" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NyDLD.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\HMvMelv\\NyDLD.dll\"" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnCmJY.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\Lzlpc\\nnCmJY.dll\"" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe |
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |

Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |
Suspicious behavior: AddClipboardFormatListener (1 IoCs)

| pid | Process |
|---|---|
| 2744 | EXCEL.EXE |

Suspicious behavior: EnumeratesProcesses (24 IoCs)

| pid | Process |
|---|---|
| 4852 | regsvr32.exe |
| 4852 | regsvr32.exe |
| 4772 | regsvr32.exe |
| 4772 | regsvr32.exe |
| 4772 | regsvr32.exe |
| 4772 | regsvr32.exe |
| 1948 | regsvr32.exe |
| 1948 | regsvr32.exe |
| 4568 | regsvr32.exe |
| 4568 | regsvr32.exe |
| 4568 | regsvr32.exe |
| 4568 | regsvr32.exe |
| 4972 | regsvr32.exe |
| 4972 | regsvr32.exe |
| 1236 | regsvr32.exe |
| 1236 | regsvr32.exe |
| 1236 | regsvr32.exe |
| 1236 | regsvr32.exe |
| 1044 | regsvr32.exe |
| 1044 | regsvr32.exe |
| 3304 | regsvr32.exe |
| 3304 | regsvr32.exe |
| 3304 | regsvr32.exe |
| 3304 | regsvr32.exe |

Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process |
|---|---|
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |
| 2744 | EXCEL.EXE |

Suspicious use of WriteProcessMemory (16 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2744 wrote to memory of 4852 | 2744 | EXCEL.EXE | 68 |
| PID 2744 wrote to memory of 4852 | 2744 | EXCEL.EXE | 68 |
| PID 4852 wrote to memory of 4772 | 4852 | regsvr32.exe | 70 |
| PID 4852 wrote to memory of 4772 | 4852 | regsvr32.exe | 70 |
| PID 2744 wrote to memory of 1948 | 2744 | EXCEL.EXE | 71 |
| PID 2744 wrote to memory of 1948 | 2744 | EXCEL.EXE | 71 |
| PID 1948 wrote to memory of 4568 | 1948 | regsvr32.exe | 72 |
| PID 1948 wrote to memory of 4568 | 1948 | regsvr32.exe | 72 |
| PID 2744 wrote to memory of 4972 | 2744 | EXCEL.EXE | 73 |
| PID 2744 wrote to memory of 4972 | 2744 | EXCEL.EXE | 73 |
| PID 4972 wrote to memory of 1236 | 4972 | regsvr32.exe | 74 |
| PID 4972 wrote to memory of 1236 | 4972 | regsvr32.exe | 74 |
| PID 2744 wrote to memory of 1044 | 2744 | EXCEL.EXE | 75 |
| PID 2744 wrote to memory of 1044 | 2744 | EXCEL.EXE | 75 |
| PID 1044 wrote to memory of 3304 | 1044 | regsvr32.exe | 76 |
| PID 1044 wrote to memory of 3304 | 1044 | regsvr32.exe | 76 |
Processes

[depth 1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab.xls"
  PID: 2744
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
    PID: 4852
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MHLNvMlEKlxqKWb\yrYuUcPv.dll"
      PID: 4772
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
    PID: 1948
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\McCuFlwdKDQehQz\XfSH.dll"
      PID: 4568
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
    PID: 4972
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HMvMelv\NyDLD.dll"
      PID: 1236
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
    PID: 1044
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Lzlpc\nnCmJY.dll"
      PID: 3304
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 712KB
MD5: 9e91b55835fbcdf5878ad5ec2d9d299a
SHA1: 408df88388229ced5370c15a145c9d9b66e3a0ac
SHA256: 23055980f5cd3b756872d9ce8308146c403da3c9e327e3beba01b601f95714b6
SHA512: af94a001bc789f7e470ea038e8f50cbc4feed4622623d348b4b874200864d5c6ad99ed0eee7b71c504296c9bbf84d6343c2030b0921ef79a51df89530f136e5c

File 2
Filesize: 712KB
MD5: e69dd625ebd0bc7768ca1ba163284ee9
SHA1: f911d3f3874e906bef1acb9e610f4c742de8aed8
SHA256: 3c5172e7f642cfcc0586ae723ff4cd575f8bec7f5e23a32afb4411459c6012f4
SHA512: b3ed4b63372fb8bdf63972bf4c29cceb0c48f6a9f05408de368ad5fd5f0be1a5fdcde279b428b5cd9f0d6383c3b5fa3a5561bbaf57f052c6a53c63ecc7f6a973

File 3
Filesize: 712KB
MD5: 4c74f8644a26ff92259a5b0ec9590f34
SHA1: 0634e2308acf3a88731ea139c193d8af8dc5c665
SHA256: d0073edccc4b6ff39184c5dea36bd2d419277ffaa435aadcd06bb6f69b759dc3
SHA512: e4482d60d402f7e1c7c54f43b9ad2a76068b1639314f5549d2d9228aa8410c9797e50ca7d3fcdc0b3a857a2d261a82f244cd9d9e30939dd50124360ec015a099

File 4
Filesize: 712KB
MD5: d42f08e457604a2d7c005b5027aa9865
SHA1: 0f25c799fabd98572bd3b3df5fa4f5661bfbeeb2
SHA256: 3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec
SHA512: 28f489d208cb4958e05c8a7e7b08fc99149596883de410eab0291d0d3802cf619f4e0b295e99b2d2a6cde217a40186d52bc1bf5a3a113ad146f4e30def44570c