Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2022 03:08
Behavioral task: behavioral1
Sample: 273_096.xls
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 273_096.xls
Resource: win10v2004-20221111-en
General
Target: 273_096.xls
Size: 255KB
MD5: 4a39482f8109165a29e5f2982c57a895
SHA1: 1bd892084eb45b67781ec482c9e4e5e860241b32
SHA256: 3809cb404f536733812960e2c738de5fded540678064ff026583e48e4f7b3025
SHA512: d7e8f5361a9e9b82b2f51dd62e570659719ad34079db8d355e852760cd97974efc74315ff0cee5e611fa8b5528468f34b2dbf9205e40371a89b97752c7e77261
SSDEEP: 6144:6Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgUNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSd:YNbDjP9XH5XIqZLnSd
Malware Config
Extracted URLs:
- http://demarsoft.com/ALPHAINSTALLS.US/lTsjpA6/
- http://clockworktradeservices.com/wp-admin/uFRWXkuTnDAbQtIO/
- http://cloudxml.com.br/L45R4qJJFH/ESXAIhm/
- https://copunupo.ac.zm/cgi-bin/bNoAgU9/
Signatures
-
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2996 | 1068 | regsvr32.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4832 | 1068 | regsvr32.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5084 | 1068 | regsvr32.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2664 | 1068 | regsvr32.exe | EXCEL.EXE
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
pid | process
1068 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
pid | process
1068 | EXCEL.EXE (12 identical entries)
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE
description | pid | process | target process
PID 1068 wrote to memory of 2996 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 2996 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 4832 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 4832 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 5084 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 5084 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 2664 | 1068 | EXCEL.EXE | regsvr32.exe
PID 1068 wrote to memory of 2664 | 1068 | EXCEL.EXE | regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\273_096.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\regsvr32.exe (depth 2)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
    - Process spawned unexpected child process
  -
  C:\Windows\System32\regsvr32.exe (depth 2)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
    - Process spawned unexpected child process
  -
  C:\Windows\System32\regsvr32.exe (depth 2)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
    - Process spawned unexpected child process
  -
  C:\Windows\System32\regsvr32.exe (depth 2)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\oxnv2.ooccxx
Filesize: 6KB
MD5: 2826b1e7af14a75fee51d4e4534eeff5
SHA1: c9eab9b2b15cffc0273b3f8d197007b025018838
SHA256: 8cc3fe518e10bfedd841106b51a5b0fbc337161cfc4d7360db0436ee9d1a68e5
SHA512: 1c77d4a9ede815b53df07220742e43a180097f066be9a6c3ac22f573910955ddb0047700f9f277bd6c794d8560865ad28cf58de40bb1f939ea4c8cf7f28ba39e
-
memory/1068-132-0x00007FFFB73D0000-0x00007FFFB73E0000-memory.dmp
Filesize: 64KB
-
memory/1068-133-0x00007FFFB73D0000-0x00007FFFB73E0000-memory.dmp
Filesize: 64KB
-
memory/1068-134-0x00007FFFB73D0000-0x00007FFFB73E0000-memory.dmp
Filesize: 64KB
-
memory/1068-135-0x00007FFFB73D0000-0x00007FFFB73E0000-memory.dmp
Filesize: 64KB
-
memory/1068-136-0x00007FFFB73D0000-0x00007FFFB73E0000-memory.dmp
Filesize: 64KB
-
memory/1068-137-0x00007FFFB4A70000-0x00007FFFB4A80000-memory.dmp
Filesize: 64KB
-
memory/1068-138-0x00007FFFB4A70000-0x00007FFFB4A80000-memory.dmp
Filesize: 64KB
-
memory/2664-143-0x0000000000000000-mapping.dmp
-
memory/2996-139-0x0000000000000000-mapping.dmp
-
memory/4832-140-0x0000000000000000-mapping.dmp
-
memory/5084-142-0x0000000000000000-mapping.dmp