024ef55d8112d913021e2f8e38294052c40d177062afebc1b462f396c86c297b

Resubmissions

29/01/2024, 04:39

240129-e973taabe9 10

29/01/2024, 02:55

29/01/2024, 01:55

29/01/2024, 01:50

29/01/2024, 01:26

Analysis

max time kernel
128s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
29/01/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

excel40macroschallenge.rar
Size

103KB
MD5

542ead021ed9ecab2f5b6ff0edaf2f74
SHA1

f1a509cb6dc15534a0b7ee29486789557a434941
SHA256

024ef55d8112d913021e2f8e38294052c40d177062afebc1b462f396c86c297b
SHA512

d2e1514a891db86ec6275ffcb6f44503cedf9e4560d200eeefc3fe047e08c7769de1892b92ee71fe4663720652eb509a55c29e24e82d6deb8dbe5a741cd9cb95
SSDEEP

1536:r6diRoyzKi0WAx5elOHwxvhuQcLE6/Q59VGqITfVuy03FD+/mUtzBxr:xutnmOQxvqEPHVZILVK1D+eUtX

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://nws.visionconsulting.ro/N1G1KCXA/dot.html

xlm40.dropper

https://royalpalm.sparkblue.lk/vCNhYrq3Yg8/dot.html

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4516	3932	regsvr32.exe	76
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2888	3932	regsvr32.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zFM.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3932	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1376	7zFM.exe
Token: 35	1376	7zFM.exe
Token: SeSecurityPrivilege	1376	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1376	7zFM.exe
1376	7zFM.exe
3932	EXCEL.EXE
3932	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1376	2220	cmd.exe	73
PID 2220 wrote to memory of 1376	2220	cmd.exe	73
PID 3932 wrote to memory of 4516	3932	EXCEL.EXE	80
PID 3932 wrote to memory of 4516	3932	EXCEL.EXE	80
PID 3932 wrote to memory of 2888	3932	EXCEL.EXE	81
PID 3932 wrote to memory of 2888	3932	EXCEL.EXE	81

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\excel40macroschallenge.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\excel40macroschallenge.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1376

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\research-1646684671.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32 -s ..\iroto.dll
  2⤵
  - Process spawned unexpected child process
  PID:4516
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32 -s ..\iroto1.dll
  2⤵
  - Process spawned unexpected child process
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
690B

MD5
4f65566bbf2cd913d306dea24f9076e1

SHA1
6961a3f405f8a33d0900fe2a9b1713aa7077d154

SHA256
6b3b849cbe41f683c22abe60a08c9675df7bd463cfb01ae29624254c83d21ccc

SHA512
4791745224e3183ad2b1a557e6f3141fe2de901d6936e88f5d6727a4ed9ba527e2500a2ee8917065ffc756adb69299afab2bd531248c6a320e6fe4bf7eaf21f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\Desktop\research-1646684671.xls

Filesize
648KB

MD5
db2f24ae228c4ece8f845aec035b7686

SHA1
324b4e86c90d4cd208dde4555c0fd4ed58b4c1bc

SHA256
c27fea8d9767c9cfbbe6669b9e1c7c4adf614f8dfe7d3e5beb3d68e9817fa274

SHA512
6fcf4a50179bc2fddc7aad813c10b113ae2c529d7feb3dd74ee739b30ddcdf9c86e7d7924d05107b2e925f1bbc5a1bd03467a33082243962565b9ddca3b607b2

Download Submit
C:\Users\Admin\iroto.dll

Filesize
1KB

MD5
d8e6ca059aa30b2aacb1696322b32b40

SHA1
48b9068177f780c36cf291fbaff0b583c62701be

SHA256
d0a81f2b09ba36598ab1439b10681c631a778232bf91ad9decc61444f4cadb71

SHA512
e6bf6e51c24c3de8e9353b454ab8c210d56148292168a28c609300186a489dab9a1db9381c4786de3915a81095dfa489973af07436a8336f13907ba3f7055663

Download Submit
memory/3932-22-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-25-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-11-0x00007FF827760000-0x00007FF827770000-memory.dmp

Filesize
64KB

Download
memory/3932-16-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-14-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-17-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-18-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-19-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-21-0x00007FF824870000-0x00007FF824880000-memory.dmp

Filesize
64KB

Download
memory/3932-20-0x00007FF865210000-0x00007FF8652BE000-memory.dmp

Filesize
696KB

Download
memory/3932-6-0x00007FF827760000-0x00007FF827770000-memory.dmp

Filesize
64KB

Download
memory/3932-23-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-24-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-12-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-26-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-27-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-28-0x00007FF865210000-0x00007FF8652BE000-memory.dmp

Filesize
696KB

Download
memory/3932-29-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-30-0x00007FF824870000-0x00007FF824880000-memory.dmp

Filesize
64KB

Download
memory/3932-10-0x00007FF827760000-0x00007FF827770000-memory.dmp

Filesize
64KB

Download
memory/3932-9-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-8-0x00007FF827760000-0x00007FF827770000-memory.dmp

Filesize
64KB

Download
memory/3932-7-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-225-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-226-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download
memory/3932-227-0x00007FF865210000-0x00007FF8652BE000-memory.dmp

Filesize
696KB

Download
memory/3932-228-0x00007FF8676D0000-0x00007FF8678AB000-memory.dmp

Filesize
1.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads