Resubmissions
29/01/2024, 04:39
240129-e973taabe9 1029/01/2024, 02:55
240129-dew7dshgep 1029/01/2024, 01:55
240129-ccg41sfdf2 1029/01/2024, 01:50
240129-b9jhnsgham 329/01/2024, 01:26
240129-bts26sfaa4 10Analysis
-
max time kernel
128s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system -
submitted
29/01/2024, 04:39
Static task
static1
Behavioral task
behavioral1
Sample
excel40macroschallenge.rar
Resource
win10-20231215-en
General
-
Target
excel40macroschallenge.rar
-
Size
103KB
-
MD5
542ead021ed9ecab2f5b6ff0edaf2f74
-
SHA1
f1a509cb6dc15534a0b7ee29486789557a434941
-
SHA256
024ef55d8112d913021e2f8e38294052c40d177062afebc1b462f396c86c297b
-
SHA512
d2e1514a891db86ec6275ffcb6f44503cedf9e4560d200eeefc3fe047e08c7769de1892b92ee71fe4663720652eb509a55c29e24e82d6deb8dbe5a741cd9cb95
-
SSDEEP
1536:r6diRoyzKi0WAx5elOHwxvhuQcLE6/Q59VGqITfVuy03FD+/mUtzBxr:xutnmOQxvqEPHVZILVK1D+eUtX
Malware Config
Extracted
https://nws.visionconsulting.ro/N1G1KCXA/dot.html
https://royalpalm.sparkblue.lk/vCNhYrq3Yg8/dot.html
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4516 3932 regsvr32.exe 76 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2888 3932 regsvr32.exe 76 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance 7zFM.exe Key created \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance 7zFM.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3932 EXCEL.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1376 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 1376 7zFM.exe Token: 35 1376 7zFM.exe Token: SeSecurityPrivilege 1376 7zFM.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1376 7zFM.exe 1376 7zFM.exe 3932 EXCEL.EXE 3932 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE 3932 EXCEL.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1376 2220 cmd.exe 73 PID 2220 wrote to memory of 1376 2220 cmd.exe 73 PID 3932 wrote to memory of 4516 3932 EXCEL.EXE 80 PID 3932 wrote to memory of 4516 3932 EXCEL.EXE 80 PID 3932 wrote to memory of 2888 3932 EXCEL.EXE 81 PID 3932 wrote to memory of 2888 3932 EXCEL.EXE 81
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\excel40macroschallenge.rar1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\excel40macroschallenge.rar"2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1376
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\research-1646684671.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 -s ..\iroto.dll2⤵
- Process spawned unexpected child process
PID:4516
-
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 -s ..\iroto1.dll2⤵
- Process spawned unexpected child process
PID:2888
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize690B
MD54f65566bbf2cd913d306dea24f9076e1
SHA16961a3f405f8a33d0900fe2a9b1713aa7077d154
SHA2566b3b849cbe41f683c22abe60a08c9675df7bd463cfb01ae29624254c83d21ccc
SHA5124791745224e3183ad2b1a557e6f3141fe2de901d6936e88f5d6727a4ed9ba527e2500a2ee8917065ffc756adb69299afab2bd531248c6a320e6fe4bf7eaf21f7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize24B
MD54fcb2a3ee025e4a10d21e1b154873fe2
SHA157658e2fa594b7d0b99d02e041d0f3418e58856b
SHA25690bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA5124e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
-
Filesize
648KB
MD5db2f24ae228c4ece8f845aec035b7686
SHA1324b4e86c90d4cd208dde4555c0fd4ed58b4c1bc
SHA256c27fea8d9767c9cfbbe6669b9e1c7c4adf614f8dfe7d3e5beb3d68e9817fa274
SHA5126fcf4a50179bc2fddc7aad813c10b113ae2c529d7feb3dd74ee739b30ddcdf9c86e7d7924d05107b2e925f1bbc5a1bd03467a33082243962565b9ddca3b607b2
-
Filesize
1KB
MD5d8e6ca059aa30b2aacb1696322b32b40
SHA148b9068177f780c36cf291fbaff0b583c62701be
SHA256d0a81f2b09ba36598ab1439b10681c631a778232bf91ad9decc61444f4cadb71
SHA512e6bf6e51c24c3de8e9353b454ab8c210d56148292168a28c609300186a489dab9a1db9381c4786de3915a81095dfa489973af07436a8336f13907ba3f7055663