Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-02-2024 22:14

General

  • Target
    b548389c0a77f5e77b0fe07725d79732e9c76162349b1f4dc506bdf29f96e511.xlsm
  • Size
    32KB
  • MD5
    d30f2b217f3ae3e8ac19c81129e7de3b
  • SHA1
    a7b076a6b84be14691e3071a219c7cbfce94adb0
  • SHA256
    b548389c0a77f5e77b0fe07725d79732e9c76162349b1f4dc506bdf29f96e511
  • SHA512
    8aaa87457c7c8b1c0087eb5abccd981238c386a34f76791b4e2908fa13b825a801c4ba6b87000a38912c50ef8d3b74ef0d341a673006f37b0764a3e39ecee4fb
  • SSDEEP
    384:wjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:wjpFhNNlizXT28dFfPdkqstJmE6/

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    xlm40.dropper
  • URLs
    https://casache.com/web/n3jxwXXwa/
    https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/
    http://ccalaire.com/wp-admin/d1pGRa0X/
    http://cdimprintpr.com/brochure2/A9NmYDndZ/
    http://careerplan.host20.uk/images/Ls/
    http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b548389c0a77f5e77b0fe07725d79732e9c76162349b1f4dc506bdf29f96e511.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll
      2⤵
      • Process spawned unexpected child process
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 93b38e1a10c68abd9e3bea86676dd3a5
    SHA1: f7b1a6950f5db2e6fce8235ca7187b5952526b42
    SHA256: 03373855c632aa8f34a4e0ba0dcd252e080d438715fdc9a46bf6fa11279771a7
    SHA512: 2445956ed961d30e36291599317e1ccbf5dda69e15c39d68c10ea1fddaf5b7fd374d76490baaf47f999d6b4d22a2fb34c07509570863c6c752dd675aaddfdbc8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 931e32f07aa9bb5cb37e95b6a3717f75
    SHA1: d106887096da4c1f8b1fdb13a1e399881fa8f0b6
    SHA256: a2e77bd06986f6c52082ed224e8699916545112ce7eebf376bb2c3b06fd0b51a
    SHA512: b24482ecee649d3e866909d11f048592b8f2abeea3719d227befe0239cba2d548a818eba37384b2061ffd70efd5356890c08eb99b710a01c4b622b969d7ac8a8

  • C:\Users\Admin\AppData\Local\Temp\Cab97EF.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar9811.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\rfs.dll
    Filesize: 158KB
    MD5: 9928ddf89badc66b1ab8ae8fcbd86691
    SHA1: 02c8e7933524f390fb0f1ba9b1a2201114ba1d71
    SHA256: b37143a6c2132fd29f3910df27b2a8d34b659b32aecee3cdfaac4a66c7633ffc
    SHA512: 58bc468a0f7a33a6210f5ce0f06321d43b36803affc7d1c756e26c6ac89c6fcf0995aec1a529d3583212e4983bbfa289a916f92186c9d8d011019239b8b3ae80

  • memory/2240-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2240-1-0x0000000072B8D000-0x0000000072B98000-memory.dmp
    Filesize: 44KB

  • memory/2240-96-0x0000000072B8D000-0x0000000072B98000-memory.dmp
    Filesize: 44KB