Analysis
- max time kernel: 19s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-09-2024 22:06
Behavioral task: behavioral1
- Sample: 94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340.xls
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340.xls
- Resource: win10v2004-20240802-en
General
- Target: 94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340.xls
- Size: 36KB
- MD5: 2a6c974ade619678d91e3b57ba12ecbc
- SHA1: bf54cb05e94a86a5dabc5e79a36e4ca4665d33f1
- SHA256: 94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340
- SHA512: 5a8d495896cca9621f931a4f36cd752433bdee6c4a5a30314bba9c1ab7b515a84f90e2976b300acf9ad927b57f2952b5488e6a15a7c70f6ff5ece62292db61b6
- SSDEEP: 768:NPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJeShw1bfnFLk2nZKG:lok3hbdlylKsgqopeJBWhZFGkE+cL2Nf
Malware Config
- Extracted URL: https://markens.online/wp-data.php
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2760 | 1744 | rundll32.exe | EXCEL.EXE
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: EXCEL.EXE, rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
pid | process
1744 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: EXCEL.EXE
pid | process
1744 | EXCEL.EXE (6 identical entries)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: EXCEL.EXE
description | pid | process | target process
PID 1744 wrote to memory of 2760 | 1744 | EXCEL.EXE | rundll32.exe (7 identical entries)
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340.xls
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1744
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1744)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\oPzLk7B.txt,DllRegisterServer
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery
      PID: 2760