Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2024 22:06

General

  • Target

    94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340.xls

  • Size

    36KB

  • MD5

    2a6c974ade619678d91e3b57ba12ecbc

  • SHA1

    bf54cb05e94a86a5dabc5e79a36e4ca4665d33f1

  • SHA256

    94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340

  • SHA512

    5a8d495896cca9621f931a4f36cd752433bdee6c4a5a30314bba9c1ab7b515a84f90e2976b300acf9ad927b57f2952b5488e6a15a7c70f6ff5ece62292db61b6

  • SSDEEP

    768:NPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJeShw1bfnFLk2nZKG:lok3hbdlylKsgqopeJBWhZFGkE+cL2Nf

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://markens.online/wp-data.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\94c4e47f8d07964aa50f0247b42d01681613f11d388c030c6835025e35b23340.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\oPzLk7B.txt,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1744-1-0x00000000727ED000-0x00000000727F8000-memory.dmp

    Filesize

    44KB

  • memory/1744-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1744-2-0x00000000727ED000-0x00000000727F8000-memory.dmp

    Filesize

    44KB