Analysis
Max time kernel: 117s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20241023-en
Resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
Submitted: 11-11-2024 17:28
Behavioral task: behavioral1
Sample: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
Resource: win10v2004-20241007-en
General
Target: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
Size: 46KB
MD5: a68587b9c22276dd3d99a5626eb5d954
SHA1: 5c0870bbb8a9057266dbb09d6f0ccf26c2a32c8c
SHA256: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44
SHA512: 0a77c2be50172bb29796e5fb29a0b5f1aa6018a6866a6f1d51a86dedd570a0cce2ca389c21cb04baff45be6b2f4dca4b80c1b2e341566997df5fa73602ec16cf
SSDEEP: 768:Pf4oTBvDOevZCwrvtjizdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2Vy0:34olvDetT5fTR4Lh1NisFYBc3cr+UqV3
Malware Config
Extracted URLs:
- https://patriciamirapsicologa.com/wp-includes/UfQQtX1LEVwNJPCx/
- https://gavalisamajsevasangh.com/abcd-trey/q4hH2T12X/
- https://yatrataxi.com/folwu/LC5yH9Ai0l/
- https://thelastpeopleonearth-dayz.com/wp-content/V2mmGey/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2920 | 2096 | regsvr32.exe | 29

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2096 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2096 | EXCEL.EXE
2096 | EXCEL.EXE
2096 | EXCEL.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
PID 2096 wrote to memory of 2920 | 2096 | EXCEL.EXE | 32
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
PID: 2096
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Child process: C:\Windows\SysWow64\regsvr32.exe
  Command line: C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx
  PID: 2920
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 169KB
MD5: 8e16ebf83f110d6619d0693d6b96ada3
SHA1: 1dbb5400b79fe739584bedea1f857bc01bc5ff8b
SHA256: cb14615c6c759b3053e8fb74c58fa4c70626c49c3e03a3509cec98cd83a87d65
SHA512: f7afad930d54c13b06b6fa10cba3863b7fd4d4b92bc59cfb729c61be5987a21186adb8af02ba882db1f25b1d3597c3eb0d94d7c4138bc7b6ab591ba7eef242ad