Analysis
max time kernel: 133s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 17:28
Behavioral task behavioral1
Sample: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
Resource: win10v2004-20241007-en
General
Target: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm
Size: 46KB
MD5: a68587b9c22276dd3d99a5626eb5d954
SHA1: 5c0870bbb8a9057266dbb09d6f0ccf26c2a32c8c
SHA256: 746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44
SHA512: 0a77c2be50172bb29796e5fb29a0b5f1aa6018a6866a6f1d51a86dedd570a0cce2ca389c21cb04baff45be6b2f4dca4b80c1b2e341566997df5fa73602ec16cf
SSDEEP: 768:Pf4oTBvDOevZCwrvtjizdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2Vy0:34olvDetT5fTR4Lh1NisFYBc3cr+UqV3
Malware Config
Extracted URLs:
https://patriciamirapsicologa.com/wp-includes/UfQQtX1LEVwNJPCx/
https://gavalisamajsevasangh.com/abcd-trey/q4hH2T12X/
https://yatrataxi.com/folwu/LC5yH9Ai0l/
https://thelastpeopleonearth-dayz.com/wp-content/V2mmGey/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 760 | 2920 | regsvr32.exe | 82
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2920 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2920 | EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2920 | EXCEL.EXE (12 occurrences)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2920 wrote to memory of 760 | 2920 | EXCEL.EXE | 95 (3 occurrences)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\746b5c1f8da356f013f8edc112ecbbfa75a3aa0e79b393d6e4b0ac2b49a28d44.xlsm"
   PID: 2920
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWow64\regsvr32.exe (child of process 1)
      Command line: C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx
      PID: 760
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 169KB
MD5: f5385af4782a47cd95666b19e423f647
SHA1: 9927241ae7a98cd7c845e4c6343c111f378d6bdb
SHA256: ff0f4415493ce7d91bf348ea7335bdd6924ae2ac10f26659cb00801910209b70
SHA512: 5f4c98864ef2ebaeeb2087c392a54fcbcc5e949746675b2deea654b104af8894370a6860a1da943a4587ac8d61579fb24b2fd32ad6a6e6d68149b1bf7cd90d9a