Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 17:31
Behavioral task
behavioral1
Sample
1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000.xlsm
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000.xlsm
Resource
win10v2004-20241007-en
General
-
Target
1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000.xlsm
-
Size
45KB
-
MD5
8574d3556d2265e288213c80de56fc57
-
SHA1
f020d7e9fb20d417673777aa64f496ea7efd050d
-
SHA256
1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000
-
SHA512
ab3400f79f2b05c5c7cdbb137ac9983a96434e2166edd129621b1980a5b0612356e0f5596134b527f7d90794afa3c71d6dc29dc1814fcca35aaefbf017d84e33
-
SSDEEP
768:GqLrVo43DOevZCwrvtZmzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Ud0U2tCo:NrVo43DwtT5fTR4Lh1NisFYBc3cr+U2T
Malware Config
Extracted
http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/
http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/
http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2696 4552 regsvr32.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4552 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4552 EXCEL.EXE 4552 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE 4552 EXCEL.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4552 wrote to memory of 2696 4552 EXCEL.EXE 88 PID 4552 wrote to memory of 2696 4552 EXCEL.EXE 88 PID 4552 wrote to memory of 2696 4552 EXCEL.EXE 88
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWow64\regsvr32.exeC:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx2⤵
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize686B
MD51596e69cda1f3822feca56281a99c6f5
SHA106ece1a02a2b963aa00057ff2910057db3be779c
SHA25616bc4542aafd5a6d502470f314790f4d66061a42c7fee1e0c162134e6883b8fa
SHA5122ff9edae8d63e83adcf93d7dafc021775901c4c2d10b8bc91c096bb03aa964759819adfc55e22159b3552aa5a6bc423350691e5307f452b7733c8eceb4cd9e6b
-
Filesize
7KB
MD5b996dfb94ee763ad91a6e1034b455635
SHA1daf76e3be885af694649efe720e146bde68d4e3b
SHA25666e867b341ea1836bf112f4a7232b7c72e9330d2fe3ba3b2adf4ac8ad143d9ee
SHA512d2a48820cdf0d0edf757222047c06e5859f801dcbc26aff8cafae67c72c3a06ab297dfa58ad9ebe677441b581feb3bb53833ffda5882886f75222a1773a41aa5