Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2024 17:34

General

  • Target

    2b6a7f6001fcd7f82e550a6f1578c2986774a79c204631dae2b90f784e76470e.xls

  • Size

    53KB

  • MD5

    4986eb9a2c14be2320c661ff92a3568d

  • SHA1

    4947172d9298bd6d1157bae521d1b4f7fa083319

  • SHA256

    2b6a7f6001fcd7f82e550a6f1578c2986774a79c204631dae2b90f784e76470e

  • SHA512

    9d307450ae89b53400cd23e7479d93d9bcc54bf2905e9d7a291a0631a766fad7811a3c44b4e2ec89618e83c34b3cf1dbb2ed50090422cea682d5a5ae4b68c8d1

  • SSDEEP

    1536:LPKpb8rGYrMPe3q7Q0XV5xtezE8vG8UM+bSgNeEYL8ECyH:rKpb8rGYrMPe3q7Q0XV5xtezE8vG8UMt

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0 (Excel 4.0 / XLM macro sheet)
  • Source
    xlm40.dropper
  • URLs (four download locations; the process tree below registers four modules, ..\cusoa1.ocx through ..\cusoa4.ocx)

    https://newkano.com/wp-admin/66rIsrVwoPKUsjcAs/
    http://ocalogullari.com/inc/Wcm82enrs8/
    https://myphamcuatui.com/assets/OPVeVSpO/
    http://sieuthiphutungxenang.com/old_source/9boJQZpTSdQE/

Signatures

  • Process spawned unexpected child process (4 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 3272) spawned regsvr32.exe four times (see Processes).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3272)
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2b6a7f6001fcd7f82e550a6f1578c2986774a79c204631dae2b90f784e76470e.xls"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\regsvr32.exe (PID 728, child of 3272)
      C:\Windows\System32\regsvr32.exe /S ..\cusoa1.ocx
      • Process spawned unexpected child process
    • C:\Windows\System32\regsvr32.exe (PID 932, child of 3272)
      C:\Windows\System32\regsvr32.exe /S ..\cusoa2.ocx
      • Process spawned unexpected child process
    • C:\Windows\System32\regsvr32.exe (PID 2008, child of 3272)
      C:\Windows\System32\regsvr32.exe /S ..\cusoa3.ocx
      • Process spawned unexpected child process
    • C:\Windows\System32\regsvr32.exe (PID 3216, child of 3272)
      C:\Windows\System32\regsvr32.exe /S ..\cusoa4.ocx
      • Process spawned unexpected child process

    All four regsvr32 invocations use /S (silent, no dialog on failure) and a relative module path (..\cusoaN.ocx), which regsvr32 resolves against its own current directory rather than a system or Program Files location. Office spawning regsvr32 at all is anomalous; Office spawning it with a relative or user-writable module path is the pattern worth alerting on.
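The pattern above (an Office process spawning regsvr32 with a relative or user-writable module path) is easy to turn into a detection. The following is an added example, not part of this report or of any sandbox's own rule set: it triages Sysmon Event ID 1-style process-creation events (the field names ParentImage, Image, CommandLine, ProcessId and ParentProcessId are assumed; the sample events are constructed from the command lines and PIDs in the process tree above, plus one constructed benign control where msiexec.exe registers a COM server from Program Files).

```python
"""Flag Office -> LOLBin process creations, rating regsvr32 cases by where the module lives.

Added example for this report; assumes Sysmon Event ID 1-style dicts. The sample events
are constructed from the process tree in the report plus one benign control.
"""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Directories where a legitimately installed COM server would normally be registered from
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Windows command lines: double-quoted token or run of non-whitespace (shlex is POSIX-only)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Tokenize a Windows command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def regsvr32_target(cmdline):
    """Return the module regsvr32 was asked to (un)register, or None.

    Switches such as /s, /u, /n, /i:<cmd> are skipped; the first non-switch argument
    after the executable is the module path.
    """
    for tok in split_cmdline(cmdline)[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def module_is_untrusted(path):
    """True for a relative path (..\\x.ocx) or an absolute path outside the trusted install dirs."""
    p = path.lower().replace("/", "\\")
    absolute = re.match(r"^[a-z]:\\", p) is not None or p.startswith("\\\\")
    if not absolute:
        return True
    return not p.startswith(TRUSTED_PREFIXES)


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return one hit per Office -> LOLBin creation.

    Severity is 'high' when regsvr32 loads a module from an untrusted location
    (the pattern in this report), 'medium' for any other Office -> LOLBin spawn.
    """
    hits = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent not in OFFICE_PARENTS or child not in LOLBINS:
            continue
        module = regsvr32_target(ev["CommandLine"]) if child == "regsvr32.exe" else None
        severity = "high" if (module and module_is_untrusted(module)) else "medium"
        hits.append({"pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"],
                     "child": child, "module": module, "severity": severity})
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"

# Constructed from the report's process tree (parent PID 3272, child PIDs as reported)
SAMPLE_EVENTS = [
    {"ParentImage": EXCEL, "ParentProcessId": 3272, "Image": REGSVR, "ProcessId": pid,
     "CommandLine": REGSVR + rf" /S ..\cusoa{n}.ocx"}
    for n, pid in ((1, 728), (2, 932), (3, 2008), (4, 3216))
] + [
    # Constructed benign control: an installer registering a COM server from Program Files
    {"ParentImage": r"C:\Windows\System32\msiexec.exe", "ParentProcessId": 1234,
     "Image": REGSVR, "ProcessId": 4444,
     "CommandLine": REGSVR + r' /s "C:\Program Files\ExampleVendor\example.ocx"'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run as-is it prints four high-severity hits (PIDs 728, 932, 2008, 3216) and nothing for the msiexec control. The module-location check is what keeps the rule from firing on every Office add-in installer; an Office parent with a regsvr32 child loading from System32 or Program Files still surfaces, but at medium severity.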

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    A jump-list entry written under the user's Recent folder when the workbook was opened, not a payload. None of the ..\cusoa1.ocx through ..\cusoa4.ocx modules passed to regsvr32 appear among the dropped files, and the Network section of this report is empty, so the download stage is not evidenced here beyond the extracted URLs.

    Filesize

    1KB

    MD5

    98801816ff19e095e3868e9f862530be

    SHA1

    94974ab368bf4e7ffd38be015c10846a8baa4320

    SHA256

    15108434f317680078eb2f3d29cd4af69c3e2499177377decb9dc0c05f3f870e

    SHA512

    172ee54913ecfaa4ff2d19840b53ddaf6d5768264fcd25971febe58a65ce86b07ada989804ddc00cffa77dad0ceacd37c5e90406aae539fdc84d06ad205046a7

  • memory/3272-N-<start>-<end>-memory.dmp (24 dumps, all from EXCEL.EXE PID 3272), grouped by region:

    0x00007FFC2B390000-0x00007FFC2B585000 (2.0MB): dumps 6, 7, 8, 9, 10, 11, 12, 15, 16, 17, 18, 19, 35, 40, 44
    0x00007FFC2B42D000-0x00007FFC2B42E000 (4KB): dumps 1, 39 (a single page inside the 2.0MB region above)
    0x00007FFBEB410000-0x00007FFBEB420000 (64KB): dumps 0, 2, 3, 4, 5
    0x00007FFBE8B70000-0x00007FFBE8B80000 (64KB): dumps 13, 14