Analysis
max time kernel: 133s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 17:39
Behavioral task: behavioral1
Sample: f2223b7534d284126d4d65020d68a461d8b6574be12695a9e767f566d67301ef.xlsm
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: f2223b7534d284126d4d65020d68a461d8b6574be12695a9e767f566d67301ef.xlsm
Resource: win10v2004-20241007-en
General
Target: f2223b7534d284126d4d65020d68a461d8b6574be12695a9e767f566d67301ef.xlsm
Size: 50KB
MD5: 611407dcaa57d04ec45453e06fbc4a51
SHA1: 645766461e57479ca19a1665b47d9755c6934907
SHA256: f2223b7534d284126d4d65020d68a461d8b6574be12695a9e767f566d67301ef
SHA512: 682968c4139b2e084b74674c3e52cac1120df6a95181bbe149ac0f43d8057e804c7eb5c86ae5d5694891cfca6803aa8bb5884bc6fbdaf4ac6bef0f6f2542753c
SSDEEP: 768:2x9D9onkH+lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA0Zl:2XD9oencDSmSIBlGeuSEcm2h0BZl
Malware Config
Extracted URLs:
- http://actividades.laforetlanguages.com/wp-admin/WQNAwrWi77MV8a05fia/
- http://consejosdeorlando.com/wp-includes/mMaIlj99Y1C1sYN/
- http://aopda.org/wp-content/uploads/KXc3Agu18w/
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target | Parent
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1388 | 3816 | regsvr32.exe | 82 |
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3816 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3816 | EXCEL.EXE
3816 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
3816 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3816 wrote to memory of 1388 | 3816 | EXCEL.EXE | 99 (3 identical entries)
Processes
EXCEL.EXE (PID 3816)
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f2223b7534d284126d4d65020d68a461d8b6574be12695a9e767f566d67301ef.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  regsvr32.exe (PID 1388, child of 3816)
    Image: C:\Windows\SysWow64\regsvr32.exe
    Command line: C:\Windows\SysWow64\regsvr32.exe -s ..\en.ocx
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
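The process tree is the actionable part of this report: the Office host (PID 3816) writes into and spawns regsvr32.exe (PID 1388) with the silent flag and a relative module path, `..\en.ocx`, which regsvr32 loads as a DLL whatever the extension; the child then opens the NLS\Language key. The CPU and BIOS reads are attributed to EXCEL.EXE itself, and Office performs the same reads on a clean start, so on their own they are weak evidence. The Python below is an added example, not part of the sandbox report or its signature engine: it scores Sysmon-style ProcessCreate (Event ID 1) and RegistryEvent (Event ID 13) records for exactly those behaviours. The EVENTS list is constructed by hand from the tree above (the explorer.exe parent with PID 700 and the benign cmd.exe/regsvr32 control record are assumed), not an exported log.

```python
"""Score Sysmon-style events for an Office host spawning regsvr32.exe and for
the registry discovery reads listed in this report.

Added example, not the sandbox's own code. Field names follow Sysmon Event ID 1
(ProcessCreate) and Event ID 13 (RegistryEvent); EVENTS is constructed from
the report's process tree and IoCs, not exported from a real log.
"""
import ntpath
import re
from collections import defaultdict

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}

# Registry paths the report lists under its discovery signatures.
DISCOVERY_KEYS = [
    (re.compile(r"\\Control\\NLS\\Language(\\|$)", re.I), "system_language_discovery"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(CentralProcessor|BIOS)(\\|$)", re.I),
     "hardware_fingerprint"),
]

EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f2223b7534d284126d4d65020d68a461d8b6574be12695a9e767f566d67301ef.xlsm"
EVENTS = [  # constructed from the report; explorer.exe PID 700 is assumed
    {"EventID": 1, "ProcessId": 3816, "Image": EXCEL, "CommandLine": f'"{EXCEL}" "{SAMPLE}"',
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1388, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"C:\Windows\SysWow64\regsvr32.exe -s ..\en.ocx",
     "ParentProcessId": 3816, "ParentImage": EXCEL},
    {"EventID": 13, "ProcessId": 1388, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"EventID": 13, "ProcessId": 3816, "Image": EXCEL,
     "TargetObject": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    # Assumed benign control: an administrator registering a vendor COM DLL from cmd.exe.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe "C:\Program Files\Vendor\vendor.dll"',
     "ParentProcessId": 4000, "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def _argv(cmdline):
    """Windows-style split: quoted tokens stay whole, the quotes are dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_process_create(ev):
    findings = []
    parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
    if parent in OFFICE_HOSTS and child in LOLBINS:
        findings.append(f"office_spawned_lolbin:{parent}->{child}")
    if child == "regsvr32.exe":
        args = _argv(ev["CommandLine"])[1:]
        flags = {a[1:].lower() for a in args if a[:1] in ("/", "-")}
        modules = [a for a in args if a[:1] not in ("/", "-")]
        if "s" in flags:  # regsvr32 accepts /s and -s, case-insensitively
            findings.append("regsvr32_silent")
        for mod in modules:
            if not ntpath.isabs(mod):  # "..\en.ocx" resolves relative to the parent's cwd
                findings.append(f"regsvr32_relative_module:{mod}")
            if ntpath.splitext(mod)[1].lower() != ".dll":
                # ActiveX controls legitimately use .ocx, so this is context, not a verdict.
                findings.append(f"regsvr32_non_dll_extension:{mod}")
    return findings


def check_registry(ev):
    findings = []
    image = _name(ev["Image"])
    for pattern, label in DISCOVERY_KEYS:
        if pattern.search(ev["TargetObject"]):
            # Office reads CPU/BIOS keys on a normal start, so the same read by the
            # Office host is weak; the same read from a LOLBin or script host is strong.
            weight = "weak" if image in OFFICE_HOSTS else "strong"
            findings.append(f"{label}:{weight}")
    return findings


def triage(events):
    """Map each PID to the findings raised by its own events."""
    findings = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            findings[ev["ProcessId"]].extend(check_process_create(ev))
        elif ev["EventID"] == 13:
            findings[ev["ProcessId"]].extend(check_registry(ev))
    return dict(findings)


ESCALATE = ("office_spawned_lolbin", "regsvr32_relative_module")


def suspicious_pids(events):
    """PIDs worth escalating: Office->LOLBin, relative regsvr32 module, or a strong discovery read."""
    return sorted(pid for pid, fs in triage(events).items()
                  if any(f.startswith(ESCALATE) or f.endswith(":strong") for f in fs))


if __name__ == "__main__":
    for pid, fs in triage(EVENTS).items():
        print(pid, fs)
    print("escalate:", suspicious_pids(EVENTS))
```

Only PID 1388 is escalated: the Office parent, the relative module path and the language-key read from a LOLBin are what separate it from the control record, where an administrator registers a COM server by absolute path and scores nothing. The `.ocx` extension and the `-s` flag are recorded as context because both are common in legitimate registrations.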
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 3KB
MD5: c8b935ce7a592e2873df31f954e6ff17
SHA1: 5e4b4fd182c29ce349a91a0ac382797cf98bdc88
SHA256: 9b7448cb0463aa8d4674a267b2715958b53e2e20eae68db647d34b3279a5c37d
SHA512: ccdd7edc39d7ee0568523c6a134c9a51a6a2850e9cd1b1971086e0151b7bc35c8749794b89d30d6e4dd205fe36ce8fc020e89c9786a612582ef862c55485e969
The .customDestinations-ms file is a Windows jump-list (Recent Items) entry written when the document was opened, a by-product of the run rather than a payload fetched from the extracted URLs.

Filesize: 4KB
MD5: 12f2ac216230aef3a4a1d9b80257c7ca
SHA1: 1565baf8307c41d1b48490178077e1456a4ddeae
SHA256: 58a4d71f88f892b11a2969983a37f184e1cb725dc048338d1638ca8c8af60369
SHA512: 6d8d4b32f3fde72b7836573b246cf42b5a3c5811c12f95fa58a5fd9e45b74cb5750956d9c1d7685a209211dc4dd78381b5a6402e0ef91746f2e8d11f80d040e4