Analysis
- max time kernel: 133s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2024 17:24
Behavioral task behavioral1
- Sample: eabdc8ccfd75d25f72f0dca2501c15eaafdfc621b4b9f1a1a55c400195d2f4c1.xls
- Resource: win7-20241023-en
Behavioral task behavioral2
- Sample: eabdc8ccfd75d25f72f0dca2501c15eaafdfc621b4b9f1a1a55c400195d2f4c1.xls
- Resource: win10v2004-20241007-en
General
- Target: eabdc8ccfd75d25f72f0dca2501c15eaafdfc621b4b9f1a1a55c400195d2f4c1.xls
- Size: 77KB
- MD5: b8ac0581f11b586395c45799e1d79a69
- SHA1: 589f0c91408f5f93d521d71dafbbb8d615942255
- SHA256: eabdc8ccfd75d25f72f0dca2501c15eaafdfc621b4b9f1a1a55c400195d2f4c1
- SHA512: a3d4b042604de02d268c1c05ed2dc12014a6a83eacfb9e3c352c6a6afcdea40944ee5123b02bad32cb67535c262f5ca826d87c7144a9e62b786dd074db161b25
- SSDEEP: 1536:ASKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgew+hD8nTLqQrRrZws8Eau:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg5
Malware Config
Extracted URLs:
- http://natdemo.natrixsoftware.com/wp-admin/QyqiN/
- http://luisangeja.com/COPYRIGHT/BJljffG6/
- http://nerz.net/stats/KVIyooM/
Signatures

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In the table, pid is the spawned child and pid_target is the Excel parent (PID 412 in the process tree below).
  pid   pid_target  Process       procid_target  description
  1440  412         regsvr32.exe  82             Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  1392  412         regsvr32.exe  82             Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  3568  412         regsvr32.exe  82             Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads are attributed to EXCEL.EXE, the host process, so they cannot be separated from Excel's own startup activity; treat them as weak signals on their own.
  description        ioc                                                                                     Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                             Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 412 EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 412 EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (14 IoCs)
  PID 412 EXCEL.EXE (14 occurrences)

The three GUI API signatures above are ordinary window-management calls made by the Excel host window and appear in most Office runs; they add little on their own.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process    procid_target
  PID 412 wrote to memory of 1440  412  EXCEL.EXE  87             (2 occurrences)
  PID 412 wrote to memory of 1392  412  EXCEL.EXE  88             (2 occurrences)
  PID 412 wrote to memory of 3568  412  EXCEL.EXE  89             (2 occurrences)
A parent writing into a child it has just created is part of ordinary process creation; the signal here is the parent/child pairing (Excel to regsvr32.exe), not the write itself.
Processes
(depth 1) "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\eabdc8ccfd75d25f72f0dca2501c15eaafdfc621b4b9f1a1a55c400195d2f4c1.xls"
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  PID: 412
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) regsvr32 C:\Uduw\soam1.OCX
    Image: C:\Windows\SYSTEM32\regsvr32.exe
    PID: 1440
    - Process spawned unexpected child process
  (depth 2) regsvr32 C:\Uduw\soam2.OCX
    Image: C:\Windows\SYSTEM32\regsvr32.exe
    PID: 1392
    - Process spawned unexpected child process
  (depth 2) regsvr32 C:\Uduw\soam3.OCX
    Image: C:\Windows\SYSTEM32\regsvr32.exe
    PID: 3568
    - Process spawned unexpected child process

Given a bare module path, regsvr32 loads the module and calls its DllRegisterServer export, so whatever code the three .OCX files in C:\Uduw\ carry runs inside a signed Windows binary. The .OCX files themselves are not among the captured files listed under Downloads below.
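The unexpected-child signature above, together with the path check a practitioner would add given the C:\Uduw\ module locations, can be reproduced as detection rules over process-creation telemetry. What follows is an added example written for this page, not code from the report or from the sandbox's own signature logic. The event records are constructed to mirror the process tree above (EXCEL.EXE PID 412 spawning regsvr32.exe PIDs 1440, 1392 and 3568); the two benign records, the "Vendor App" DLL path and the splwow64.exe child are hypothetical and exist only to show the rules staying quiet on ordinary activity.

```python
"""Replay the report's parent/child relationships against two detection rules:
an Office process spawning a LOLBin, and regsvr32.exe registering a module from
outside the Windows / Program Files roots. Added example; all event records are
constructed, and the benign vendor/splwow64 records are hypothetical."""

# Office hosts that should not normally spawn script engines or LOLBins.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children commonly abused after a macro or exploit runs; regsvr32.exe is what this sample used.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Roots under which legitimately registered COM/ActiveX modules normally live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
REGSVR32 = r"C:\Windows\SYSTEM32\regsvr32.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eabdc8ccfd75d25f72f0dca2501c15eaafdfc621b4b9f1a1a55c400195d2f4c1.xls"


def _event(pid, ppid, image, parent_image, cmdline):
    """Build a Sysmon Event ID 1 style process-creation record (constructed data)."""
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline}


EVENTS = [
    # The report's tree: explorer -> EXCEL.EXE (412) -> three regsvr32.exe children.
    _event(412, 3000, EXCEL, r"C:\Windows\explorer.exe", f'"{EXCEL}" "{SAMPLE}"'),
    _event(1440, 412, REGSVR32, EXCEL, r"regsvr32 C:\Uduw\soam1.OCX"),
    _event(1392, 412, REGSVR32, EXCEL, r"regsvr32 C:\Uduw\soam2.OCX"),
    _event(3568, 412, REGSVR32, EXCEL, r"regsvr32 C:\Uduw\soam3.OCX"),
    # Hypothetical benign activity: an installer silently registering its own
    # component from Program Files ...
    _event(5100, 5090, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
           r'regsvr32 /s "C:\Program Files\Vendor App\vendor.dll"'),
    # ... and Excel starting the print driver host, a common legitimate Office child.
    _event(5200, 412, r"C:\Windows\splwow64.exe", EXCEL, r"C:\Windows\splwow64.exe 12288"),
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes.
    Backslashes are literal on Windows, so shlex's POSIX escaping is avoided."""
    tokens, current, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def regsvr32_module(cmdline):
    """Return the module path regsvr32 was asked to register, or None.
    Its switches (/s, /u, /n, /i[:cmdline]) all start with '/', so the first
    other argument after the program name is the module."""
    for arg in split_cmdline(cmdline)[1:]:
        if not arg.startswith("/"):
            return arg
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def evaluate(event):
    """Return the findings for one process-creation event (empty list if clean)."""
    findings = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append(f"{parent} spawned {child}: unexpected child of an Office process")
    if child == "regsvr32.exe":
        module = regsvr32_module(event["CommandLine"])
        if module and not is_trusted_path(module):
            findings.append(f"regsvr32 registering a module from an untrusted path: {module}")
    return findings


def scan(events):
    """Map each flagged ProcessId to its findings; clean processes are omitted."""
    results = {}
    for event in events:
        findings = evaluate(event)
        if findings:
            results[event["ProcessId"]] = findings
    return results


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        for finding in findings:
            print(f"PID {pid}: {finding}")
```

Run against the constructed records, only PIDs 1440, 1392 and 3568 are reported, each with both findings. Two caveats for a production version: C:\Windows\Temp and C:\Windows\Tasks are writable by standard users, so "everything under C:\Windows\" is too generous a trust root; and the path rule says nothing about regsvr32's /i:<scriptlet URL> scrobj.dll pattern, which registers no on-disk module at all and needs its own rule.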
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: 26811006694b6841c199841b1faf89b5
  SHA1: d8313412a099bbdf4b70404a999b740f78fdae52
  SHA256: af717c2014b9cbac2e31d7595c1604bb6f6a59291e8aa99896654dc85b83eb48
  SHA512: ae428282567a09a4d646d2b60c287d01779df1dde7832c8372be6e5d04497ab5dd0e2f4f4d30288bb86a0a8e5b322f3247921b46af9e207452d8acb8b40e8d3f
  This is a Windows jump list (recent-items) file written by Excel when it opened the document; it is an artifact of the run, not a dropped payload.