Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2024 17:25

General

  • Target

    617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm

  • Size

    46KB

  • MD5

    343ab295238ad90d6f5912d5890f4826

  • SHA1

    741fd664ab3210bb8d40c9a50edce395d02a0776

  • SHA256

    617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc

  • SHA512

    21eee9487b0796e89de25c463841ac6536baa5068a3ab91c76d9501bd37d38d419d213d5a4e122d43a7ce3c1ae574d2236a8733f6a9d6469aeba675a70820460

  • SSDEEP

    768:6o9DOevZCwrvtOzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VPPDks:6o9D+tT5fTR4Lh1NisFYBc3cr+UqVnDZ

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://dan-bau.com/wp-includes/css/dist/h2plh7xZso/

xlm40.dropper

https://advisereviews.com/wp-content/2NyZZiJ6KEzPPrbx/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\aew.ocx

    Filesize

    199KB

    MD5

    d8c58d85f9ec5b722d64ca42f5d7343e

    SHA1

    923637a47557c566f431f8e3266613384b869f0d

    SHA256

    dbb8f099f17b1c976b7f3a73b7ff943400cea381236a797537152c5eacc88784

    SHA512

    c91452d8f0ab4bb11283dd0d43c7d2b9ae74ae30711286c71891461c0a0effa51896ff1f26499ec5f9da0d627d114af0de7b95dcca3676721f793b44d8226b0d

  • memory/2064-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2064-1-0x000000007209D000-0x00000000720A8000-memory.dmp

    Filesize

    44KB

  • memory/2064-17-0x000000007209D000-0x00000000720A8000-memory.dmp

    Filesize

    44KB