Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 17:25
Behavioral task: behavioral1
Sample: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
Resource: win10v2004-20241007-en
General
Target: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
Size: 46KB
MD5: 343ab295238ad90d6f5912d5890f4826
SHA1: 741fd664ab3210bb8d40c9a50edce395d02a0776
SHA256: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc
SHA512: 21eee9487b0796e89de25c463841ac6536baa5068a3ab91c76d9501bd37d38d419d213d5a4e122d43a7ce3c1ae574d2236a8733f6a9d6469aeba675a70820460
SSDEEP: 768:6o9DOevZCwrvtOzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VPPDks:6o9D+tT5fTR4Lh1NisFYBc3cr+UqVnDZ
Malware Config
Extracted URLs:
http://dan-bau.com/wp-includes/css/dist/h2plh7xZso/
https://advisereviews.com/wp-content/2NyZZiJ6KEzPPrbx/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  pid: 2820
  pid_target: 2064
  Process: regsvr32.exe
  procid_target: 29

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: EXCEL.EXE
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: regsvr32.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor; Process: EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 2064; Process: EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid: 2064; Process: EXCEL.EXE (3 occurrences)

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2064 wrote to memory of 2820; pid: 2064; Process: EXCEL.EXE; procid_target: 32 (7 occurrences)
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
   PID: 2064
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWow64\regsvr32.exe (child of PID 2064)
      Command line: C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx
      PID: 2820
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 199KB
MD5: d8c58d85f9ec5b722d64ca42f5d7343e
SHA1: 923637a47557c566f431f8e3266613384b869f0d
SHA256: dbb8f099f17b1c976b7f3a73b7ff943400cea381236a797537152c5eacc88784
SHA512: c91452d8f0ab4bb11283dd0d43c7d2b9ae74ae30711286c71891461c0a0effa51896ff1f26499ec5f9da0d627d114af0de7b95dcca3676721f793b44d8226b0d