Analysis
  max time kernel: 133s
  max time network: 139s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11-11-2024 17:25

Behavioral task: behavioral1
  Sample: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
  Resource: win10v2004-20241007-en

General
  Target: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm
  Size: 46KB
  MD5: 343ab295238ad90d6f5912d5890f4826
  SHA1: 741fd664ab3210bb8d40c9a50edce395d02a0776
  SHA256: 617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc
  SHA512: 21eee9487b0796e89de25c463841ac6536baa5068a3ab91c76d9501bd37d38d419d213d5a4e122d43a7ce3c1ae574d2236a8733f6a9d6469aeba675a70820460
  SSDEEP: 768:6o9DOevZCwrvtOzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VPPDks:6o9D+tT5fTR4Lh1NisFYBc3cr+UqVnDZ
Malware Config
Extracted
http://dan-bau.com/wp-includes/css/dist/h2plh7xZso/
https://advisereviews.com/wp-content/2NyZZiJ6KEzPPrbx/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 752   pid_target: 4860   Process: regsvr32.exe   procid_target: 82

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description        ioc                                                        Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                 Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 4860   Process: EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid: 4860   Process: EXCEL.EXE   (2 entries)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid: 4860   Process: EXCEL.EXE   (12 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4860 wrote to memory of 752   pid: 4860   Process: EXCEL.EXE   procid_target: 91   (3 entries)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm"
   PID: 4860
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Windows\SysWow64\regsvr32.exe
      Command line: C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx
      PID: 752
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery
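The process tree and registry signatures above are the kind of telemetry a detection engineer would turn into a rule. The following is an added example, not part of this sandbox report or of any product: it replays constructed process-creation and registry-access events modelled on the rows above (the PIDs, images and command lines of EXCEL.EXE and regsvr32.exe are taken from the report; explorer.exe as Excel's parent and the msiexec-launched regsvr32 control row are assumptions) and flags an Office parent spawning a living-off-the-land binary, and regsvr32 being handed a relative-path, non-.dll module with /s, exactly the shape of `regsvr32.exe /s ..\aew.ocx` here.

```python
"""Detection logic for the behaviour recorded in the report above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Registry paths the report shows EXCEL.EXE reading; the two signatures above
# describe them as reads commonly used to fingerprint sandboxes.
SANDBOX_PROBE_KEYS = (
    r"\hardware\description\system\centralprocessor",
    r"\hardware\description\system\bios",
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_args(cmdline: str) -> tuple[bool, Optional[str]]:
    """Return (silent, module) for a regsvr32 command line.

    The module is the first argument that is not a switch; /s suppresses the
    registration dialogs. Only whole-token quoting is handled, which covers
    the command lines in this report.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)][1:]
    silent, module = False, None
    for tok in tokens:
        if tok[:1] in ("/", "-"):
            silent = silent or tok[1:].lower() == "s"
        elif module is None:
            module = tok
    return silent, module


def is_absolute_windows_path(path: str) -> bool:
    return re.match(r"^(?:[A-Za-z]:\\|\\\\)", path) is not None


def score_process(ev: ProcEvent) -> list[str]:
    """Reasons this process-creation event deserves attention (empty if none)."""
    reasons: list[str] = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_IMAGES and child in LOLBIN_CHILDREN:
        reasons.append(f"office-parent:{parent}->{child}")
    if child == "regsvr32.exe":
        silent, module = regsvr32_args(ev.cmdline)
        if module is not None and not is_absolute_windows_path(module):
            reasons.append("regsvr32-relative-module")
        if module is not None and not module.lower().endswith(".dll"):
            reasons.append("regsvr32-non-dll-module")
        # /s on its own is normal for installers, so it only qualifies another hit.
        if silent and reasons:
            reasons.append("regsvr32-silent")
    return reasons


def detect(events: Iterable[ProcEvent]) -> dict[int, list[str]]:
    return {ev.pid: r for ev in events if (r := score_process(ev))}


def registry_probes(reg_events: Iterable[tuple[int, str]]) -> dict[int, set[str]]:
    """Map pid -> sandbox-fingerprint key prefixes that process touched."""
    hits: dict[int, set[str]] = {}
    for pid, key in reg_events:
        for probe in SANDBOX_PROBE_KEYS:
            if probe in key.lower():
                hits.setdefault(pid, set()).add(probe)
    return hits


# Constructed events. The two EXCEL.EXE/regsvr32.exe rows mirror the report;
# explorer.exe (pid 1000) as Excel's parent and the msiexec-launched regsvr32
# control row (pids 5000/5100) are assumptions, added so a benign regsvr32
# is shown not firing.
OFFICE = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\617b83ab9876b8efcc91cc8dcd87dff1a1e98fbe175f845426e7d18e6ef1eabc.xlsm"
SAMPLE_PROCESSES = [
    ProcEvent(4860, OFFICE, f'"{OFFICE}" "{SAMPLE}"', 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(752, r"C:\Windows\SysWow64\regsvr32.exe",
              r"C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx", 4860, OFFICE),
    ProcEvent(5100, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\vbscript.dll",
              5000, r"C:\Windows\System32\msiexec.exe"),
]
SAMPLE_REGISTRY = [  # (pid, key) rows taken from the Signatures section
    (4860, r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    (4860, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    (752, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_PROCESSES).items():
        print(pid, reasons)
    print(registry_probes(SAMPLE_REGISTRY))
```

Run against the constructed events, only pid 752 is reported, with all four reasons; the msiexec-launched regsvr32 registering an absolute-path .dll is silent. The registry probes are attributed to EXCEL.EXE (pid 4860), not to the spawned regsvr32.exe, so in a real rule they are best used as corroboration for the process-tree hit rather than as a standalone alert.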
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: 484b822a8a6c28bfdc6cfd29b722fc17
  SHA1: f8619ef11297688083ed6c75306970671f5493ed
  SHA256: 7d10497b0edfe0d0c9775a49e58b07a86e2e427e24117ed05461ab9a8e0853ce
  SHA512: 02d57bbb285c48bf3c16db728b27f5b9ab974f3a1a66704b111e8f470b8c65308b8a108fe63df2e629e682dc00e78578cc14af1a1d93d31cbea24b4f77d5fa9b

(second file; no path given in the report)
  Filesize: 199KB
  MD5: d8c58d85f9ec5b722d64ca42f5d7343e
  SHA1: 923637a47557c566f431f8e3266613384b869f0d
  SHA256: dbb8f099f17b1c976b7f3a73b7ff943400cea381236a797537152c5eacc88784
  SHA512: c91452d8f0ab4bb11283dd0d43c7d2b9ae74ae30711286c71891461c0a0effa51896ff1f26499ec5f9da0d627d114af0de7b95dcca3676721f793b44d8226b0d