Analysis
- max time kernel: 133s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2024 17:51
Behavioral task: behavioral1
- Sample: 1922fad1c4728b9a914955c6a554e2a5321f48cc6f7c431a914488105ea2e357.xls
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1922fad1c4728b9a914955c6a554e2a5321f48cc6f7c431a914488105ea2e357.xls
- Resource: win10v2004-20241007-en
General
- Target: 1922fad1c4728b9a914955c6a554e2a5321f48cc6f7c431a914488105ea2e357.xls
- Size: 55KB
- MD5: fdd47f400dd3db180febdc7da6df08c9
- SHA1: e8929cd44ac98687fa31939d2eb8c50c8502756c
- SHA256: 1922fad1c4728b9a914955c6a554e2a5321f48cc6f7c431a914488105ea2e357
- SHA512: bbd24dd7c73029502456b95132a813880af131b312010a29b1bf1f69f5b7e2567959db9ed6d9c57874de0557aa500aab8fc2814bd32f56e39fc0ef27d296eb07
- SSDEEP: 1536:ojKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgY5G9XSZAehUXepUNUDpt:+Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgI
Malware Config
Extracted URLs:
- https://www.clintmorey.com/wp-content/QSzbH8Ikl8E/
- https://ciberfallas.com/wp-admin/4sU1dATy/
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3532 | 4740 | regsvr32.exe | 82
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4740 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4740 | EXCEL.EXE (reported 2 times)
-
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
4740 | EXCEL.EXE (reported 12 times)
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4740 wrote to memory of 3532 | 4740 | EXCEL.EXE | 91 (reported 3 times)
Processes
-
Process 1
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1922fad1c4728b9a914955c6a554e2a5321f48cc6f7c431a914488105ea2e357.xls"
PID: 4740
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Process 2 (child of process 1)
Path: C:\Windows\SysWow64\regsvr32.exe
Command line: C:\Windows\SysWow64\regsvr32.exe -s ..\csei.dll
PID: 3532
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: dbb7472adfe7ba1cfcd5eda20bbd8226
SHA1: 337272431d5a87e0d86d05b97e29ee473b3b307f
SHA256: 0cc82d2fa72433ef85155be87d4256af1bef0d37a6bcb395d824f3998abc4707
SHA512: 424d1633524d58f8bbe866ebfe3296ce97e1cecc315386ca1ebd13f79c495865fa20e140dd8ebcd617928dc281c7675df2d01b2ef8a601d5a4377fbb07d7e7da
-
Path: (not listed in the report)
Filesize: 2KB
MD5: 8243a2376f1992b552967bd53634137a
SHA1: 22710e1072693cb53f636cbfa42080cd328b4c6e
SHA256: 35d8022e3685540c13d09b6a39cd34d105570a106aee8ad10e67a4d1ffe62571
SHA512: e0c41b141d6623f9f2713f6692b807e2a29ff347cf78efac8c5ee4c250747ed7e1af29363485b53713fbeb1315c37d34a5ac0d7bdcab79a952d5fc48cf267e5b