Overview

overview

10

Static

static

10

8fc638fb4e...1.xlsm

windows7-x64

10

8fc638fb4e...1.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/11/2024, 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fc638fb4ed752cddfef675fe0bfe4d4f8cab13d3c78ef905f4cea1beb49c8e1.xlsm

  • Size

    46KB

  • MD5

    ba0a7ea3d915f993337be075371e4cb5

  • SHA1

    0729ded134149a402fa558ced8579f866d461623

  • SHA256

    8fc638fb4ed752cddfef675fe0bfe4d4f8cab13d3c78ef905f4cea1beb49c8e1

  • SHA512

    cabc32d261ffb5769fc3eca73a076ee0bfdba8da509cd99ca60f287f8ba5662c1ff5a248d2dc57478e7a13dd5fe994f948e741c45ebd292d2199922178489b91

  • SSDEEP

    768:rf4oTBvDOevZCwrvtjizdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2Vy0:D4olvDetT5fTR4Lh1NisFYBc3cr+UqV3

Score
10/10
discovery

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://patriciamirapsicologa.com/wp-includes/UfQQtX1LEVwNJPCx/
xlm40.dropper

https://gavalisamajsevasangh.com/abcd-trey/q4hH2T12X/
xlm40.dropper

https://yatrataxi.com/folwu/LC5yH9Ai0l/
xlm40.dropper

https://thelastpeopleonearth-dayz.com/wp-content/V2mmGey/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8fc638fb4ed752cddfef675fe0bfe4d4f8cab13d3c78ef905f4cea1beb49c8e1.xlsm
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\enu.ocx
    Filesize

    169KB

    MD5

    9ecee62e1e35ad0d7325facda1537b51

    SHA1

    4b07606a9bc65ce52115eaf30c36aff674175fd7

    SHA256

    61eced72c88fc4291f4b54e49490a653db331b65956663e61c1e009356d4576d

    SHA512

    4c94c9634ff0a83fe637cf26d4f5fc02421d188402d9027355d91ccb660234b6d7103573998249b6a2c82c3920db77da620bab59ccaa2d75bd4427e75e19c1a0

    Download Submit

  • memory/2616-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2616-1-0x00000000723FD000-0x0000000072408000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2616-21-0x00000000723FD000-0x0000000072408000-memory.dmp

    Filesize

    44KB

    Download