Overview

overview

10

Static

static

8

7563569b2c...c0.xls

windows7-x64

10

7563569b2c...c0.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7563569b2c5bfe5126ef2970e72e0f70f1c6afbff771c399f1d66ce22cdd6dc0.xls

  • Size

    67KB

  • MD5

    741131c307b34deb0610f69f7f478500

  • SHA1

    0ef4db6a3b266064dbae5e90bcb7ba764d69afc7

  • SHA256

    7563569b2c5bfe5126ef2970e72e0f70f1c6afbff771c399f1d66ce22cdd6dc0

  • SHA512

    13dfa544dc9410ac8d1c742af3563b08440a7b21ac88f209e258bd641b7c6e4ab7c7b9d4bda7332330cde6b9bf39506dad0868cc6fe69fa53b7794d6c0f8cee8

  • SSDEEP

    1536:nVKpb8rGYrMPe3q7Q0XV5xtezE8vG8UM+u9s1a6YG2jzQ0viPvDNHhGtw:VKpb8rGYrMPe3q7Q0XV5xtezE8vG8UMY

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.melisetotoaksesuar.com/catalog/controller/account/dqfKI/
xlm40.dropper

http://elamurray.com/athletics-carnival-2018/3UTZYr9D9f/
xlm40.dropper

http://masyuk.com/581voyze/MlX/
xlm40.dropper

http://jr-software-web.net/aaabackupsqldb/11hYk3bHJ/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7563569b2c5bfe5126ef2970e72e0f70f1c6afbff771c399f1d66ce22cdd6dc0.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
      2⤵
      • Process spawned unexpected child process
      PID:3668
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4488
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
      2⤵
      • Process spawned unexpected child process
      PID:1816
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
      2⤵
      • Process spawned unexpected child process
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\uxevr1.ocx
    Filesize

    612KB

    MD5

    8745f4ff0d12a66421211ba9667c2302

    SHA1

    204f9d0c63277375491adf6703dcf8341e563ed7

    SHA256

    8d18a0bcb7963d571b6ce72a22dea53bf107aa6f5de3b5ea3eb176eac49f721b

    SHA512

    1bda92e6e477dfa57a00e8b8784c5bd2b1de44df5b4c04ff7ec6e751c8853b16e64ba02e616c545fc85e482e5ec378b0c8dd0d5d14ad2e84101f56958a71f13e

    Download Submit

  • memory/1360-14-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-7-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-5-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-3-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-0-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-8-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-1-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-6-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-9-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-12-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-4-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-13-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-17-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-16-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-19-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-18-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-15-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-11-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-10-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-2-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1360-40-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-41-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-42-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1360-43-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

    Filesize

    2.0MB

    Download