883f8a61824451a55c375d7ba9834aa3f9abe089aa6c16b45d42aed60c9ae6c5

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

883f8a61824451a55c375d7ba9834aa3f9abe089aa6c16b45d42aed60c9ae6c5.xls
Size

590KB
MD5

8c954e54c8fc867351868f9625b26985
SHA1

67c4309906205c9eaad5223294c8e3d9534b3a6d
SHA256

883f8a61824451a55c375d7ba9834aa3f9abe089aa6c16b45d42aed60c9ae6c5
SHA512

b53431eb04ed7477dc70292abc3471d4b4ff75397c22c6d2dd058a0840ef889ea5cbb06fe102ee099d20c0caf3e79e33b5e17c99d465cc696503318fa9a45016
SSDEEP

6144:+k3hOdsylKlgxopeiBNhZF+E+06g9AI9IRCA5IMZ/776bAXlsfajX5foeNtqEZDM:FWCA5R/75lsfar5AeNtpZD

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1256 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1256 EXCEL.EXE
1256 EXCEL.EXE
1256 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1256	EXCEL.EXE

pid	process
1256	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1256 wrote to memory of 2380	1256	EXCEL.EXE	splwow64.exe
PID 1256 wrote to memory of 2380	1256	EXCEL.EXE	splwow64.exe
PID 1256 wrote to memory of 2380	1256	EXCEL.EXE	splwow64.exe
PID 1256 wrote to memory of 2380	1256	EXCEL.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\883f8a61824451a55c375d7ba9834aa3f9abe089aa6c16b45d42aed60c9ae6c5.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1256-1-0x000000007220D000-0x0000000072218000-memory.dmp

Filesize
44KB

Download
memory/1256-2-0x000000007220D000-0x0000000072218000-memory.dmp

Filesize
44KB

Download