Analysis
max time kernel: 133s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 20-11-2024 21:37
Behavioral task: behavioral1
Sample: 711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2.xlsm
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2.xlsm
Resource: win10v2004-20241007-en
General
Target: 711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2.xlsm
Size: 40KB
MD5: 312c22259bf06870d8f007531b26e4a9
SHA1: ac1aad176222a3aa9e7d12202017b7645284c1f6
SHA256: 711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2
SHA512: 0e52e9b090b3bdbdadcb60770b10df17bcfa14a92e39a1e05ffb303a89b1b22e929346d49e82d3f7438450f06c7a2dccbd030307b46bed71ad77705c8957af1c
SSDEEP: 768:a/omdH+DOevZCwttqyKfcrND59V+L9Rw4eWrXcTqZ0VP2HLp:2omdH+DoylND59V4jwmXc2CVCF
Malware Config
Extracted
http://vipteck.com/wp-content/M/
https://shofarshoshanna.com/t0ssm/roE/
https://santacruzam.com/wp-admin/FeDgNEP/
https://thearkrealmproject.com/wp-admin/wxB4Wp3KyEMCsZva/
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1784 | 5104 | regsvr32.exe | 82
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
5104 | EXCEL.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
5104 | EXCEL.EXE
5104 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
5104 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 5104 wrote to memory of 1784 | 5104 | EXCEL.EXE | 87
PID 5104 wrote to memory of 1784 | 5104 | EXCEL.EXE | 87
PID 5104 wrote to memory of 1784 | 5104 | EXCEL.EXE | 87
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2.xlsm"
  PID: 5104
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWow64\regsvr32.exe (child of PID 5104)
    Command line: C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx
    PID: 1784
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 4KB
MD5: 35b8804d9a0f1bb400fb0ca29e76704a
SHA1: 1b59926209c3caeea21cbb3ede85afd4dd9f11e4
SHA256: 22f5ac46d5d98b34a8904cf412b09a540f25ec64752ee6a50cd5731ff3ddbe6f
SHA512: fac9cd8d76db5c7c506c7187f8bdf7ceac5fb96d0463be52a2a34205e7dcce607957801094a4b4764a9dd902dd0f378aa3fa841aa699cf2af326402ba7c9719d

Filesize: 112KB
MD5: a791e6f4467e01881d73d419197cbe39
SHA1: bba2dbc4c26f5e698c3c118600719c190fbeebf2
SHA256: 1a6babce9a2061f42692c4d4fdc5c04d05fa0ec717cd0a7be55f76342b0a2698
SHA512: d4159c2a6609c58c3cb214cf4ec6729461a82a9cb27eea3ba471d5903481f9622a628b626bece37c24a1e9d59d1c8119f600de6df6f64e373a2864954d12198b