711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2

General

Target

711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2.xlsm
Size

40KB
MD5

312c22259bf06870d8f007531b26e4a9
SHA1

ac1aad176222a3aa9e7d12202017b7645284c1f6
SHA256

711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2
SHA512

0e52e9b090b3bdbdadcb60770b10df17bcfa14a92e39a1e05ffb303a89b1b22e929346d49e82d3f7438450f06c7a2dccbd030307b46bed71ad77705c8957af1c
SSDEEP

768:a/omdH+DOevZCwttqyKfcrND59V+L9Rw4eWrXcTqZ0VP2HLp:2omdH+DoylND59V4jwmXc2CVCF

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://vipteck.com/wp-content/M/

xlm40.dropper

https://shofarshoshanna.com/t0ssm/roE/

xlm40.dropper

https://santacruzam.com/wp-admin/FeDgNEP/

xlm40.dropper

https://thearkrealmproject.com/wp-admin/wxB4Wp3KyEMCsZva/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1784	5104	regsvr32.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5104	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5104	EXCEL.EXE
5104	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1784	5104	EXCEL.EXE	87
PID 5104 wrote to memory of 1784	5104	EXCEL.EXE	87
PID 5104 wrote to memory of 1784	5104	EXCEL.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\711f2c713ba3ac967f4beb145b5101963aaf300bb79e2e60052072828e865df2.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
4KB

MD5
35b8804d9a0f1bb400fb0ca29e76704a

SHA1
1b59926209c3caeea21cbb3ede85afd4dd9f11e4

SHA256
22f5ac46d5d98b34a8904cf412b09a540f25ec64752ee6a50cd5731ff3ddbe6f

SHA512
fac9cd8d76db5c7c506c7187f8bdf7ceac5fb96d0463be52a2a34205e7dcce607957801094a4b4764a9dd902dd0f378aa3fa841aa699cf2af326402ba7c9719d

Download Submit
C:\Users\Admin\aew.ocx

Filesize
112KB

MD5
a791e6f4467e01881d73d419197cbe39

SHA1
bba2dbc4c26f5e698c3c118600719c190fbeebf2

SHA256
1a6babce9a2061f42692c4d4fdc5c04d05fa0ec717cd0a7be55f76342b0a2698

SHA512
d4159c2a6609c58c3cb214cf4ec6729461a82a9cb27eea3ba471d5903481f9622a628b626bece37c24a1e9d59d1c8119f600de6df6f64e373a2864954d12198b

Download Submit
memory/5104-6-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-3-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5104-2-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5104-1-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp

Filesize
4KB

Download
memory/5104-9-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-10-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-8-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-11-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-12-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

Filesize
64KB

Download
memory/5104-16-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-0-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5104-5-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5104-7-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-17-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-15-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-14-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-18-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-4-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5104-48-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-49-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp

Filesize
4KB

Download
memory/5104-50-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-54-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/5104-13-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads