dd4e2efe06c8ba854357ecaad3dddbd69d5759bb47c7195151bb316d7e9663fb

General

Target

dd4e2efe06c8ba854357ecaad3dddbd69d5759bb47c7195151bb316d7e9663fb.xlsm
Size

33KB
MD5

19721b79be73cadb460017d966980f4b
SHA1

fe3863292ca63fdc2fbb59465c498b4433ab4f73
SHA256

dd4e2efe06c8ba854357ecaad3dddbd69d5759bb47c7195151bb316d7e9663fb
SHA512

2b37d2d77693a8030a89856113fe3dc41da93f9d547b3d575e398c5e97556dee3f90c324d3c05d14cd7debc509bab7e66602e8ae3286e8d3c6f181a8df6bf0ca
SSDEEP

768:4jFhNKbeXizXT2LxdFfPdkqstJ1goE6vS:4BTGeXgXUndkqegoE6vS

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://www.alejandrovillar.com/MSL/eKDWjpa4OHRxpysOTFe/

xlm40.dropper

https://alejandrastamateas.com/web/ZxA3zHwsH3r/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4480	4188	regsvr32.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4188	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4188	EXCEL.EXE
4188	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4480	4188	EXCEL.EXE	95
PID 4188 wrote to memory of 4480	4188	EXCEL.EXE	95
PID 4188 wrote to memory of 4480	4188	EXCEL.EXE	95

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dd4e2efe06c8ba854357ecaad3dddbd69d5759bb47c7195151bb316d7e9663fb.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
94527a35e187f647bbb619530ca5e3e8

SHA1
87686b529169d41f75f0c802c43562c1f2fc9458

SHA256
08eca09ed9cf5ac530783b3e3788ab3ba92d20e42e385a4d6d61fc2bb71f7b20

SHA512
1171a5421f1e452a74db96f1c0cfbf5ec0700f41b59d583337fbfef9ceaa798d8ad31a902b4362c8901bf1e0c5832961427565238d2a53f257d57b89cbcdacb9

Download Submit
C:\Users\Admin\rfs.dll

Filesize
202KB

MD5
539f9cf69b3477bbade872f9cb2c20da

SHA1
7739ad0149b311693d4d4e70020ad9f15dbf9c31

SHA256
14c16bddc40f6d3afa927344d84c04117832fe52d562dc4c9e153abfe6410f01

SHA512
4b80165fe14089298a826cd034a86039291a798f82984e8bd6966761937ea3595834ed4813140d9b8d8d36bce8be726e1bf14edae0c868738dcd79dde07bd8dd

Download Submit
memory/4188-10-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-9-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-4-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-5-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

Filesize
64KB

Download
memory/4188-8-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-7-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

Filesize
64KB

Download
memory/4188-0-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

Filesize
64KB

Download
memory/4188-1-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

Filesize
64KB

Download
memory/4188-6-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-13-0x00007FFF076C0000-0x00007FFF076D0000-memory.dmp

Filesize
64KB

Download
memory/4188-12-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-11-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-14-0x00007FFF076C0000-0x00007FFF076D0000-memory.dmp

Filesize
64KB

Download
memory/4188-3-0x00007FFF498CD000-0x00007FFF498CE000-memory.dmp

Filesize
4KB

Download
memory/4188-40-0x00007FFF49830000-0x00007FFF49A25000-memory.dmp

Filesize
2.0MB

Download
memory/4188-2-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads