103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787

General

Target

103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787.xlsm
Size

95KB
MD5

b8ef30e42daf23205594b91d18714f12
SHA1

f175735d8b57549094a99ceebb4a154e06fdf1d4
SHA256

103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787
SHA512

fa5e670cf4e3c523516a297810da289f6c2882ba3d7cf6ae1433b841603a17777dee02bab5b9c2f6bfe84c05a43cd86cc137d6e4128d7faf2d64c780e460252d
SSDEEP

1536:sQxfGWXG8v5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVFfw:s2318DsVhonV69o2bchgGaWBcpA+fw

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://ashirvadgroup.com/wp-admin/LtoH5AWneDBZIV2D/

xlm40.dropper

https://patriciamirapsicologa.com/wp-includes/fVVa9DXB/

xlm40.dropper

https://forfreeiptv.com/wp-admin/s5Oxoskqv8/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1444	1344	regsvr32.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1344	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1344	EXCEL.EXE
1344	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE
1344	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1444	1344	EXCEL.EXE	92
PID 1344 wrote to memory of 1444	1344	EXCEL.EXE	92
PID 1344 wrote to memory of 1444	1344	EXCEL.EXE	92

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
41d5a50a68b8fdb761d98896c09ea96c

SHA1
0720346df2082d43f2c47eae213b6cfe3aac326f

SHA256
0ce3114ea29926bff768fc39ed5825e76cf5cd3c63fe55743998773f7d2f85d9

SHA512
619798be3ba8e16154095bad796eeeadef1502a1344c27d360212cbe918cfdc0e638bf97a72cbd86387f178d514f86bc704651d69371d1de7bebdc0c93ab174a

Download Submit
C:\Users\Admin\dw1.ocx

Filesize
497B

MD5
44e3c3252241233634d734f16d2f52fb

SHA1
2336f85baaa4aa39a93d7d05775bc403aa1c9b3c

SHA256
56237adc22006983a37b8c2964988d3dcf60edd7af2a8739191a529511fd5ba5

SHA512
bf8cbc52a1524568884c5323089c20dcc9bdd2fc448ade59ca4e5c77d8a574ad590155e548da43ba4798e1bbf131ad05b53605666ce2aa571e9239dcf892878a

Download Submit
memory/1344-13-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-11-0x00007FF800760000-0x00007FF800770000-memory.dmp

Filesize
64KB

Download
memory/1344-4-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1344-10-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-9-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-8-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-15-0x00007FF800760000-0x00007FF800770000-memory.dmp

Filesize
64KB

Download
memory/1344-7-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-6-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-5-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1344-3-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1344-1-0x00007FF842A6D000-0x00007FF842A6E000-memory.dmp

Filesize
4KB

Download
memory/1344-20-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-12-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-17-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-16-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-14-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-19-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-18-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-2-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download
memory/1344-44-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-45-0x00007FF842A6D000-0x00007FF842A6E000-memory.dmp

Filesize
4KB

Download
memory/1344-46-0x00007FF8429D0000-0x00007FF842BC5000-memory.dmp

Filesize
2.0MB

Download
memory/1344-0-0x00007FF802A50000-0x00007FF802A60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads