9003966df2a166b405ab0c857a64434e15b4a172634d19d52841637710caebed

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9003966df2a166b405ab0c857a64434e15b4a172634d19d52841637710caebed.xls
Size

248KB
MD5

38b5bc3947056da0390a904c03b1d6ac
SHA1

fec5c52695f9287bf670cdfbfa1eb7a21d6be665
SHA256

9003966df2a166b405ab0c857a64434e15b4a172634d19d52841637710caebed
SHA512

f2259dd52504c81d8c7fb88b96182dba22099d884bcf4398e33174e9e12cec4e510811ae710219d0a1d29b4250537a886990f4d582fda3dbacf7cd599b5bba1f
SSDEEP

6144:EKpbdrHYrMue8q7QPX+5xtFEdi8/dgUThvsiKIjvl5fd1Xh8rsoX/w/0t:UhEXs5fXR8rsNg

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://dalgahavuzu.com/pwkfky/LF0WU/

xlm40.dropper

https://dolphinsupremehavuzrobotu.com/yrrct/QcbxhqCQ/

xlm40.dropper

https://sandiegoinsuranceagents.com/cgi-bin/XK1VSXZddLdN/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2376	2276	regsvr32.exe	27

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2276	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2276	EXCEL.EXE
2276	EXCEL.EXE
2276	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29
PID 2276 wrote to memory of 2376	2276	EXCEL.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9003966df2a166b405ab0c857a64434e15b4a172634d19d52841637710caebed.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xxw1.ocx

Filesize
14KB

MD5
c258b6b3d731349270887670b4d16306

SHA1
55c2c3ff081cdbf049d30d0dabe9e268bdc6b69d

SHA256
ab2f0d002236c933316c7d77857af9d2d2e24bc355c5491bc28e95dd69243857

SHA512
83b7bc47883b721440eaeec9a0b1be7858bdeb7911680f4b037f92bc6ea9545ec55f77ef33c69594e391d19e12f861c4269c138b34ce54f0f7e0776ae73cdc60

Download Submit
memory/2276-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2276-1-0x000000007265D000-0x0000000072668000-memory.dmp

Filesize
44KB

Download
memory/2276-17-0x000000007265D000-0x0000000072668000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads