Overview

overview

10

Static

static

8

c993916bdf...06.xls

windows7-x64

10

c993916bdf...06.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c993916bdf6c9185eddd5af5c1560ddddd8f30e988f6068acc9d0e412c7f9406.xls

  • Size

    95KB

  • MD5

    e6dcacf406448d613c9aee37d89b8682

  • SHA1

    ab60afdb3021230dde3467098cda72a2b761e44a

  • SHA256

    c993916bdf6c9185eddd5af5c1560ddddd8f30e988f6068acc9d0e412c7f9406

  • SHA512

    cadcfe630ef1af437b7d6162b50d165530af482ecc293b9d3a3f000e003abaf415bd4fb3d10d52cd5e83faa04c7f404a551076ebc60d5b5799bff6a52b5857db

  • SSDEEP

    1536:iFKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg1HuS4hcTO97v7UYdEJmSCs+:cKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgm

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://francite.net/images/XI7zS0X1nY/
xlm40.dropper

https://cointrade.world/receipts/Sa6fYJpecEVqiRf05/
xlm40.dropper

http://gedebey-tvradio.info/wp-includes/nOmdPyUpDB/
xlm40.dropper

http://haircutbar.com/cgi-bin/SpJT9OKPmUpJfkGqv/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c993916bdf6c9185eddd5af5c1560ddddd8f30e988f6068acc9d0e412c7f9406.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4484
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
      2⤵
      • Process spawned unexpected child process
      PID:3012
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
      2⤵
      • Process spawned unexpected child process
      PID:2276
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
      2⤵
      • Process spawned unexpected child process
      PID:3672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    1KB

    MD5

    816545f3f6704006dafbba201129a2b8

    SHA1

    e2be339447f20057bfc5a37471fb40cd1458e893

    SHA256

    0d77d69f91c465bb4831d2d40d629b1ff67c08d259ae333f30abae048f3253ca

    SHA512

    8f0b2a564284dd01a11d4a26c80d5f3c9efc887dd28b6eef493bd326160cb4d14131e292f7e5b2b1f368838958d7068eff87ece6f362c9f211ce59f96b9043e5

    Download Submit

  • memory/2844-11-0x00007FF9FCEE0000-0x00007FF9FCEF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-27-0x00007FFA3F58D000-0x00007FFA3F58E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-4-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-2-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-5-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-9-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-10-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-6-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-1-0x00007FFA3F58D000-0x00007FFA3F58E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-3-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-8-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-13-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-14-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-16-0x00007FF9FCEE0000-0x00007FF9FCEF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-15-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-12-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-26-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-0-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2844-28-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2844-7-0x00007FFA3F4F0000-0x00007FFA3F6E5000-memory.dmp

    Filesize

    2.0MB

    Download