314bbb466cb64b7256469dc2b32577d020cf6c13b518c1d7994d7db49ff757e9

General

Target

314bbb466cb64b7256469dc2b32577d020cf6c13b518c1d7994d7db49ff757e9.xlsm
Size

20KB
MD5

f5d2dc6a47dd9b02ed9efdf9298450c0
SHA1

e96fc2cc23727da84a70ef5d4e0068af4cd5a560
SHA256

314bbb466cb64b7256469dc2b32577d020cf6c13b518c1d7994d7db49ff757e9
SHA512

154f5cd2ddbb01264ca145290e95064ff892090bcb606f5f14434c694fd7d916e2053c7119adffd1d25eae8d17dc07206fea2a32c8b74a9362f3b84a4213678d
SSDEEP

384:15Jm7qVb1GNjyo4CGzPd6ZIwBKb5CzgObff9kC+xbX7Qi9rc5:15J7IN+o4FLNCBn9kC+xbLQf

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://benconry.com/wp-includes/eUXuRrm1G6bRZ/

xlm40.dropper

http://actividades.laforetlanguages.com/wp-admin/PXMxDnqZrr/

xlm40.dropper

http://atbiotique.com/images/ESistuSH6DbQFkxTz/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3120	1516	regsvr32.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1516	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1516	EXCEL.EXE
1516	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3120	1516	EXCEL.EXE	87
PID 1516 wrote to memory of 3120	1516	EXCEL.EXE	87
PID 1516 wrote to memory of 3120	1516	EXCEL.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\314bbb466cb64b7256469dc2b32577d020cf6c13b518c1d7994d7db49ff757e9.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
326fe1d0061728aea8e84c1cc1a74f7f

SHA1
abd5c858559fe92f5ddae4a54370a861eaa3acc7

SHA256
01dc899db7c4d5452952a415994cf235045496d5dad38375f969469eee5bba03

SHA512
b7a27bd98095a3c499f89987c6563f583b14b6bc47ea7ab29a0bebdef8b61fe52821166cc9224d64483da1e7e901de0978290c18506736ab66245fa784ebec1d

Download Submit
C:\Users\Admin\kytk.dll

Filesize
6KB

MD5
c16ce81d99df3f8fcc14dee6884354cf

SHA1
7cbafe67db47973d52415430fcf7da87c0a6e9bf

SHA256
46edae29f49b47f8cd66b3ac609ad698a9a832c83710d2c536d0e63efe292770

SHA512
d8a7be3fff25e30f2c7362980b8018fdbaf87995918988a5ececd34fb2cd07580ce6c3318d8ac339483888796b721e2948b3937b712d11143221d76cd8cf6fc1

Download Submit
memory/1516-12-0x00007FF91C120000-0x00007FF91C130000-memory.dmp

Filesize
64KB

Download
memory/1516-8-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-4-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

Filesize
64KB

Download
memory/1516-5-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

Filesize
64KB

Download
memory/1516-7-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-9-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-10-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-14-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-13-0x00007FF91C120000-0x00007FF91C130000-memory.dmp

Filesize
64KB

Download
memory/1516-6-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-2-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

Filesize
64KB

Download
memory/1516-1-0x00007FF95E80D000-0x00007FF95E80E000-memory.dmp

Filesize
4KB

Download
memory/1516-11-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-17-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-16-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-19-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-18-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-15-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-3-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

Filesize
64KB

Download
memory/1516-34-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-35-0x00007FF95E80D000-0x00007FF95E80E000-memory.dmp

Filesize
4KB

Download
memory/1516-36-0x00007FF95E770000-0x00007FF95E965000-memory.dmp

Filesize
2.0MB

Download
memory/1516-0-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads