db7a4dcd91eb9f5d98009150a4004be2ed04420fce790c7c5b9af2efe2a38dbf

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db7a4dcd91eb9f5d98009150a4004be2ed04420fce790c7c5b9af2efe2a38dbf.xlsm
Size

46KB
MD5

e5e0399080a75240ea276059adedbdf3
SHA1

255af01fa333a994f68ca07e838968104c2a744e
SHA256

db7a4dcd91eb9f5d98009150a4004be2ed04420fce790c7c5b9af2efe2a38dbf
SHA512

9650a5fe6b297199b378162b0b373676a1d87ff3df1c72fc045fc620f61818dd606af5dbe72b502886bc971a4a973fca5ec6ecf9886e8f075ab569a507f9d8d4
SSDEEP

768:AwLvfWDOevZCwrvtrDPzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfskoM:xWDzftT5fTR4Lh1NisFYBc3cr+UqVfD9

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://congresoapp2021.com/u07di/wkdehSgS/

xlm40.dropper

http://forocavialpa.com/wp-admin/bnFI6WhjZkffrb/

xlm40.dropper

http://s1.techopesolutions.com/semicanal/g7jRfFqphhUQ5oh/

xlm40.dropper

http://tournhatrang.asia/cgi-bin/2gnqrN/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2892	2432	regsvr32.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2432	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2432	EXCEL.EXE
2432	EXCEL.EXE
2432	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31
PID 2432 wrote to memory of 2892	2432	EXCEL.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\db7a4dcd91eb9f5d98009150a4004be2ed04420fce790c7c5b9af2efe2a38dbf.xlsm
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cre.ocx

Filesize
1KB

MD5
e8401c437dc4970b768cc3fd9890f2ba

SHA1
e2515fe96f9a9f5616f2a048203cc6ba18bcbbd7

SHA256
921dd77c8a0a905d752d39cfc6eb14a21a6442c237631e7dca21eb2bedc2cd26

SHA512
a1f2d362e75d7e43157c59ba9c46771c3adb5afc9e8fba7c87593e0f2fe5ccc4b82142629ce3bc9b15ba7b73b0672e8e81fb1495a3150aaf4f3206ddc7654840

Download Submit
memory/2432-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2432-1-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/2432-8-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads