Overview

overview

10

Static

static

8

a04fb147d8...69.xls

windows7-x64

10

a04fb147d8...69.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a04fb147d885a98405b843401f5b690a025d83e3aaf24bb4cddf8fb9ff245d69.xls

  • Size

    95KB

  • MD5

    00f1524e233399b927f757baa1ed432d

  • SHA1

    ff1a4403e2ca601122d9ff65a4e489910a724b56

  • SHA256

    a04fb147d885a98405b843401f5b690a025d83e3aaf24bb4cddf8fb9ff245d69

  • SHA512

    6fd728d7a9516b188d85e42616ed3363a71b3bbcaf9edb6749670c9e6c0114293fcf2f654df34ab785be4db5ff29ddc07ffa86597a7b996ec0686a4821ce53e0

  • SSDEEP

    1536:iFKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg1HuS4hcTO97v7UYdEJmSC8+:cKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgW

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://francite.net/images/XI7zS0X1nY/
xlm40.dropper

https://cointrade.world/receipts/Sa6fYJpecEVqiRf05/
xlm40.dropper

http://gedebey-tvradio.info/wp-includes/nOmdPyUpDB/
xlm40.dropper

http://haircutbar.com/cgi-bin/SpJT9OKPmUpJfkGqv/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a04fb147d885a98405b843401f5b690a025d83e3aaf24bb4cddf8fb9ff245d69.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4888
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
      2⤵
      • Process spawned unexpected child process
      PID:1632
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
      2⤵
      • Process spawned unexpected child process
      PID:1636
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    2KB

    MD5

    a24da6de1bce06b1bacad0d706ef1676

    SHA1

    09d13166ea4be2ca0d1f9b17630c2ce67e313525

    SHA256

    062c62e759c42077a6bb797b60b8b93d3ddd593f01988c191c8ec14fa7fbb5c7

    SHA512

    9f229f1012fa250411fb16de723415a239b589064c1216be0e1d76c3d9f2ac3b690ed51db65d60329dccbe4af9ae4d346adaff84272f8e55fbb284c504406f90

    Download Submit

  • memory/60-6-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-4-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-1-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-0-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-5-0x00007FFAA73C0000-0x00007FFAA7AFF000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/60-2-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-7-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-8-0x00007FFAA73C0000-0x00007FFAA7AFF000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/60-9-0x00007FFAA73C0000-0x00007FFAA7AFF000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/60-10-0x00007FFAA73C0000-0x00007FFAA7AFF000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/60-12-0x00007FFAA73C0000-0x00007FFAA7AFF000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/60-3-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

    Filesize

    64KB

    Download