ae0be73d4c96dd9b8f0fbd4414ebc2ba29b465c6fef13e6d118a5dfbdd9a13bb

General

Target

ae0be73d4c96dd9b8f0fbd4414ebc2ba29b465c6fef13e6d118a5dfbdd9a13bb.xlsm
Size

46KB
MD5

a0d4bf590f70bf03ba73fb5642cbcae5
SHA1

8d0fce26f5d532e72d096d5f7b64409a543ccf13
SHA256

ae0be73d4c96dd9b8f0fbd4414ebc2ba29b465c6fef13e6d118a5dfbdd9a13bb
SHA512

b63b7bc5e0121f577c835e4cebc698e5a181ee579dfdd1e6ed4ff0c1b678b47941337462eec29460a2b72398c7b1603dfc3816b440b0949c91c7d001c15e16bb
SSDEEP

768:cwLvfWDOevZCwrvtrDPzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfskoM:1WDzftT5fTR4Lh1NisFYBc3cr+UqVfD9

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://congresoapp2021.com/u07di/wkdehSgS/

xlm40.dropper

http://forocavialpa.com/wp-admin/bnFI6WhjZkffrb/

xlm40.dropper

http://s1.techopesolutions.com/semicanal/g7jRfFqphhUQ5oh/

xlm40.dropper

http://tournhatrang.asia/cgi-bin/2gnqrN/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1432	4824	regsvr32.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4824	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4824	EXCEL.EXE
4824	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1432	4824	EXCEL.EXE	86
PID 4824 wrote to memory of 1432	4824	EXCEL.EXE	86
PID 4824 wrote to memory of 1432	4824	EXCEL.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ae0be73d4c96dd9b8f0fbd4414ebc2ba29b465c6fef13e6d118a5dfbdd9a13bb.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
6580ebfbf8ef0d35845da549df6f9b8b

SHA1
12de656ac811646ba8e8c2bf265ea9576eea6717

SHA256
f532def178ed87defd87bdf6e96d5d053b375e5a99b6a505373e6635e760a89e

SHA512
c8dad6022b272f1864f0aa208337d8a9fef7149482edfaeb5a7e2f2de6fa2bea4372dc6ded6cd85c4eeeb067985062477ef400877c9ff1bbfb95385cd22d82dd

Download Submit
C:\Users\Admin\cre.ocx

Filesize
1KB

MD5
cb1b07573e7213a02ae501605abee157

SHA1
97d0f064994c2da54845ef6f15ea9b79546dc9b0

SHA256
1c7aa7a3fac693bffb0d1afad3e5abb3f43ccdf8fe230d5a585cd0b76a35aa47

SHA512
6a3f3a4489d7aa1577ce5da0804e18180fbcd452f5a5bd8e7ef66bfd882be30690dab9af7e3e865989027c6114fade170f08ed68cee8482a292efcfa0f471c73

Download Submit
memory/4824-15-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-37-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-5-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-4-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/4824-8-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/4824-11-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-10-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-12-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-13-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-14-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

Filesize
64KB

Download
memory/4824-9-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-7-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-1-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/4824-21-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-18-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-19-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-17-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-6-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-20-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-22-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-2-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/4824-16-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

Filesize
64KB

Download
memory/4824-38-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

Filesize
4KB

Download
memory/4824-39-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-3-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads