6b657135ea78afcb7702a6389e3523797f44e292a4b38bf35a56247edb1ebe98

Analysis

max time kernel
139s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b657135ea78afcb7702a6389e3523797f44e292a4b38bf35a56247edb1ebe98.xlsm
Size

46KB
MD5

c1d42d8cfd952adbd79e9bbcb9725f4d
SHA1

ab539ad295e81375a9e1cf6283948bf020e36372
SHA256

6b657135ea78afcb7702a6389e3523797f44e292a4b38bf35a56247edb1ebe98
SHA512

c31583ed65176ce3f00c70c07aca3e4e6b1922b6ec58cc747849de511f4123cead6f8cadee5b7485cb3e8b37f54ff06d41d248726df34c1f8f8cba355b364265
SSDEEP

768:QwLvfWDOevZCwrvtrDPzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfskoM:hWDzftT5fTR4Lh1NisFYBc3cr+UqVfD9

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://congresoapp2021.com/u07di/wkdehSgS/

xlm40.dropper

http://forocavialpa.com/wp-admin/bnFI6WhjZkffrb/

xlm40.dropper

http://s1.techopesolutions.com/semicanal/g7jRfFqphhUQ5oh/

xlm40.dropper

http://tournhatrang.asia/cgi-bin/2gnqrN/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2680	2348	regsvr32.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2348	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2348	EXCEL.EXE
2348	EXCEL.EXE
2348	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32
PID 2348 wrote to memory of 2680	2348	EXCEL.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6b657135ea78afcb7702a6389e3523797f44e292a4b38bf35a56247edb1ebe98.xlsm
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cre.ocx

Filesize
1KB

MD5
b064602509bf22973a2bbfc67f7cc500

SHA1
022438754e832527883ed1590e8bb6a6abbc40a6

SHA256
d26baf6b8e269f850d2e611e16b856c9d12b20a60005c2b05e5b9bba4df8f70a

SHA512
9cbce0763049cef99fb193adf0dd400c8153870927a8557ff2948ed51a1a6add16e8dd5a508dc8873c5117c4d5fe74bd9529f75b1c4dae8f529aa0f3a9106b31

Download Submit
memory/2348-1-0x000000007293D000-0x0000000072948000-memory.dmp

Filesize
44KB

Download
memory/2348-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2348-8-0x000000007293D000-0x0000000072948000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads