Overview

overview

10

Static

static

8

2390e1c6e5...ab.zip

windows7-x64

1

2390e1c6e5...ab.zip

windows10-2004-x64

1

a41dfd112f...d7.xls

windows7-x64

10

a41dfd112f...d7.xls

windows10-2004-x64

10

c3d71f860c...34.xls

windows7-x64

10

c3d71f860c...34.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3d71f860c941fb9a4a16f5b1ebf0c34.xls

  • Size

    95KB

  • MD5

    c3d71f860c941fb9a4a16f5b1ebf0c34

  • SHA1

    f00ce3f1fb55634b64a53caa3a4c4388729c05dc

  • SHA256

    200f8456509d6f70d23e575dbd09ed7de6d88ce5ca0c319f3ff98eeb94813277

  • SHA512

    d46b2223cf4a848fdca7773a0a4b7117f4a268c4662abbc4689b39b9279fce6e02a6a6125c0642e0172033b44ddbe923fc07d06fae86853afa25910768b668d8

  • SSDEEP

    1536:PFKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgg5HuS4hcTO97v7UYdEJmeA:tKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgt

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://zonainformatica.es/aspnet_client/n0ULlfoAHHQh9tagckL/
xlm40.dropper

https://napolni.me/3r/ILq7TqCUS/
xlm40.dropper

http://sigratech.de/career/sRpMMHief7H/
xlm40.dropper

http://webbandi.hu/image/Ifm98UCtROXr/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c3d71f860c941fb9a4a16f5b1ebf0c34.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\hhdt1.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4380
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\hhdt2.ocx
      2⤵
      • Process spawned unexpected child process
      PID:3152
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\hhdt3.ocx
      2⤵
      • Process spawned unexpected child process
      PID:652
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\hhdt4.ocx
      2⤵
      • Process spawned unexpected child process
      PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    3KB

    MD5

    cebbd22df4430526764a699acc3bdce4

    SHA1

    a707f86274505f3320d32c26e5690ce90ced7b0c

    SHA256

    47295ea4fca7d8ba5b16d1c5565290f34b94988700b8fdf2b0c65739ec29d7d3

    SHA512

    0d59b44047dd43cf2ce4e694a8064202b164604a65af97c0de918b0c5579134749f594976ad17ffb01dde6b70a2eac51252b6105d6d01e85ca481b67d5157464

    Download Submit

  • memory/384-12-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-6-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-2-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-3-0x00007FFBCB90D000-0x00007FFBCB90E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/384-10-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-9-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-8-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-1-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-4-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-11-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-7-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-13-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-15-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-14-0x00007FFB89420000-0x00007FFB89430000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-16-0x00007FFB89420000-0x00007FFB89430000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-5-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-34-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/384-0-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp

    Filesize

    64KB

    Download