Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 16:25

General

  • Target

    d996924de3cfd2d5a8c0040acd061fc1e41bf3be9823d713989992155a15bb4e.xlsm

  • Size

    46KB

  • MD5

    ece3d76a6a0219a033a6999ada585822

  • SHA1

    6a250838cb1d7564839a50905e35f7353fabbc7c

  • SHA256

    d996924de3cfd2d5a8c0040acd061fc1e41bf3be9823d713989992155a15bb4e

  • SHA512

    44f0ed600f85fcef33bcc4a92834c0432b90c7522c1882af0b88c087055fde30aa75f1e27330f40fbddafe8fb2a9896236d6046a3e795bbace019a77aec2af7a

  • SSDEEP

    768:Pf4oTBvDOevZCwrvtjizdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2Vy0:34olvDetT5fTR4Lh1NisFYBc3cr+UqV3

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    xlm40.dropper
  • URLs
    • https://patriciamirapsicologa.com/wp-includes/UfQQtX1LEVwNJPCx/
    • https://gavalisamajsevasangh.com/abcd-trey/q4hH2T12X/
    • https://yatrataxi.com/folwu/LC5yH9Ai0l/
    • https://thelastpeopleonearth-dayz.com/wp-content/V2mmGey/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d996924de3cfd2d5a8c0040acd061fc1e41bf3be9823d713989992155a15bb4e.xlsm
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\enu.ocx

    Filesize

    169KB

    MD5

    6d6296d0aec196f0eee66fb069ebfd92

    SHA1

    00e912dafeac0d990b3a5b13c5c1effab01286bd

    SHA256

    27b522582417323906c3f72f0957427a63b5193489ca4192f87e79d209ef4833

    SHA512

    e133ee2929dce1e7479ba2d80307e20158046ec33e56f73ecaac3c257e4b286172d748770ca7b37a0430592668a375240423c86adb7c9736a4d6464199b09cbd

  • memory/1840-1-0x00000000722DD000-0x00000000722E8000-memory.dmp

    Filesize

    44KB

  • memory/1840-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1840-21-0x00000000722DD000-0x00000000722E8000-memory.dmp

    Filesize

    44KB