93bfbba32de98342358e76544bb25c76507319e6a51a27377e43e9de002a85fb

General

Target

93bfbba32de98342358e76544bb25c76507319e6a51a27377e43e9de002a85fb.xls
Size

91KB
MD5

d0e96304f7cd2aac797b35ad4df92fa6
SHA1

6aed63983a6c31cf90e4a1b090f4b9c869aa1f2c
SHA256

93bfbba32de98342358e76544bb25c76507319e6a51a27377e43e9de002a85fb
SHA512

7a233ca08f902bb47ead9c5b43127c0761518ede1b26101cf555e64787f083a22d62fbc00549c4c66303ecdf78c06e0dc9e16725cad57cc8e31b436ec2df27ec
SSDEEP

1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgMbCXuZH4gb4CEn9J4ZSX3O:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgm

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://encuadernacionesartis.com/Vk2Z1Na/IZpyySkbU/

xlm40.dropper

http://eznetb.synology.me/@eaDir/E36Y/

xlm40.dropper

http://bytesendesign.nl/cgi-bin/LolX/

xlm40.dropper

http://choltice.eu/mwc/syl3Y/

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4516	408	regsvr32.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2496	408	regsvr32.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2128	408	regsvr32.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2424	408	regsvr32.exe	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
408	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
408	EXCEL.EXE
408	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE
408	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4516	408	EXCEL.EXE	86
PID 408 wrote to memory of 4516	408	EXCEL.EXE	86
PID 408 wrote to memory of 2496	408	EXCEL.EXE	88
PID 408 wrote to memory of 2496	408	EXCEL.EXE	88
PID 408 wrote to memory of 2128	408	EXCEL.EXE	89
PID 408 wrote to memory of 2128	408	EXCEL.EXE	89
PID 408 wrote to memory of 2424	408	EXCEL.EXE	90
PID 408 wrote to memory of 2424	408	EXCEL.EXE	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\93bfbba32de98342358e76544bb25c76507319e6a51a27377e43e9de002a85fb.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  PID:4516
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  PID:2496
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  PID:2128
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
  2⤵
  - Process spawned unexpected child process
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
cc1101007e3c4a88612adc34c962f0a7

SHA1
7513632ac84f300559e947ed3da8b850cb3d4a39

SHA256
ba5f10f69d8938bd9c8830e32bf3336be1d61af894ae923d00acc238ac84be5a

SHA512
1e70c3375aa3348820bde913e5f72e4aeeaf3bd3f2f80beb7fa3f2af2fa2fb1cc1069fedc03652101de3466b9ee078bdd14f897062ad115cb2ae7ed37d63f935

Download Submit
C:\Users\Admin\elv4.ooocccxxx

Filesize
12B

MD5
bc6e6f16b8a077ef5fbc8d59d0b931b9

SHA1
e02aa1b106d5c7c6a98def2b13005d5b84fd8dc8

SHA256
4ae7c3b6ac0beff671efa8cf57386151c06e58ca53a78d83f36107316cec125f

SHA512
f986313ffca1a20c61fa2cff5cb597f1af10a650aecca497a746e8d11d1b6bf33e9e6a25eb7ba26af2fcfaa70472d8250b908419a188a16e17191fc26f423f52

Download Submit
memory/408-16-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-36-0x00007FF8CA76D000-0x00007FF8CA76E000-memory.dmp

Filesize
4KB

Download
memory/408-2-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/408-7-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-8-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-10-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-11-0x00007FF8886F0000-0x00007FF888700000-memory.dmp

Filesize
64KB

Download
memory/408-13-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-9-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-14-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-1-0x00007FF8CA76D000-0x00007FF8CA76E000-memory.dmp

Filesize
4KB

Download
memory/408-4-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/408-20-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-18-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-17-0x00007FF8886F0000-0x00007FF888700000-memory.dmp

Filesize
64KB

Download
memory/408-19-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-12-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-6-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-5-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/408-3-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/408-35-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-15-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-37-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

Filesize
2.0MB

Download
memory/408-0-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads