Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 17:01

General

  • Target

    b0eada3841834f2f94f551bad8369de0376d0cf9150bd6c5c0afb1817a56f09e.xls

  • Size

    71KB

  • MD5

    944d2d14dbcaf0a85595b923dba2acf0

  • SHA1

    5dd557fa76c6da957e887d90d00f0c1c273a6225

  • SHA256

    b0eada3841834f2f94f551bad8369de0376d0cf9150bd6c5c0afb1817a56f09e

  • SHA512

    4377cf5b92eec550313c9c44c700bb7c0883a4564929b6b562167eb8613b846bedef042bc75c69be2f7d18a26e9a6f05f47a68880065d1bfc911719de07bce1a

  • SSDEEP

    1536:jhKpb8rGYrMPe3q7Q0XV5xtezE8vG8UM+0+hDcnTLiQrRTZws8El:lKpb8rGYrMPe3q7Q0XV5xtezE8vG8UMX

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    xlm40.dropper
  • URLs
    https://natayakim.com/personal/o0sKIzRjM/
    http://meta4media.com/portfolio2/flb3iuglypsbqT/
    http://hathaabeach.com/documents/zNsC/

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b0eada3841834f2f94f551bad8369de0376d0cf9150bd6c5c0afb1817a56f09e.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\dxgxe1.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2760
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\dxgxe2.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2584
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\dxgxe3.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2580

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\dxgxe1.ocx

    Filesize

    53KB

    MD5

    66579239d0d2b2cc86a0cab8f590a50d

    SHA1

    c7bff8b84a59e4aeb42629be4ae6c60152809dd4

    SHA256

    dc377ec1c8506b02abbe7d331b766a3a39c263cc18a6c3a553c695eb40268af5

    SHA512

    7dd750dd93372e931781e6fd329a34f13817e261a04ec7ce646a0b6e2ccf91015a2627fa613e4d68480907800b8e73e11feb1866782049fa4e55c4ecde0c84ab

  • memory/2280-1-0x00000000724ED000-0x00000000724F8000-memory.dmp

    Filesize

    44KB

  • memory/2280-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2280-21-0x00000000724ED000-0x00000000724F8000-memory.dmp

    Filesize

    44KB