Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 19:59
Behavioral task
behavioral1
Sample
9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366.xlsm
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366.xlsm
Resource
win10v2004-20241007-en
General
-
Target
9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366.xlsm
-
Size
95KB
-
MD5
e3ad7e39368f466482e4072cfddbf213
-
SHA1
a8d5d7335ee7468fa88bfb6de2860f35e087e40f
-
SHA256
9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366
-
SHA512
65669a5c6f14ff46ece1a944b2ea3b8eada6cbe0d9d617ea83bf949108c93b5a2b8ef5fa3b51764a634c06cea9c47285817a6f54e3004f2e05a00844bb6793fc
-
SSDEEP
1536:N+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:N43DsVhonV69o2bchgGaWBcpASF
Malware Config
Extracted
http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/
http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/
https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/
https://lucacerullo.com/wp-admin/sZ7Sw/
http://198.50.143.158/cgi-bin/PsABe8gznY/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 876 3144 regsvr32.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3144 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3144 EXCEL.EXE 3144 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE 3144 EXCEL.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3144 wrote to memory of 876 3144 EXCEL.EXE 88 PID 3144 wrote to memory of 876 3144 EXCEL.EXE 88 PID 3144 wrote to memory of 876 3144 EXCEL.EXE 88
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWow64\regsvr32.exeC:\Windows\SysWow64\regsvr32.exe /s ..\wo1.ocx2⤵
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
PID:876
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize2KB
MD580d8889479320cf1cc4705b2dd1f7230
SHA1c7d460033a674270d4fe51e4506b80ad9cc5e50d
SHA256f26ed064aea272dd77530619a1cf987fcb41772ee91e579891215283bbc66c8c
SHA5129eb4db1a7e94f4490e24a2aa4bb44087bf698f0815b567b121a564f515d12bde43475847fec6dc56f3774eb11993a50a261b46a52436fda1120a33be61692d9a
-
Filesize
74KB
MD5903492f463ccf48fd018817dbf20d61a
SHA121cec7743daa8c4059b0d2c7c85da5c984ca9316
SHA256029d77aa3dc2247f58e3fbcccf6d44903972ab84920c1ddecf242c8afe9f589e
SHA512f5fff7e7722a6b7bcc6272f48681c992cfaa2638b7f6c9237acb32e29362419e9accb49f61ffcc2855d4e59f7414dfb386d4ff67949b2fc751bd5931e7520339