Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 20:33

General

  • Target

    County Payment Report - 2022-11-10_1226.xls

  • Size

    91KB

  • MD5

    7c517fc0f713609f740d375ecfb33108

  • SHA1

    736006fb5cc695be518b49bacc128bad5888e272

  • SHA256

    3959e0f2ce9b4b6976ec5f51d95aa661c26000878daecf0e68803145d9f70b40

  • SHA512

    0bbcf46e0b70e05f28994c1993f0ad7ceecc7c21a52587426adc569b7cb54d40408d85efc6ee2d3de97a3b6f1b71cedd899a5b80c64fe004f8355bfc15af70dc

  • SSDEEP

    1536:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg4bCXuZH4gb4CEn9J4ZjrX:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgs

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.vinyz.com/cache/rqWV/

xlm40.dropper

http://yuanliao.raluking.com/1eq5o7/gHrTM8YilZz0quKt/

xlm40.dropper

https://akarweb.net/cgi-bin/CL13tGXI/

xlm40.dropper

http://www.bdbg.es/css/DDm7o71vWtTs/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\County Payment Report - 2022-11-10_1226.xls"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2836
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2580
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:3012
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2496-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2496-1-0x000000007212D000-0x0000000072138000-memory.dmp

    Filesize

    44KB

  • memory/2496-16-0x000000007212D000-0x0000000072138000-memory.dmp

    Filesize

    44KB