865a77019eb39474518493a2d0f8499d33cbbdcac68a958f29d0f46b6e041eb4

General

Target

865a77019eb39474518493a2d0f8499d33cbbdcac68a958f29d0f46b6e041eb4.xlsm
Size

40KB
MD5

2be5f58cc856cdd101e6c5fa24543a1d
SHA1

762a17da15560c510715f5a956fe8118402e927d
SHA256

865a77019eb39474518493a2d0f8499d33cbbdcac68a958f29d0f46b6e041eb4
SHA512

03da13aa228cc98596cbf5bb50824adc405de503e9b9d2bb80f7baa60c78d961037176fd4838041bd98dc04bf951410f62bbabe0c461e72dcfc06f83a7f339ed
SSDEEP

768:itby3nCsqi1O3mnOzyKfcrND59V+L9Rw4eWrXcTqy0y3:abunC5iymqylND59V4jwmXc2Xy3

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://foroviviendaparaguay.com/wp-admin/hx8U6XMffnkv8HI2Oig/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	512	2932	regsvr32.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2932	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2932	EXCEL.EXE
2932	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 512	2932	EXCEL.EXE	87
PID 2932 wrote to memory of 512	2932	EXCEL.EXE	87
PID 2932 wrote to memory of 512	2932	EXCEL.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865a77019eb39474518493a2d0f8499d33cbbdcac68a958f29d0f46b6e041eb4.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NBKV6P75HVZDOCO87PR4.temp

Filesize
1KB

MD5
a7d3f8ae5905859b5804b135016fbd85

SHA1
e0bce880f6c25bfae256127f2bce750339d54ee9

SHA256
7c6ac11d13e09d8f813fc1a4ffa46a0fa96f610c37d8fed6e7c96e80e1c8e79c

SHA512
38ecc8fb7c36dbd76f7c19276c974de77356ca78539229aacd706845e53e79c05ca27b52557232b10d955f02d5da6a3bd1b98e886313a2728ee1403b38357fa0

Download Submit
C:\Users\Admin\xda.ocx

Filesize
1KB

MD5
f5cbd45470e627a21fd54035161d75e8

SHA1
61eef416af2c777d7cc52888bb486666eef4b276

SHA256
cd0ed2995ecf53ef7526879474e124ebb49203d8c0a5a1858bbea46e2a13fa38

SHA512
de9b24c7e4d8b2f9873b808190a0af193a7f628b764b4d19d2e4f32cd0472eccb9e10799b2832758d428b2cb8ed6cc30ad23f1b99da08ae693cf0f790a1854aa

Download Submit
memory/2932-15-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-16-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

Filesize
64KB

Download
memory/2932-6-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-0-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/2932-3-0x00007FFD8D3CD000-0x00007FFD8D3CE000-memory.dmp

Filesize
4KB

Download
memory/2932-9-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-10-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-14-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-2-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/2932-5-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/2932-13-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-12-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-11-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-8-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-7-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-17-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

Filesize
64KB

Download
memory/2932-4-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/2932-34-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/2932-1-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads