7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862

General

Target

7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862.xls
Size

71KB
MD5

7d7d21d0c976b9711aa88f72bacc8f13
SHA1

544b7bd2a8422f013cdd5dd85d679fbf1d4ca486
SHA256

7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862
SHA512

df1c0634912caff5ad17ef2a1ed47a2f6c2a7348887cff482ce089aff883c1f08d7c8b679709243aa33ed36b491faf3844488c1e4d5fde5bb27d534cff5acfe8
SSDEEP

1536:DhKpb8rGYrMPe3q7Q0XV5xtezE8vG8UM+gH+hDcnTLiQrRTZws8EYO:FKpb8rGYrMPe3q7Q0XV5xtezE8vG8UMv

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://papillonweb.fr/wp-content/G8z08q0mj/

xlm40.dropper

http://brennanasia.com/images/6IwPBHbnUvfgugV1b/

xlm40.dropper

https://estacioesportivavilanovailageltru.cat/tmp/IgSyqwgJmE/

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1884	4148	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2964	4148	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4272	4148	regsvr32.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4148 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4148 EXCEL.EXE
4148 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE
4148	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 4148 wrote to memory of 1884	4148	EXCEL.EXE	regsvr32.exe
PID 4148 wrote to memory of 1884	4148	EXCEL.EXE	regsvr32.exe
PID 4148 wrote to memory of 2964	4148	EXCEL.EXE	regsvr32.exe
PID 4148 wrote to memory of 2964	4148	EXCEL.EXE	regsvr32.exe
PID 4148 wrote to memory of 4272	4148	EXCEL.EXE	regsvr32.exe
PID 4148 wrote to memory of 4272	4148	EXCEL.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\usoiy1.ocx
  2⤵
  - Process spawned unexpected child process
  PID:1884
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\usoiy2.ocx
  2⤵
  - Process spawned unexpected child process
  PID:2964
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\usoiy3.ocx
  2⤵
  - Process spawned unexpected child process
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
568bada6e136664b88648eeeec377273

SHA1
6dba6ede00426a36d60038d2244f9fdfde5ac098

SHA256
5f236701114704eae6433b0db66ecc0a05e4c9144337513f8d14f2320e7bda1a

SHA512
23a847859ca0ba4c3f233eee4f9dac5a86aeba09e9d5266379bfa7bdd1b953aead00a5be2c25759631517ec96cb7fe909d2d42e04dc095824c6f925f1cccefc7

Download Submit
C:\Users\Admin\usoiy1.ocx

Filesize
111KB

MD5
a32ddff026d0c45aec7bf4c84fb00e6f

SHA1
377fa6800165a19b9f2b760ba1b970ab3c09d3ae

SHA256
79a01b0fa26cfd15bd528c57d32d2bb6e6a984f2b0f4d95d7b24dfcf1dcb89e9

SHA512
de15e922e1bf7c43e73050acaedaa1b9c7978cf3ac29ccd24ce114617a93cd6d6fa035f9226bd32fa2c72892ffb8fdf92665b322e90ffeb82d85f306ee30cf9e

Download Submit
C:\Users\Admin\usoiy3.ocx

Filesize
75KB

MD5
e4841206fed7dcc05abeb2543cc24acb

SHA1
1a7ee4436d935c1aab414653dd81388059b2c948

SHA256
a1d9b74e0513145be6e2aa9d0cc6ed8eb75a64b67c7b65e5c351212df7ed46df

SHA512
cd9235ac4ab25c6c55d03bf8a59b7e248179da3f1469974f48e1c1e783e6194e2c7f9bc925398ad256b36dd93c0ec59cc2d614daca62b9579652bfc83978c8b1

Download Submit
memory/4148-10-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-9-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-7-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-8-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

Filesize
64KB

Download
memory/4148-5-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

Filesize
64KB

Download
memory/4148-6-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-11-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-12-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-13-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

Filesize
64KB

Download
memory/4148-0-0x00007FFE4E96D000-0x00007FFE4E96E000-memory.dmp

Filesize
4KB

Download
memory/4148-14-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

Filesize
64KB

Download
memory/4148-4-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-15-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-16-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-1-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

Filesize
64KB

Download
memory/4148-40-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-42-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-41-0x00007FFE4E96D000-0x00007FFE4E96E000-memory.dmp

Filesize
4KB

Download
memory/4148-2-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

Filesize
64KB

Download
memory/4148-48-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4148-3-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads