d76fa4833302d945ff621243f969001781fd5d57d2b561426802b20a476dcf58

General

Target

bdfa89a71da55bbad42a0edf3042dd4bea846a662a97fdfd376e492f3629ee96.xlsm
Size

114KB
MD5

7dd9cb1214ebc35eaa27dedb4d92d01c
SHA1

582ca6e064f447201874fd7701f7209099dc8f4a
SHA256

bdfa89a71da55bbad42a0edf3042dd4bea846a662a97fdfd376e492f3629ee96
SHA512

511a26fa3766dc52acb96355fc6d3782ebb967d806f02f5a4e52e969002e517934d36ad72e2cfd5fd58909d6c3fce40dc21e4534bea6e4daad118fa65586c247

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://185.183.99.115/44313,6048108796.dat

xlm40.dropper

http://51.89.73.159/44313,6048108796.dat

xlm40.dropper

http://190.14.37.38/44313,6048108796.dat

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bdfa89a71da55bbad42a0edf3042dd4bea846a662a97fdfd376e492f3629ee96.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-114-0x00007FF709D80000-0x00007FF70D336000-memory.dmp

Filesize
53.7MB

Download
memory/1096-115-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-116-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-117-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-118-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-121-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-122-0x00007FF8821D0000-0x00007FF8832BE000-memory.dmp

Filesize
16.9MB

Download
memory/1096-123-0x0000017B53820000-0x0000017B55715000-memory.dmp

Filesize
31.0MB

Download
memory/1096-269-0x0000017B67280000-0x0000017B67284000-memory.dmp

Filesize
16KB

Download
memory/1096-304-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-305-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-306-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/1096-307-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads