0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a

Analysis

max time kernel
133s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-01-2022 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm
Size

83KB
MD5

5610c5825e0a6dfdeff609a7892a5248
SHA1

3d51a54040324acc824c1b9beb8cb042e923fb76
SHA256

0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a
SHA512

81f025d1171ec68e1b67dd57778d8475382a6c70c9815931f9a3e4c24f5dd50d98ff096598669de5c0bb191ab22a7e0e8e6b88ff73a068ef6e12cbb9548d38f0

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://adi.iswks.com/assets/hO1v71pqfNN/

xlm40.dropper

http://kopbhawan.com/mdphht/fwqEBVQlJXHayt/

xlm40.dropper

http://towardsun.net/admin/dcg3jSLkPuYsQ5xB/

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3632 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

3632 EXCEL.EXE
3632 EXCEL.EXE
3632 EXCEL.EXE
3632 EXCEL.EXE
3632 EXCEL.EXE
3632 EXCEL.EXE
3632 EXCEL.EXE
3632 EXCEL.EXE

pid	process
3632	EXCEL.EXE

pid	process
3632	EXCEL.EXE
3632	EXCEL.EXE
3632	EXCEL.EXE
3632	EXCEL.EXE
3632	EXCEL.EXE
3632	EXCEL.EXE
3632	EXCEL.EXE
3632	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3632-115-0x00007FFE1F5B0000-0x00007FFE1F5C0000-memory.dmp

Filesize
64KB

Download
memory/3632-116-0x00007FFE1F5B0000-0x00007FFE1F5C0000-memory.dmp

Filesize
64KB

Download
memory/3632-117-0x00007FFE1F5B0000-0x00007FFE1F5C0000-memory.dmp

Filesize
64KB

Download
memory/3632-118-0x00007FFE1F5B0000-0x00007FFE1F5C0000-memory.dmp

Filesize
64KB

Download
memory/3632-120-0x000001ABED730000-0x000001ABED732000-memory.dmp

Filesize
8KB

Download
memory/3632-119-0x000001ABED730000-0x000001ABED732000-memory.dmp

Filesize
8KB

Download
memory/3632-121-0x00007FFE1F5B0000-0x00007FFE1F5C0000-memory.dmp

Filesize
64KB

Download
memory/3632-122-0x000001ABED730000-0x000001ABED732000-memory.dmp

Filesize
8KB

Download