Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows11-21h2-x64

3

The-MALWAR...ll.exe

windows11-21h2-x64

10

The-MALWAR...BS.exe

windows11-21h2-x64

10

The-MALWAR...in.exe

windows11-21h2-x64

7

The-MALWAR....A.exe

windows11-21h2-x64

1

The-MALWAR....A.exe

windows11-21h2-x64

10

The-MALWAR....A.dll

windows11-21h2-x64

6

The-MALWAR...r.xlsm

windows11-21h2-x64

10

The-MALWAR...36c859

windows11-21h2-x64

1

The-MALWAR...caa742

windows11-21h2-x64

1

The-MALWAR...c1a732

windows11-21h2-x64

1

The-MALWAR...57c046

windows11-21h2-x64

1

The-MALWAR...4cde86

windows11-21h2-x64

1

The-MALWAR...460a01

windows11-21h2-x64

1

The-MALWAR...ece0c5

windows11-21h2-x64

1

The-MALWAR...257619

windows11-21h2-x64

1

The-MALWAR...fbcc59

windows11-21h2-x64

1

The-MALWAR...54f69c

windows11-21h2-x64

1

The-MALWAR...d539a6

windows11-21h2-x64

1

The-MALWAR...4996dd

windows11-21h2-x64

1

The-MALWAR...8232d5

windows11-21h2-x64

1

The-MALWAR...66b948

windows11-21h2-x64

1

The-MALWAR...f9db86

windows11-21h2-x64

1

The-MALWAR...ea2485

windows11-21h2-x64

1

The-MALWAR...us.exe

windows11-21h2-x64

6

The-MALWAR....a.exe

windows11-21h2-x64

1

The-MALWAR....a.exe

windows11-21h2-x64

7

The-MALWAR...ok.exe

windows11-21h2-x64

1

The-MALWAR...y.html

windows11-21h2-x64

1

The-MALWAR...ft.exe

windows11-21h2-x64

4

The-MALWAR...en.exe

windows11-21h2-x64

6

The-MALWAR...min.js

windows11-21h2-x64

1

Analysis

  • max time kernel
    1396s
  • max time network
    1173s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-12-2023 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm

  • Size

    93KB

  • MD5

    b36a0543b28f4ad61d0f64b729b2511b

  • SHA1

    bf62dc338b1dd50a3f7410371bc3f2206350ebea

  • SHA256

    90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c

  • SHA512

    cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037

  • SSDEEP

    1536:0sqG3SkDNIVXnR8TeYSSkCXgN+Uu+j6XJaRqWD/0ACKNONUhfy:0sNrxWXnCjiubXKD/EQA

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4400
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 4400
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3608-14-0x00007FFB363D0000-0x00007FFB363E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-2-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-1-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-3-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-5-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-7-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-6-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-4-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-8-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-9-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-11-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-10-0x00007FFB363D0000-0x00007FFB363E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-12-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3608-13-0x00007FFB771C0000-0x00007FFB7727D000-memory.dmp
    Filesize

    756KB

    Download
  • memory/3608-31-0x00007FFB771C0000-0x00007FFB7727D000-memory.dmp
    Filesize

    756KB

    Download
  • memory/3608-0-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3608-30-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4396-34-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4396-24-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4396-29-0x00007FFB771C0000-0x00007FFB7727D000-memory.dmp
    Filesize

    756KB

    Download
  • memory/4396-20-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4396-41-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4396-22-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4396-35-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4396-39-0x00007FFB771C0000-0x00007FFB7727D000-memory.dmp
    Filesize

    756KB

    Download
  • memory/4396-38-0x00007FFB771C0000-0x00007FFB7727D000-memory.dmp
    Filesize

    756KB

    Download
  • memory/4396-36-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4396-37-0x00007FFB38670000-0x00007FFB38680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4396-40-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4396-19-0x00007FFB785E0000-0x00007FFB787E9000-memory.dmp
    Filesize

    2.0MB

    Download