60b394d7311f20c315f9deaf5f7baf58eacfa87516e5c7d69ae7832986c5b6fb

General

Target

60b394d7311f20c315f9deaf5f7baf58eacfa87516e5c7d69ae7832986c5b6fb.xls
Size

126KB
MD5

e247aaa372031fc38e6ba1896ff475b0
SHA1

c0c614584b737d95ac8d7aeea5f21825936a5351
SHA256

60b394d7311f20c315f9deaf5f7baf58eacfa87516e5c7d69ae7832986c5b6fb
SHA512

56fe7189a26896dc7c048b188f4dcce118c5b3b7919f5ac20dfb1c2e1a810020560a3880ba56938b4bf590b78238ab1431137d55390a22fc3d589f94e89cc5ba
SSDEEP

3072:LsKpbdrHYrMue8q7QPX+5xtekEdi8/dgR3Syz+nzQIceCRlC9:QKpbdrHYrMue8q7QPX+5xtFEdi8/dgRc

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/

xlm40.dropper

http://izytalab.com/includes/1mafAX0kOa/

xlm40.dropper

https://pcsolutionss.com/zSlT4HR92TiOpw5NM/

xlm40.dropper

http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

xlm40.dropper

https://wpl28.realtyna.com/wp-content/0b0ny5cPM/

xlm40.dropper

http://www.efcballjoint.com/Template/AxEZPOfAa9/

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3736	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid	Process
3736	EXCEL.EXE
3736	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid	Process
3736	EXCEL.EXE
3736	EXCEL.EXE
3736	EXCEL.EXE
3736	EXCEL.EXE
3736	EXCEL.EXE
3736	EXCEL.EXE
3736	EXCEL.EXE
3736	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\60b394d7311f20c315f9deaf5f7baf58eacfa87516e5c7d69ae7832986c5b6fb.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
5fefc3406041e81df3fa989c2b094f51

SHA1
b52cb6d7eaa1c2ad93a4fd0e08b73f390de4226e

SHA256
02d70c67a25a2c417c075656f79a6f2acb9ad6ec977d82b031067e543cd26cb2

SHA512
e04f466261a9ad203699c74a84faea806885d4011ab6728579c3e358d984ba3f994061b103f3c323d87367927e4814dcec6424c555a04054b542b81caaa03582

Download Submit
memory/3736-12-0x00007FFB1ED00000-0x00007FFB1ED10000-memory.dmp

Filesize
64KB

Download
memory/3736-41-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-5-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3736-4-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3736-2-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3736-7-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-6-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-10-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-9-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-11-0x00007FFB1ED00000-0x00007FFB1ED10000-memory.dmp

Filesize
64KB

Download
memory/3736-3-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3736-1-0x00007FFB60F0D000-0x00007FFB60F0E000-memory.dmp

Filesize
4KB

Download
memory/3736-16-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-15-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-14-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-18-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-17-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-13-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-38-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-39-0x00007FFB60F0D000-0x00007FFB60F0E000-memory.dmp

Filesize
4KB

Download
memory/3736-40-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-0-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3736-42-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3736-8-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads