ac60a8f387089c73f3164a298d6912e2638fc7f470d1952a77f44268a4e61e8f

Analysis

max time kernel
133s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac60a8f387089c73f3164a298d6912e2638fc7f470d1952a77f44268a4e61e8f.xls
Size

70KB
MD5

1a79ffcf7a8429035d2becade59ffb2f
SHA1

61940c6361cd38b27cd57cc436b1420c33b438d5
SHA256

ac60a8f387089c73f3164a298d6912e2638fc7f470d1952a77f44268a4e61e8f
SHA512

de0084638365e90228e1c045d96fbd02098bea8162c47a2d169ffdaa17305f7f093f9d4dc031d88265c70bca8dc3b7d4b3b17e7ecaf63db8f7fd86b3418b41c1
SSDEEP

1536:5+Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgAYW/ESKQHS1yXJFadK0FB:kKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgf

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://farschid.de/verkaufsberater_service/OZRw36a2y1CH2clUzY/

xlm40.dropper

http://77homolog.com.br/dev-jealves/GP55wbYNXnp6/

xlm40.dropper

http://geowf.ge/templates/pJRea3Iu3wG/

xlm40.dropper

http://h63402x4.beget.tech/bin/wl0ENiE3BhELXV6V/

xlm40.dropper

http://ecoarch.com.tw/cgi-bin/E/

xlm40.dropper

https://galaxy-catering.com.vn/galxy/Fg1vvhlYJ/

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2540	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2540	EXCEL.EXE
2540	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac60a8f387089c73f3164a298d6912e2638fc7f470d1952a77f44268a4e61e8f.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
2d89f1516c10edbff60c44878b0769a7

SHA1
0f1763c15dc58d2477ce27f3f4c9c7a443de6628

SHA256
9948b60670a2f0c304aa00decf3da3840c2b963a4124c2a9f13df62550be1417

SHA512
083a1a4d322c1ef0e1ad288fa746268ded20c0f8118c4307e53f9a9ae04a15d8908a977a68c3feb677293de923703f4b8a1224b1ce76dcc0c7d11bcb91811150

Download Submit
memory/2540-14-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-12-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-4-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/2540-2-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/2540-5-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-6-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-9-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-10-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-13-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-16-0x00007FFACEAB0000-0x00007FFACEAC0000-memory.dmp

Filesize
64KB

Download
memory/2540-3-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/2540-15-0x00007FFACEAB0000-0x00007FFACEAC0000-memory.dmp

Filesize
64KB

Download
memory/2540-1-0x00007FFB113CD000-0x00007FFB113CE000-memory.dmp

Filesize
4KB

Download
memory/2540-18-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-17-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-11-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-8-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-7-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download
memory/2540-28-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-29-0x00007FFB113CD000-0x00007FFB113CE000-memory.dmp

Filesize
4KB

Download
memory/2540-30-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Filesize
2.0MB

Download
memory/2540-0-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads