82f3b8fc86215f5334fe72560b75c128add25e6df7d066cd1e8af8c696be1dfd

General

Target

82f3b8fc86215f5334fe72560b75c128add25e6df7d066cd1e8af8c696be1dfd.xls
Size

95KB
MD5

0e04ccbfd1b7263aa2058420db1f5ed8
SHA1

b71316cb4b1d884c32012475f6699c6421c964b2
SHA256

82f3b8fc86215f5334fe72560b75c128add25e6df7d066cd1e8af8c696be1dfd
SHA512

b1706ad919d475a82e422af0ba56e20c592508c71e0e5ff3ab4d2cf1bf3f9c50e20f8b553878dcb264996edd42983727a386d3cb3463b5678f6f8218a1d68419
SSDEEP

1536:UkKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgNHuS4hcTO97v7UYdEJm9:bKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgA

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://fikti.bem.gunadarma.ac.id/SDM/YH8OJ1Zz8miBX/

xlm40.dropper

http://ebuysa.co.za/yt-assets/yZ30/

xlm40.dropper

http://3dstudioa.com.br/files/1ubPAB/

xlm40.dropper

http://boardmart.co.za/images/DvMHPbTLn/

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2924	3044	regsvr32.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	976	3044	regsvr32.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2828	3044	regsvr32.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1384	3044	regsvr32.exe	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3044	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3044	EXCEL.EXE
3044	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2924	3044	EXCEL.EXE	92
PID 3044 wrote to memory of 2924	3044	EXCEL.EXE	92
PID 3044 wrote to memory of 976	3044	EXCEL.EXE	94
PID 3044 wrote to memory of 976	3044	EXCEL.EXE	94
PID 3044 wrote to memory of 2828	3044	EXCEL.EXE	98
PID 3044 wrote to memory of 2828	3044	EXCEL.EXE	98
PID 3044 wrote to memory of 1384	3044	EXCEL.EXE	103
PID 3044 wrote to memory of 1384	3044	EXCEL.EXE	103

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\82f3b8fc86215f5334fe72560b75c128add25e6df7d066cd1e8af8c696be1dfd.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
  2⤵
  - Process spawned unexpected child process
  PID:2924
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
  2⤵
  - Process spawned unexpected child process
  PID:976
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
  2⤵
  - Process spawned unexpected child process
  PID:2828
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
  2⤵
  - Process spawned unexpected child process
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
2c75fd1ae44a70f7b55de2813bc7c958

SHA1
57dc5dc0e8401d8476612d9e533d7358c49c3acc

SHA256
3f8b1213cb1c620bb2b5c739fe0b635d8153d5fbb9bf1dc21b53c173fbe251e3

SHA512
79d4ff55de83e14228cd77936600ef6dd0beafb07c2c5b30d782cfbba266d65676c761593a7ff4c650cf922455b2bd290e74322fa9c3c159427c0324136901a9

Download Submit
memory/3044-17-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/3044-5-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-2-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3044-6-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3044-4-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3044-7-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-0-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3044-10-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-13-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-12-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-3-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3044-15-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-9-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-18-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/3044-14-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-11-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-16-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-20-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-19-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-8-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-40-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-41-0x00007FF99A24D000-0x00007FF99A24E000-memory.dmp

Filesize
4KB

Download
memory/3044-42-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3044-1-0x00007FF99A24D000-0x00007FF99A24E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads