a0c1193974c2f9f31dcf33f381fe61c3ed6593807d89cdcda18bde093f385505

General

Target

a0c1193974c2f9f31dcf33f381fe61c3ed6593807d89cdcda18bde093f385505.xlsm
Size

20KB
MD5

581493ba1e164329959471c71d4eb877
SHA1

8923214be0f945e8812bbff887f40a200de8a42e
SHA256

a0c1193974c2f9f31dcf33f381fe61c3ed6593807d89cdcda18bde093f385505
SHA512

75b898b8527fe70f95134d5ab65ecdbbb7acf328c270553d01c2698613b00ce8217970f4946997c7d7f668845e1d1db03fe7f0d36576e04acbbcbe0071b09ec4
SSDEEP

384:DA2Y5Vb1GNj20o4CGzPd6ZIwLJKb5CzgObff9kC+xbX7k7aU2d:E2EINro4FLAOCBn9kC+xbLkWf

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://bctconsulting.se/HelenaWEB/Xf1rQukg8HjfItb9x/

xlm40.dropper

https://binaghetta.it/wp-content/gdONbcsI6Q9/

xlm40.dropper

http://bnbengineering.com.pk/cgi-bin/6n8q1OFBzyGyPSJ/

xlm40.dropper

http://bytesenbits.nl/cgi-bin/OjOn8icwhyf22SzegYA/

xlm40.dropper

http://bioscan.ch/backup_nov05/n6S3o4q9dG8050/

xlm40.dropper

http://abildgren.dk/webmail/XY8XstOvGiLx/

xlm40.dropper

http://grworld.com.tr/fonts/TPxLPt9Us5ALpvY/

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1620 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1620 EXCEL.EXE
1620 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

1620 EXCEL.EXE
1620 EXCEL.EXE
1620 EXCEL.EXE
1620 EXCEL.EXE
1620 EXCEL.EXE
1620 EXCEL.EXE
1620 EXCEL.EXE
1620 EXCEL.EXE

pid	process
1620	EXCEL.EXE

pid	process
1620	EXCEL.EXE
1620	EXCEL.EXE

pid	process
1620	EXCEL.EXE
1620	EXCEL.EXE
1620	EXCEL.EXE
1620	EXCEL.EXE
1620	EXCEL.EXE
1620	EXCEL.EXE
1620	EXCEL.EXE
1620	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a0c1193974c2f9f31dcf33f381fe61c3ed6593807d89cdcda18bde093f385505.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
629cdf6f40631bd96db4bf23014652c4

SHA1
ae54bda589102991321292372e4f606800b4c327

SHA256
35766fb6da896394dba233127e2a9f90286c6d7228311933ceb1a2864a41e73e

SHA512
2b3db066198380e20779152226d5fc2b5798e9035817e69cc75b486efbb404a68a7bbed5329b31c29e4885e8ecb2c2493481d20bea2ed4ef066f7aafb4fab70f

Download Submit
memory/1620-20-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-1-0x00007FFB7022D000-0x00007FFB7022E000-memory.dmp

Filesize
4KB

Download
memory/1620-18-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-17-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-9-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-10-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-12-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-14-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-15-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-13-0x00007FFB2DE80000-0x00007FFB2DE90000-memory.dmp

Filesize
64KB

Download
memory/1620-21-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-0-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/1620-3-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/1620-2-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/1620-5-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-16-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-11-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-8-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-4-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/1620-7-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-6-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/1620-43-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-44-0x00007FFB7022D000-0x00007FFB7022E000-memory.dmp

Filesize
4KB

Download
memory/1620-45-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-46-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/1620-19-0x00007FFB2DE80000-0x00007FFB2DE90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads