f9790c9151deb69c4936c7798e925fc91f5cb689d8385c86327cd0052992cff6

General

Target

f9790c9151deb69c4936c7798e925fc91f5cb689d8385c86327cd0052992cff6.xlsm
Size

50KB
MD5

6e496339047173b963306043f0ddbfd2
SHA1

dad3926704ec038c55d86c98c4ee3c3fb1aa6d2f
SHA256

f9790c9151deb69c4936c7798e925fc91f5cb689d8385c86327cd0052992cff6
SHA512

f3c8448063aad7ec026240d2c90f3ec502cca00cba02b346c1010c809d6c3b566664fc19c09948d0fc95e2c11cb3be04735d408bfac19eec70c5152fb80a50ac
SSDEEP

768:nx9D9onsXslSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA0P4F:nXD9okncDSmSIBlGeuSEcm2h0BPu

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://centrobilinguelospinos.com/wp-admin/VrgzWT/

xlm40.dropper

http://boardingschoolsoftware.com/backup/CtMR5Yi/

xlm40.dropper

http://bsa.iain-jember.ac.id/asset/x0hMwOPVpkQSNoS8WCN/

xlm40.dropper

http://ctha.uy/cgi-bin/zGhvZLq6kSV1L1Vi/

xlm40.dropper

https://descontador.com.br/css/q5nrG6ua/

xlm40.dropper

http://letea.eu/wp-content/3GgF4miFZTq9/

xlm40.dropper

http://quoctoan.c1.biz/wp-admin/j8Zu/

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4860 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4860 EXCEL.EXE
4860 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

4860 EXCEL.EXE
4860 EXCEL.EXE
4860 EXCEL.EXE
4860 EXCEL.EXE
4860 EXCEL.EXE
4860 EXCEL.EXE
4860 EXCEL.EXE
4860 EXCEL.EXE

pid	process
4860	EXCEL.EXE

pid	process
4860	EXCEL.EXE
4860	EXCEL.EXE

pid	process
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f9790c9151deb69c4936c7798e925fc91f5cb689d8385c86327cd0052992cff6.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
b024094dd9c0a191b31bc05a51ac33f2

SHA1
0c9ea9e7572f940b70d386884ef0069c4ce16910

SHA256
55ff3300f88f126b5f7e97fb6f1fa404935fcf1fb352b61b865f223f4aa97a3a

SHA512
ae98a8a585db3c3b5c79f175eb7de0c883a39cd9c647c5f9ff36e320bca26f29f0ec7a44ceb07ce109131faf71afb89bfe4f28b3108be3d30fd224e9365cd50c

Download Submit
memory/4860-15-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-5-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/4860-14-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-4-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/4860-16-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-6-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-9-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-17-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-7-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-10-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-13-0x00007FFB2DE80000-0x00007FFB2DE90000-memory.dmp

Filesize
64KB

Download
memory/4860-1-0x00007FFB7022D000-0x00007FFB7022E000-memory.dmp

Filesize
4KB

Download
memory/4860-3-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/4860-2-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download
memory/4860-8-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-20-0x00007FFB2DE80000-0x00007FFB2DE90000-memory.dmp

Filesize
64KB

Download
memory/4860-21-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-19-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-18-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-12-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-11-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-31-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-32-0x00007FFB7022D000-0x00007FFB7022E000-memory.dmp

Filesize
4KB

Download
memory/4860-33-0x00007FFB70190000-0x00007FFB70385000-memory.dmp

Filesize
2.0MB

Download
memory/4860-0-0x00007FFB30210000-0x00007FFB30220000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads