3217397c6b12d88b5039a4c42848d8a6b03c37ecf322d9cf0836eebacc81149f

General

Target

3217397c6b12d88b5039a4c42848d8a6b03c37ecf322d9cf0836eebacc81149f.xlam
Size

157KB
MD5

164f7996b586499ba1ebdb8e10f5581e
SHA1

72c005e12d9ee2c33c161c37eccbea2b7922be12
SHA256

3217397c6b12d88b5039a4c42848d8a6b03c37ecf322d9cf0836eebacc81149f
SHA512

c88a1c95dc83bf8bbacbd93cf9d9519a23de7e0158c8f39b2a371963e58eba25610562097c9d679f868e7aa0799cc4bb91e78acf8b82a9d8d09e7c8bdf6e0790
SSDEEP

3072:FMKu+tcIroKu3COaWgPn8/wa+5pbthx0cLKCFj8Q8YwzpsYc4o+1HBZGBG:FM3nIrhu3Pa//tLvmQopcnqhZ6G

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
62	2956	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
2040	jivarthr edis.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3268	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Exl-47\docs.zip\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3916	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3916	EXCEL.EXE
3916	EXCEL.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 2040	3916	EXCEL.EXE	92
PID 3916 wrote to memory of 2040	3916	EXCEL.EXE	92

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3217397c6b12d88b5039a4c42848d8a6b03c37ecf322d9cf0836eebacc81149f.xlam"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\Exl-47\jivarthr edis.exe
  "C:\Users\Admin\Exl-47\jivarthr edis.exe"
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjFFNEFDREEtOEUzMC00Mjk1LThERkEtMUE1Q0Y2QkY4RkY0fSIgdXNlcmlkPSJ7RTI4NDI5OUUtMzBFOC00M0ZCLTgxODktQzMzRTFEMkJGRDc4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTg3Q0I3QTgtNTFBNi00RUNDLThBQzgtQjc3MDk0QzNFNjYyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTQ3NDIwMjU0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3217397c6b12d88b5039a4c42848d8a6b03c37ecf322d9cf0836eebacc81149f.xlam.xlsx

Filesize
11KB

MD5
afc4e11b0d104ebdb0bfb869803e99bb

SHA1
794e9a2f6dd374d0ff6d74faa1d87a7a2a7b6d30

SHA256
d1d6b2dbb200321b0d69db262591a8ee2d7e2c7320d11fc67fc11244206736c2

SHA512
3e46cd662af47e69623978e03158a2da59c6624acb37c67726c1377caf3d711498fec6bf3eafd4a76be6af3be887bd19d98d020b7e52fc69ec96854cf3398d44

Download Submit
C:\Users\Admin\Exl-47\docs.zip

Filesize
157KB

MD5
164f7996b586499ba1ebdb8e10f5581e

SHA1
72c005e12d9ee2c33c161c37eccbea2b7922be12

SHA256
3217397c6b12d88b5039a4c42848d8a6b03c37ecf322d9cf0836eebacc81149f

SHA512
c88a1c95dc83bf8bbacbd93cf9d9519a23de7e0158c8f39b2a371963e58eba25610562097c9d679f868e7aa0799cc4bb91e78acf8b82a9d8d09e7c8bdf6e0790

Download Submit
C:\Users\Admin\Exl-47\docs.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Exl-47\jivarthr edis.exe

Filesize
15.8MB

MD5
fed22809d70062733cd1c34e16b75c05

SHA1
4520676983fcc20cfc4ca5be1e2a7566f3491ffb

SHA256
947e75dc1f9b8a6d74a6d55afa7513ed86db907965cf0935ebb26c17f0ec6c5d

SHA512
b0f54b6e3d5917e9aebab614391ec8f1bb8c00ba9d366f707e02fa17582f4f7101aefa434291fd031d5bd0407c06dd2ed9fbabe5d7e8f5bd34bdb0240529c98d

Download Submit
C:\Users\Admin\Exl-47\xl\jivarthr edis.zip

Filesize
410KB

MD5
4eafa3bec4035e667774d517b2a2ebdb

SHA1
d34821f5a1a44d67f2da23e10d8e3846dec1645e

SHA256
edfe70cd0ebde54c87f6913958a66519c273b7f75dbd1dc4a3da9dd3a3e8e3e6

SHA512
fcd7408ab154cb9a5f5fb66c2c3966ab8921dff8b1cb5dcb98ffa18bff2c069cd6b752695dfaed6398d4e248b455e8b151b5267a1f45d715227bfb9222306f42

Download Submit
memory/2040-408-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2040-407-0x000000001C440000-0x000000001C4DC000-memory.dmp

Filesize
624KB

Download
memory/2040-406-0x000000001C9E0000-0x000000001CEAE000-memory.dmp

Filesize
4.8MB

Download
memory/3916-11-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-85-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-13-0x00007FFEC8510000-0x00007FFEC8520000-memory.dmp

Filesize
64KB

Download
memory/3916-14-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-17-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-19-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-18-0x00007FFEC8510000-0x00007FFEC8520000-memory.dmp

Filesize
64KB

Download
memory/3916-16-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-15-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-9-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-8-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-6-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-20-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-48-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-12-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-1-0x00007FFF0A58D000-0x00007FFF0A58E000-memory.dmp

Filesize
4KB

Download
memory/3916-10-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-5-0x00007FFECA570000-0x00007FFECA580000-memory.dmp

Filesize
64KB

Download
memory/3916-7-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-2-0x00007FFECA570000-0x00007FFECA580000-memory.dmp

Filesize
64KB

Download
memory/3916-4-0x00007FFECA570000-0x00007FFECA580000-memory.dmp

Filesize
64KB

Download
memory/3916-3-0x00007FFECA570000-0x00007FFECA580000-memory.dmp

Filesize
64KB

Download
memory/3916-0-0x00007FFECA570000-0x00007FFECA580000-memory.dmp

Filesize
64KB

Download
memory/3916-432-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-437-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-436-0x00007FFF0A58D000-0x00007FFF0A58E000-memory.dmp

Filesize
4KB

Download
memory/3916-441-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-442-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-446-0x00007FFF0A4F0000-0x00007FFF0A6E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads