5f1546c28e06698400fdb0c307bc82e4ab74ecac4913cbd106648f17a81e02ff

General

Target

scan 0003.xlsm
Size

78KB
MD5

74e2a78248c6f0a949f2bcd86d0315c8
SHA1

7209cc8af3c1704cd35aa5f9650335e50eba09ef
SHA256

5f1546c28e06698400fdb0c307bc82e4ab74ecac4913cbd106648f17a81e02ff
SHA512

99b74585e48d7f790ebdc512262307e955a7b71f1c283ba670b831138bb37a03a77936668d7adc7460f065bd364eecdd16dc6d8464cf09a6f2675a108b1461e6

Score

8^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1412 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1412 EXCEL.EXE
1412 EXCEL.EXE
1412 EXCEL.EXE
1412 EXCEL.EXE
1412 EXCEL.EXE

pid	process
1412	EXCEL.EXE

pid	process
1412	EXCEL.EXE
1412	EXCEL.EXE
1412	EXCEL.EXE
1412	EXCEL.EXE
1412	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1412 wrote to memory of 1828	1412	EXCEL.EXE	zhkwhljhg.exe
PID 1412 wrote to memory of 1828	1412	EXCEL.EXE	zhkwhljhg.exe
PID 1412 wrote to memory of 1828	1412	EXCEL.EXE	zhkwhljhg.exe
PID 1412 wrote to memory of 1828	1412	EXCEL.EXE	zhkwhljhg.exe

Executes dropped EXE 1 IoCs

Processes:

zhkwhljhg.exe

pid process

1828 zhkwhljhg.exe
Office loads VBA resources, possible macro or embedded object present

pid	process
1828	zhkwhljhg.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\scan 0003.xlsm"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
PID:1412

C:\Users\Public\zhkwhljhg.exe
"C:\Users\Public\zhkwhljhg.exe"
2⤵
- Executes dropped EXE
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\zhkwhljhg.exe

Download Submit
C:\Users\Public\zhkwhljhg.exe

Download Submit
memory/1412-0-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1412-2-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1412-3-0x00000000003D8000-0x00000000003DA000-memory.dmp

Filesize
8KB

Download
memory/1412-4-0x0000000006790000-0x0000000006890000-memory.dmp

Filesize
1024KB

Download
memory/1828-5-0x0000000000000000-mapping.dmp

Download
memory/1828-9-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing