5f1546c28e06698400fdb0c307bc82e4ab74ecac4913cbd106648f17a81e02ff

General

Target

scan 0003.xlsm
Size

78KB
MD5

74e2a78248c6f0a949f2bcd86d0315c8
SHA1

7209cc8af3c1704cd35aa5f9650335e50eba09ef
SHA256

5f1546c28e06698400fdb0c307bc82e4ab74ecac4913cbd106648f17a81e02ff
SHA512

99b74585e48d7f790ebdc512262307e955a7b71f1c283ba670b831138bb37a03a77936668d7adc7460f065bd364eecdd16dc6d8464cf09a6f2675a108b1461e6

Score

9^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zhkwhljhg.exe

pid process

2752 zhkwhljhg.exe

pid	process
2752	zhkwhljhg.exe

ServiceHost packer 7 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2752-10-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2752-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2752-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2752-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2752-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2752-15-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2752-16-0x0000000000000000-mapping.dmp	servicehost

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1568 EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1568 wrote to memory of 2752	1568	EXCEL.EXE	zhkwhljhg.exe
PID 1568 wrote to memory of 2752	1568	EXCEL.EXE	zhkwhljhg.exe
PID 1568 wrote to memory of 2752	1568	EXCEL.EXE	zhkwhljhg.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3792 2752 WerFault.exe zhkwhljhg.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3792 WerFault.exe
Token: SeBackupPrivilege 3792 WerFault.exe
Token: SeDebugPrivilege 3792 WerFault.exe

pid	pid_target	process	target process
3792	2752	WerFault.exe	zhkwhljhg.exe

description	pid	process
Token: SeRestorePrivilege	3792	WerFault.exe
Token: SeBackupPrivilege	3792	WerFault.exe
Token: SeDebugPrivilege	3792	WerFault.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan 0003.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Public\zhkwhljhg.exe
"C:\Users\Public\zhkwhljhg.exe"
2⤵
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1148
3⤵
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\zhkwhljhg.exe

Download Submit
C:\Users\Public\zhkwhljhg.exe

Download Submit
memory/2752-14-0x0000000000000000-mapping.dmp

Download
memory/2752-10-0x0000000000000000-mapping.dmp

Download
memory/2752-11-0x0000000000000000-mapping.dmp

Download
memory/2752-12-0x0000000000000000-mapping.dmp

Download
memory/2752-13-0x0000000000000000-mapping.dmp

Download
memory/2752-4-0x0000000000000000-mapping.dmp

Download
memory/2752-15-0x0000000000000000-mapping.dmp

Download
memory/2752-16-0x0000000000000000-mapping.dmp

Download
memory/3792-7-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3792-8-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3792-17-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads