Analysis
-
max time kernel
155s -
max time network
140s -
platform
windows10_x64 -
resource
win10-20220310-en -
submitted
14-03-2022 20:16
Behavioral task
behavioral1
Sample
8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578.xlsm
Resource
win10-20220310-en
Behavioral task
behavioral2
Sample
8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578.xlsm
Resource
win10-20220310-en
General
-
Target
8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578.xlsm
-
Size
48KB
-
MD5
1655267f2eef17c7bea81ee6cf65fbf9
-
SHA1
dd062a715bd8eee2b8b4d30e6786e5b108b63c1a
-
SHA256
8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578
-
SHA512
3b0f05743a81756ef75e8da15e393f40365c71d7e986141bfb467acd8a232581cc5bd01953ed61b6129652ebd9517b1282f01fbbe2e808aa70dc3c906bbb726d
Malware Config
Extracted
http://www.arkpp.com/ARIS-BSU/9K1/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3136 2472 regsvr32.exe EXCEL.EXE -
Downloads MZ/PE file
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2472 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
EXCEL.EXEpid process 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE 2472 EXCEL.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 2472 wrote to memory of 3136 2472 EXCEL.EXE regsvr32.exe PID 2472 wrote to memory of 3136 2472 EXCEL.EXE regsvr32.exe PID 2472 wrote to memory of 3136 2472 EXCEL.EXE regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEPID:2472"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578.xlsm"Checks processor information in registryEnumerates system info in registrySuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\regsvr32.exePID:3136C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dllProcess spawned unexpected child process
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
memory/2472-118-0x00007FFB7EB50000-0x00007FFB7EB60000-memory.dmpFilesize
64KB
-
memory/2472-119-0x00007FFB7EB50000-0x00007FFB7EB60000-memory.dmpFilesize
64KB
-
memory/2472-120-0x00007FFB7EB50000-0x00007FFB7EB60000-memory.dmpFilesize
64KB
-
memory/2472-121-0x00007FFB7EB50000-0x00007FFB7EB60000-memory.dmpFilesize
64KB
-
memory/2472-122-0x00007FFBBEAC0000-0x00007FFBBEC9B000-memory.dmpFilesize
1MB
-
memory/2472-123-0x00007FFBBCA90000-0x00007FFBBCB3E000-memory.dmpFilesize
696KB