f03234e69c590e38fb19c15c19a1b1526da18d6ea8d2634ae9fd81dbf5168b2c

General

Target

0b1145386e54c133263fc6e8a9a71ed5.xlsm
Size

233KB
MD5

0b1145386e54c133263fc6e8a9a71ed5
SHA1

425de0627c45d39118b4ab7e15e07fc97df1f31f
SHA256

f03234e69c590e38fb19c15c19a1b1526da18d6ea8d2634ae9fd81dbf5168b2c
SHA512

4ec6e54b0a4e578cd99113c77fe85ffac691f013cf4f78f052d48a51a9b8258ceea42c5666791444ebb752731a0e4bba1907f38ff042bc92ac26926f1c66a73e
SSDEEP

3072:SjAeN0RKSwCchO7e/1GrpdXx6sj848QjWvpGtdWWDDEAB7VaQFhIcB6tOVRa1J:SDNSLcq+YXEsWpGj53ha7o+0O

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3344	4100	MSHTA.exe	87

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4100	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4100	EXCEL.EXE
4100	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0b1145386e54c133263fc6e8a9a71ed5.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4100
- C:\Windows\SYSTEM32\MSHTA.exe
  MSHTA C:\ProgramData\qFnTH.sct
  2⤵
  - Process spawned unexpected child process
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qFnTH.sct

Filesize
25KB

MD5
ab4e961577cc7e8cf23e8551e9a1801c

SHA1
89f1e33bac334bfb47cfa936d6a1b443fab8d53d

SHA256
d1fc0ea77951ab31970b1877dab1df28fb0660129adea0447072ff7b6fc09cde

SHA512
ee04417d3c5a344489a51df30d7afa64debf6a3fae832e983c1e4da822fe4b6cd14d99dbf806aeeac2ddaa6c45ccfead6be492e6db9bc31abac39e2e00c31165

Download Submit
memory/4100-14-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-64-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-4-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-2-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-5-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-6-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-7-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-8-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-9-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-10-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-11-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-12-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-66-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-3-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-28-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-22-0x00007FFDE64B0000-0x00007FFDE64C0000-memory.dmp

Filesize
64KB

Download
memory/4100-26-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-27-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-15-0x00007FFDE64B0000-0x00007FFDE64C0000-memory.dmp

Filesize
64KB

Download
memory/4100-1-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-59-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-60-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-62-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-61-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-63-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-0-0x00007FFDE8A30000-0x00007FFDE8A40000-memory.dmp

Filesize
64KB

Download
memory/4100-65-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4100-13-0x00007FFE289B0000-0x00007FFE28BA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads