Analysis
- max time kernel: 136s
- max time network: 138s
- platform: windows7_x64
- resource: win7v200430
- submitted: 29-05-2020 15:54

Static task: static1
Behavioral task: behavioral1
- Sample: 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
- Resource: win7v200430

General
- Target: 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
- Size: 86KB
- MD5: a758f5bfaeb275b5dfaf5be55a8b087b
- SHA1: eff178dfef00ee753f4a540107632e43ec4a4ef9
- SHA256: 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366
- SHA512: 7e96b281aa9433bb05073ff0ee9cb9d94384ef6cf9b801d11d5d420d647c79310f18485fab340afa8d0eb9bcdc64ec7cf885ee5636fc7edcfbbfe54ff208f364
Malware Config
Signatures
- Runs net.exe
- Discovers systems in the same network (1 TTPs, 2 IoCs)
  Tagged on net view /all and net view /all /domain in the process tree below.
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 1304 EXCEL.EXE (3 times)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 1824 rundll32.exe set thread context of PID 1560 msiexec.exe
  This is the injection step: the 32-bit rundll32.exe that loaded the dropped DLL starts a bare msiexec.exe and redirects its thread into code it wrote there (see the WriteProcessMemory pairs below).
- Blacklisted process makes network request (10 IoCs)
  Processes:
    pid 1560 msiexec.exe, flows 19 to 28
  msiexec.exe has no package to install here (empty command line, started by rundll32.exe rather than the Installer service), so these ten flows belong to the injected code, not to Windows Installer.
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (pid 1304) is not expected to spawn rundll32.exe (pid 1828)
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 1824 rundll32.exe (4 times)
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 2 IoCs)
  Processes:
    ipconfig.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs
    ipconfig.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas
  Both keys are written by ipconfig.exe, not by the injected msiexec.exe. On Windows 7, ipconfig /all loads the NAP client components, which create these keys, so this is a side effect of the discovery command rather than a service installed by the sample.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid 1560 msiexec.exe
- Modifies system certificate store
  Processes:
    EXCEL.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
    EXCEL.EXE: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob elided in this copy)
    EXCEL.EXE: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
    msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
    msiexec.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob elided in this copy)
  The key name is the SHA-1 thumbprint of DST Root CA X3, and the friendly-name property inside the blob (UTF-16 "DST Root CA X3", visible as 4400530054002000... above) confirms it. AuthRoot is the cache that Windows fills through automatic root-certificate update the first time a process validates a chain ending in a root not yet present locally, so these writes show that EXCEL.EXE and msiexec.exe each performed chain validation (typically TLS) against a host chaining to that root; they are not an attacker-installed root. A root added by an attacker with certutil -addstore or the CertAddCertificateContextToStore API would normally appear under ...\SystemCertificates\ROOT\Certificates instead.
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid 1304 EXCEL.EXE
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (writer -> target, repeated writes collapsed):
    PID 1304 EXCEL.EXE -> 1828 rundll32.exe (3 writes)
    PID 1828 rundll32.exe -> 1824 rundll32.exe (7 writes)
    PID 1824 rundll32.exe -> 1560 msiexec.exe (9 writes)
    PID 1560 msiexec.exe -> 820 cmd.exe (4 writes)
    PID 820 cmd.exe -> 2020 ipconfig.exe (4 writes)
    PID 1560 msiexec.exe -> 2044 cmd.exe (4 writes)
    PID 2044 cmd.exe -> 1460 net.exe (4 writes)
    PID 1460 net.exe -> 760 net1.exe (4 writes)
    PID 1560 msiexec.exe -> 892 cmd.exe (4 writes)
    PID 892 cmd.exe -> 1728 net.exe (4 writes)
    PID 1560 msiexec.exe -> 1496 cmd.exe (4 writes)
    PID 1496 cmd.exe -> 1076 net.exe (4 writes)
  The only writer/target pair that also carries a SetThreadContext IoC is rundll32.exe (1824) -> msiexec.exe (1560); the remaining pairs line up one-to-one with ordinary child-process creation in the tree below.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    pid 1560 msiexec.exe: Token: SeSecurityPrivilege (2 times)
Processes
1  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
   - Suspicious use of SetWindowsHookEx
   - Modifies system certificate store
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\System32\rundll32.exe
     Command line: "C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer
     - Process spawned unexpected child process
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\rundll32.exe
       Command line: "C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer
       - Suspicious use of SetThreadContext
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Blacklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Modifies system certificate store
         - Suspicious use of WriteProcessMemory
         - Suspicious use of AdjustPrivilegeToken
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: cmd.exe /c ipconfig /all
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\SysWOW64\ipconfig.exe
             Command line: ipconfig /all
             - Modifies service
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: cmd.exe /c net config workstation
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\SysWOW64\net.exe
             Command line: net config workstation
             - Suspicious use of WriteProcessMemory
            7  C:\Windows\SysWOW64\net1.exe
               Command line: C:\Windows\system32\net1 config workstation
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: cmd.exe /c net view /all
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\SysWOW64\net.exe
             Command line: net view /all
             - Discovers systems in the same network
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: cmd.exe /c net view /all /domain
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\SysWOW64\net.exe
             Command line: net view /all /domain
             - Discovers systems in the same network

Reading the tree: the macro runs the DLL it dropped as C:\Users\Admin\Documents\mHMUKpx.dll by bare name, so rundll32.exe resolves mHMUKpx.dll through the loader search path (the working directory, which for the document is its Documents folder) rather than from System32. The 64-bit rundll32.exe (pid 1828) hands off to the 32-bit copy under SysWOW64 (pid 1824), which is the process that loads the DLL, so the DLL is 32-bit. That process starts msiexec.exe with an empty command line and redirects its thread (SetThreadContext); the injected msiexec.exe then runs host and network discovery (ipconfig /all, net config workstation, net view /all, net view /all /domain) and produces the network flows recorded above.
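The following added example (not part of the report or of any vendor's detection content) turns the chain above into four triage rules and runs them over process-creation events constructed from this tree. The PIDs, images and command lines in EVENTS are the ones the report records; the tuple layout, the rule names and the thresholds are this example's own, loosely modelled on Sysmon Event ID 1 fields. The rules also generalise a little beyond this sample: any Office parent launching a script or DLL host, any rundll32 given a relative DLL name, any msiexec with no installer switches outside the Installer machinery, and any three or more distinct discovery commands under one origin process.

```python
"""Process-tree triage for the Excel -> rundll32 -> msiexec -> discovery chain."""
import ntpath
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "msiexec.exe"}
# Parents that legitimately start msiexec.exe (the Installer service re-launches itself).
MSIEXEC_PARENTS = {"services.exe", "msiexec.exe", "explorer.exe", "svchost.exe"}
# First letters of msiexec switches that imply real installer work (/i /x /a /j /p /f /update /uninstall).
MSIEXEC_WORK = set("ixajpfu")
DISCOVERY = {"ipconfig.exe": {"/all"},
             "net.exe": {"view", "config", "user", "group", "localgroup"}}
SHELLS = {"cmd.exe", "conhost.exe"}  # transparent wrappers skipped when finding a command's origin

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm"
# Constructed from the report's tree: (pid, ppid, image, command line); ppid 0 = parent not recorded.
EVENTS = [
    (1304, 0, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde ' + SAMPLE),
    (1828, 1304, r"C:\Windows\System32\rundll32.exe", r'"C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer'),
    (1824, 1828, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer'),
    (1560, 1824, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe"),
    (820, 1560, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ipconfig /all"),
    (2020, 820, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (2044, 1560, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net config workstation"),
    (1460, 2044, r"C:\Windows\SysWOW64\net.exe", "net config workstation"),
    (760, 1460, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 config workstation"),
    (892, 1560, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net view /all"),
    (1728, 892, r"C:\Windows\SysWOW64\net.exe", "net view /all"),
    (1496, 1560, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c net view /all /domain"),
    (1076, 1496, r"C:\Windows\SysWOW64\net.exe", "net view /all /domain"),
]


def _base(path):
    return ntpath.basename(path).lower()


def _args(cmdline):
    """Return what follows the program token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        return s[close + 1:].strip() if close != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def triage(events):
    """Return (rule, pid, ...) findings for a list of process-creation events."""
    procs = {pid: (ppid, image) for pid, ppid, image, _ in events}
    findings = []
    discovery = defaultdict(set)  # origin pid -> distinct discovery commands under it

    for pid, ppid, image, cmdline in events:
        name = _base(image)
        pname = _base(procs[ppid][1]) if ppid in procs else ""
        args = _args(cmdline)

        # Office should never be the parent of a script or DLL host.
        if pname in OFFICE_APPS and name in LOLBINS:
            findings.append(("office_spawns_lolbin", pid))

        # A bare DLL name is resolved through the loader search path (working
        # directory included), so it points at whatever the macro dropped.
        if name == "rundll32.exe" and args:
            dll = args.split(",", 1)[0].strip('"')
            if not ntpath.isabs(dll):
                findings.append(("rundll32_relative_dll", pid))

        # msiexec.exe with nothing to install, started outside the Installer
        # machinery, is an injection host rather than an installation.
        if name == "msiexec.exe" and pname not in MSIEXEC_PARENTS:
            switches = {t.lstrip("/-").lower()[:1] for t in args.split() if t[:1] in "/-"}
            if not switches & MSIEXEC_WORK:
                findings.append(("msiexec_without_package", pid))

        # Attribute each discovery command to its nearest non-shell ancestor.
        verb = args.split(None, 1)[0].lower() if args else ""
        if verb in DISCOVERY.get(name, ()):
            origin = ppid
            while origin in procs and _base(procs[origin][1]) in SHELLS:
                origin = procs[origin][0]
            discovery[origin].add(f"{name} {args.lower()}")

    for origin, cmds in discovery.items():
        if len(cmds) >= 3:
            findings.append(("discovery_burst", origin, len(cmds)))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

Against this tree the rules fire on pid 1828 (Office parent, relative DLL), pid 1824 (relative DLL again, after the WoW64 hand-off), pid 1560 (bare msiexec.exe under rundll32.exe) and again on 1560 as the origin of four distinct discovery commands. Each rule on its own has benign hits in a real estate (an add-in installer using rundll32, an MSI repair); the value is that one process lineage trips all four.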
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\mHMUKpx.dll (also recorded as \Users\Admin\Documents\mHMUKpx.dll)
- memory/1560-5-0x0000000000090000-0x00000000000C7000-memory.dmp (220KB)
- memory/1560-6-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/1560-7-0x0000000000090000-0x00000000000C7000-memory.dmp (220KB)

The memory dumps all come from msiexec.exe (pid 1560), the injection target: the 0x90000-0xC7000 region (220KB) was captured twice, plus one 4KB page at 0xD0000.