ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f

Analysis

max time kernel
139s
max time network
134s
platform
windows10_x64
resource
win10v20201028
submitted
13/11/2020, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Information.xlsb
Size

20KB
MD5

4dddb0320eac6050d6360c92c104d05c
SHA1

816db7af62de3dc200b88357a5341c6ce184cc93
SHA256

ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f
SHA512

b177b5faa839aeead6c9c732b0182b928903dd34e02d968b95cd93b2f3f01c3b72043c9dafcb6a96a9d1eeb67e4e12abaf537f7ac32b3d166d7f82914844881d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	672	1048	regsvr32.exe	68

Loads dropped DLL 1 IoCs

pid	Process
644	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3080	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0FA4161A-25A1-11EB-B59A-52BC0BFFD7E7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30849453"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80494be7adb9d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0803ae7adb9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3827347098"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30849453"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000db23f97af8a214a9da3619968f11747c516bfe4634f50f6dcb8b5fafa7f90ef8000000000e80000000020000200000001458d03affe55a775ac3b61f032205158ac6d451837c785b49026a0760df5bde20000000171ab48a8c9b24cfaa4c008dde4671d4714df3b2db7a98bc18fd3280bc51e5ae40000000b384c56caa8b0d2c954a1f9c2d8d1f7d33738e33f7b68e4e57ae7275a4efcc16e55f826114453e3f137f80d764cb43e901b2b6e3c4f5cea57845729a681ab70c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3827347098"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000d68ce214c6e129f098f8e4cb42a6d3d12dcd9b24b1b3f4f8bb57fdbe5af81af5000000000e80000000020000200000008820f002ac0025ceb93c2492b84f708098f8a3d615a879c5ccae74f351d5c1272000000025f9157bc716696a798f67552051e7eeee87ece3400cad7c1ca4a76f65cc4a4840000000d44dbdd3cdb5e348fee702ad733cb6fc723b2e991deac91a115c0b8a49baa31453e4fe42f01edaada0ecce9880702c886603abaf37669096eb6487e0ac4301a8	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1048	EXCEL.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3080	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1460	powershell.exe
1800	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1348	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1348	iexplore.exe
1348	iexplore.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 672	1048	EXCEL.EXE	77
PID 1048 wrote to memory of 672	1048	EXCEL.EXE	77
PID 672 wrote to memory of 644	672	regsvr32.exe	78
PID 672 wrote to memory of 644	672	regsvr32.exe	78
PID 672 wrote to memory of 644	672	regsvr32.exe	78
PID 1348 wrote to memory of 2536	1348	iexplore.exe	85
PID 1348 wrote to memory of 2536	1348	iexplore.exe	85
PID 1348 wrote to memory of 2536	1348	iexplore.exe	85
PID 2212 wrote to memory of 3928	2212	cmd.exe	88
PID 2212 wrote to memory of 3928	2212	cmd.exe	88
PID 3928 wrote to memory of 3172	3928	forfiles.exe	90
PID 3928 wrote to memory of 3172	3928	forfiles.exe	90
PID 3172 wrote to memory of 1460	3172	cmd.exe	91
PID 3172 wrote to memory of 1460	3172	cmd.exe	91
PID 1460 wrote to memory of 3656	1460	powershell.exe	92
PID 1460 wrote to memory of 3656	1460	powershell.exe	92
PID 3656 wrote to memory of 3804	3656	csc.exe	93
PID 3656 wrote to memory of 3804	3656	csc.exe	93
PID 1460 wrote to memory of 3188	1460	powershell.exe	94
PID 1460 wrote to memory of 3188	1460	powershell.exe	94
PID 3188 wrote to memory of 616	3188	csc.exe	95
PID 3188 wrote to memory of 616	3188	csc.exe	95
PID 1460 wrote to memory of 3040	1460	powershell.exe	57
PID 1800 wrote to memory of 3080	1800	cmd.exe	98
PID 1800 wrote to memory of 3080	1800	cmd.exe	98
PID 1800 wrote to memory of 3080	1800	cmd.exe	98
PID 1800 wrote to memory of 3080	1800	cmd.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3040
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Information.xlsb"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SYSTEM32\regsvr32.exe
    regsvr32 -s C:\ProgramData\Dori.ocx
    3⤵
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\SysWOW64\regsvr32.exe
      -s C:\ProgramData\Dori.ocx
      4⤵
      Loads dropped DLL
      PID:644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btyibkn2\btyibkn2.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C5E.tmp" "c:\Users\Admin\AppData\Local\Temp\btyibkn2\CSC15F867EB6A1C4A98AA499F9BA5721F7.TMP"
        7⤵
        
        PID:3804
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3uxnskv\t3uxnskv.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D19.tmp" "c:\Users\Admin\AppData\Local\Temp\t3uxnskv\CSCA1809FBDE8B8427D903D5E85B3BAFD32.TMP"
        7⤵
        
        PID:616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\ProgramData\Dori.ocx"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1348 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-5-0x0000000003400000-0x0000000003412000-memory.dmp

Filesize
72KB

Download
memory/1048-0-0x00007FFEA3F70000-0x00007FFEA45A7000-memory.dmp

Filesize
6.2MB

Download
memory/1460-33-0x0000026B427C0000-0x0000026B427D8000-memory.dmp

Filesize
96KB

Download
memory/1460-15-0x0000026B42640000-0x0000026B42641000-memory.dmp

Filesize
4KB

Download
memory/1460-31-0x0000026B425F0000-0x0000026B425F1000-memory.dmp

Filesize
4KB

Download
memory/1460-14-0x0000026B42370000-0x0000026B42371000-memory.dmp

Filesize
4KB

Download
memory/1460-23-0x0000026B425E0000-0x0000026B425E1000-memory.dmp

Filesize
4KB

Download
memory/1460-13-0x00007FFE9AE20000-0x00007FFE9B80C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-34-0x000001F8480C0000-0x000001F8480D8000-memory.dmp

Filesize
96KB

Download