Analysis
- max time kernel: 64s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-11-2020 22:49
Static task: static1
Behavioral task: behavioral1 (Sample: sample.xls, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: sample.xls, Resource: win10v20201028)
General
- Target: sample.xls
- Size: 101KB
- MD5: 736e81cce9c84c0f3de65ed475bde501
- SHA1: 781ee5c6fd1293059ef9295be072777bc9d192a1
- SHA256: ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc
- SHA512: 5fe2317508c921e38fb65722cd36ca5cd1c3ebb03c0cf27d9311d51126edfa16d09845cb4819a4005061167953bce6cca288d13659859813fc03882e88bc382a
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: certutil.exe, rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1704 | 1876 | certutil.exe | EXCEL.EXE
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1904 | 1876 | rundll32.exe | EXCEL.EXE
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe
  pid | process
  1904 | rundll32.exe
  1904 | rundll32.exe
  1904 | rundll32.exe
  1904 | rundll32.exe
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes: EXCEL.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1876 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1876 | EXCEL.EXE
  1876 | EXCEL.EXE
  1876 | EXCEL.EXE
  1876 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: EXCEL.EXE
  description | pid | process | target process
  PID 1876 wrote to memory of 1704 | 1876 | EXCEL.EXE | certutil.exe
  PID 1876 wrote to memory of 1704 | 1876 | EXCEL.EXE | certutil.exe
  PID 1876 wrote to memory of 1704 | 1876 | EXCEL.EXE | certutil.exe
  PID 1876 wrote to memory of 1704 | 1876 | EXCEL.EXE | certutil.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
  PID 1876 wrote to memory of 1904 | 1876 | EXCEL.EXE | rundll32.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\sample.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\certutil.exe
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\e2.txt C:\Users\Public\e2.dll
    - Process spawned unexpected child process
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\e2.dll,DD
    - Process spawned unexpected child process
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\e2.dll
  MD5: 9c2eccb3e9672e47327b6c829021d0d4
  SHA1: 819f972ef5dc6685c4f5a96f0b5c14d9b7010490
  SHA256: b3880e41e54550f102ed4ddc0b255d5e8282d2e0522d96b2ed50423673afe288
  SHA512: 49c607f460c4c35f5ad0959f637416125ebfbf3fd0c01b923f4983ca007ee0986ebc845bec027d690e7cc09772fc2c4688eaf49e1eeee29df5ba5019f5680220
- C:\Users\Public\e2.txt
  MD5: 7bab932b5f15952e687f504431da31ab
  SHA1: 75376e29e7647134d11d2adeaddb1f1c05f0a530
  SHA256: 69b223e94dff3129220f372162212277ef8903128a32bdb36aed183c4534b1e8
  SHA512: fcc52d135cc50aa9e608016a28583c829370c4508a854ebecf67b7819bc032965326061ebc64757236540c01bc858900423c1f0c7906b11b1e845785d4cd9e82
- \Users\Public\e2.dll
  MD5: 9c2eccb3e9672e47327b6c829021d0d4
  SHA1: 819f972ef5dc6685c4f5a96f0b5c14d9b7010490
  SHA256: b3880e41e54550f102ed4ddc0b255d5e8282d2e0522d96b2ed50423673afe288
  SHA512: 49c607f460c4c35f5ad0959f637416125ebfbf3fd0c01b923f4983ca007ee0986ebc845bec027d690e7cc09772fc2c4688eaf49e1eeee29df5ba5019f5680220
- memory/1504-1-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp (Filesize: 2.5MB)
- memory/1704-3-0x0000000000000000-mapping.dmp
- memory/1876-0-0x0000000000483000-0x0000000000490000-memory.dmp (Filesize: 52KB)
- memory/1876-2-0x0000000007580000-0x0000000007581000-memory.dmp (Filesize: 4KB)
- memory/1904-5-0x0000000000000000-mapping.dmp