ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc

General

Target

sample.xls
Size

101KB
MD5

736e81cce9c84c0f3de65ed475bde501
SHA1

781ee5c6fd1293059ef9295be072777bc9d192a1
SHA256

ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc
SHA512

5fe2317508c921e38fb65722cd36ca5cd1c3ebb03c0cf27d9311d51126edfa16d09845cb4819a4005061167953bce6cca288d13659859813fc03882e88bc382a

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2092	912	certutil.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3412	912	rundll32.exe	EXCEL.EXE

Blacklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

27 3980 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3980 rundll32.exe

flow	pid	process
27	3980	rundll32.exe

pid	process
3980	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

912 EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE
912	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EXCEL.EXErundll32.exe

description	pid	process	target process
PID 912 wrote to memory of 2092	912	EXCEL.EXE	certutil.exe
PID 912 wrote to memory of 2092	912	EXCEL.EXE	certutil.exe
PID 912 wrote to memory of 3412	912	EXCEL.EXE	rundll32.exe
PID 912 wrote to memory of 3412	912	EXCEL.EXE	rundll32.exe
PID 3412 wrote to memory of 3980	3412	rundll32.exe	rundll32.exe
PID 3412 wrote to memory of 3980	3412	rundll32.exe	rundll32.exe
PID 3412 wrote to memory of 3980	3412	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\e2.txt C:\Users\Public\e2.dll
2⤵
- Process spawned unexpected child process
PID:2092

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\e2.dll,DD
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\e2.dll,DD
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\e2.dll
MD5
9c2eccb3e9672e47327b6c829021d0d4

SHA1
819f972ef5dc6685c4f5a96f0b5c14d9b7010490

SHA256
b3880e41e54550f102ed4ddc0b255d5e8282d2e0522d96b2ed50423673afe288

SHA512
49c607f460c4c35f5ad0959f637416125ebfbf3fd0c01b923f4983ca007ee0986ebc845bec027d690e7cc09772fc2c4688eaf49e1eeee29df5ba5019f5680220

Download Submit
C:\Users\Public\e2.txt
MD5
7bab932b5f15952e687f504431da31ab

SHA1
75376e29e7647134d11d2adeaddb1f1c05f0a530

SHA256
69b223e94dff3129220f372162212277ef8903128a32bdb36aed183c4534b1e8

SHA512
fcc52d135cc50aa9e608016a28583c829370c4508a854ebecf67b7819bc032965326061ebc64757236540c01bc858900423c1f0c7906b11b1e845785d4cd9e82

Download Submit
\Users\Public\e2.dll
MD5
9c2eccb3e9672e47327b6c829021d0d4

SHA1
819f972ef5dc6685c4f5a96f0b5c14d9b7010490

SHA256
b3880e41e54550f102ed4ddc0b255d5e8282d2e0522d96b2ed50423673afe288

SHA512
49c607f460c4c35f5ad0959f637416125ebfbf3fd0c01b923f4983ca007ee0986ebc845bec027d690e7cc09772fc2c4688eaf49e1eeee29df5ba5019f5680220

Download Submit
memory/912-0-0x00007FF8FE650000-0x00007FF8FEC87000-memory.dmp

Filesize
6.2MB

Download
memory/2092-3-0x0000000000000000-mapping.dmp

Download
memory/3412-5-0x0000000000000000-mapping.dmp

Download
memory/3980-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads