Analysis
- max time kernel: 135s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-11-2020 22:49

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: sample.xls, resource: win7v20201028)
- Behavioral task: behavioral2 (sample: sample.xls, resource: win10v20201028)
General
- Target: sample.xls
- Size: 101KB
- MD5: 736e81cce9c84c0f3de65ed475bde501
- SHA1: 781ee5c6fd1293059ef9295be072777bc9d192a1
- SHA256: ccfce06113edd99d25c935f5d8a503140e6b402adb4cf4909e158f9c84aef8bc
- SHA512: 5fe2317508c921e38fb65722cd36ca5cd1c3ebb03c0cf27d9311d51126edfa16d09845cb4819a4005061167953bce6cca288d13659859813fc03882e88bc382a
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: certutil.exe, rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2092 | 912 | certutil.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3412 | 912 | rundll32.exe | EXCEL.EXE
- Blacklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid | process
  27 | 3980 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  3980 | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  912 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes: EXCEL.EXE
  pid | process
  912 | EXCEL.EXE (the same entry is listed 13 times)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: EXCEL.EXE, rundll32.exe
  description | pid | process | target process
  PID 912 wrote to memory of 2092 | 912 | EXCEL.EXE | certutil.exe (listed twice)
  PID 912 wrote to memory of 3412 | 912 | EXCEL.EXE | rundll32.exe (listed twice)
  PID 3412 wrote to memory of 3980 | 3412 | rundll32.exe | rundll32.exe (listed three times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\certutil.exe (depth 2)
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\e2.txt C:\Users\Public\e2.dll
    - Process spawned unexpected child process
  - C:\Windows\System32\rundll32.exe (depth 2)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\e2.dll,DD
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\e2.dll,DD
      - Blacklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Public\e2.dll
  MD5: 9c2eccb3e9672e47327b6c829021d0d4
  SHA1: 819f972ef5dc6685c4f5a96f0b5c14d9b7010490
  SHA256: b3880e41e54550f102ed4ddc0b255d5e8282d2e0522d96b2ed50423673afe288
  SHA512: 49c607f460c4c35f5ad0959f637416125ebfbf3fd0c01b923f4983ca007ee0986ebc845bec027d690e7cc09772fc2c4688eaf49e1eeee29df5ba5019f5680220
- C:\Users\Public\e2.txt
  MD5: 7bab932b5f15952e687f504431da31ab
  SHA1: 75376e29e7647134d11d2adeaddb1f1c05f0a530
  SHA256: 69b223e94dff3129220f372162212277ef8903128a32bdb36aed183c4534b1e8
  SHA512: fcc52d135cc50aa9e608016a28583c829370c4508a854ebecf67b7819bc032965326061ebc64757236540c01bc858900423c1f0c7906b11b1e845785d4cd9e82
- \Users\Public\e2.dll (identical hashes to C:\Users\Public\e2.dll above)
- memory/912-0-0x00007FF8FE650000-0x00007FF8FEC87000-memory.dmp (filesize: 6.2MB)
- memory/2092-3-0x0000000000000000-mapping.dmp
- memory/3412-5-0x0000000000000000-mapping.dmp
- memory/3980-7-0x0000000000000000-mapping.dmp