Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-11-2020 17:46
Static task
static1
Behavioral task
behavioral1
Sample
Calculation-1421113288-11202020.xls
Resource
win7v20201028
General
-
Target
Calculation-1421113288-11202020.xls
-
Size
61KB
-
MD5
026e352321bacf5fb2cc6eb4002b26ae
-
SHA1
a27c9d892aeccb3759fbf71d21404befabbdd431
-
SHA256
3a8ac2f64fd8b15e4f88db0c54add4fd61e5c17dd5515ada898006169e2f99f2
-
SHA512
c488011641eeea64e4aa2458631b85ff7a855b89f34153f3f827d249d3022ac198d2a2a295bc210693777acd58349a77c0fe5483e9cd167d7de637c2c8dfd8fc
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1016 1880 rundll32.exe EXCEL.EXE -
Processes:
resource yara_rule C:\AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone -
Loads dropped DLL 5 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1016 rundll32.exe 1016 rundll32.exe 1016 rundll32.exe 1016 rundll32.exe 1604 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1880 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1016 rundll32.exe 1016 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 1016 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1880 EXCEL.EXE 1880 EXCEL.EXE 1880 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exedescription pid process target process PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1880 wrote to memory of 1016 1880 EXCEL.EXE rundll32.exe PID 1016 wrote to memory of 1912 1016 rundll32.exe explorer.exe PID 1016 wrote to memory of 1912 1016 rundll32.exe explorer.exe PID 1016 wrote to memory of 1912 1016 rundll32.exe explorer.exe PID 1016 wrote to memory of 1912 1016 rundll32.exe explorer.exe PID 1016 wrote to memory of 1912 1016 rundll32.exe explorer.exe PID 1016 wrote to memory of 1912 1016 rundll32.exe explorer.exe PID 1912 wrote to memory of 1148 1912 explorer.exe schtasks.exe PID 1912 wrote to memory of 1148 1912 explorer.exe schtasks.exe PID 1912 wrote to memory of 1148 1912 explorer.exe schtasks.exe PID 1912 wrote to memory of 1148 1912 explorer.exe schtasks.exe PID 1028 wrote to memory of 1616 1028 taskeng.exe regsvr32.exe PID 1028 wrote to memory of 1616 1028 taskeng.exe regsvr32.exe PID 1028 wrote to memory of 1616 1028 taskeng.exe regsvr32.exe PID 1028 wrote to memory of 1616 1028 taskeng.exe regsvr32.exe PID 1028 wrote to memory of 1616 1028 taskeng.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe PID 1616 wrote to memory of 1604 1616 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Calculation-1421113288-11202020.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rklaovuj /tr "regsvr32.exe -s \"C:\AutoCadest\AutoCadest2\Fiksat.dll\"" /SC ONCE /Z /ST 20:34 /ET 20:464⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {5DA828A4-F8F3-49D8-8B25-77CD61B8436C} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\AutoCadest\AutoCadest2\Fiksat.dll"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\AutoCadest\AutoCadest2\Fiksat.dll"3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\AutoCadest\AutoCadest2\Fiksat.dllMD5
6319f63c5db04ad54979b19df449f703
SHA13681b2bfae515ea1d6b9724d4e8ba14dfd53c95e
SHA2566eb8888a3edd79b8c6e98d15868d10acdc736dd220441cefe2436bddb0b24ac4
SHA51275398a91f8a9a44cc432f306259738c58ffd999473d354c3d07689a110c02449cd8d9561f7745a830eaecc4bef284c74727fdd02b418f3493ed169abfce885f5
-
C:\AutoCadest\AutoCadest2\Fiksat.dllMD5
0bf8973bea6d4e7a739fdb548d4a8a8a
SHA183e295a8e10b22ffae875ddd5fe1996544ca422a
SHA25613692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827
SHA5127ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
6319f63c5db04ad54979b19df449f703
SHA13681b2bfae515ea1d6b9724d4e8ba14dfd53c95e
SHA2566eb8888a3edd79b8c6e98d15868d10acdc736dd220441cefe2436bddb0b24ac4
SHA51275398a91f8a9a44cc432f306259738c58ffd999473d354c3d07689a110c02449cd8d9561f7745a830eaecc4bef284c74727fdd02b418f3493ed169abfce885f5
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
0bf8973bea6d4e7a739fdb548d4a8a8a
SHA183e295a8e10b22ffae875ddd5fe1996544ca422a
SHA25613692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827
SHA5127ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
0bf8973bea6d4e7a739fdb548d4a8a8a
SHA183e295a8e10b22ffae875ddd5fe1996544ca422a
SHA25613692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827
SHA5127ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
0bf8973bea6d4e7a739fdb548d4a8a8a
SHA183e295a8e10b22ffae875ddd5fe1996544ca422a
SHA25613692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827
SHA5127ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
0bf8973bea6d4e7a739fdb548d4a8a8a
SHA183e295a8e10b22ffae875ddd5fe1996544ca422a
SHA25613692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827
SHA5127ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba
-
memory/1016-8-0x0000000000180000-0x00000000001A0000-memory.dmpFilesize
128KB
-
memory/1016-10-0x0000000000140000-0x0000000000160000-memory.dmpFilesize
128KB
-
memory/1016-1-0x0000000000000000-mapping.dmp
-
memory/1148-11-0x0000000000000000-mapping.dmp
-
memory/1604-15-0x0000000000000000-mapping.dmp
-
memory/1616-13-0x0000000000000000-mapping.dmp
-
memory/1912-9-0x0000000000000000-mapping.dmp
-
memory/1912-12-0x0000000000080000-0x00000000000A0000-memory.dmpFilesize
128KB
-
memory/1912-7-0x00000000000A0000-0x00000000000A2000-memory.dmpFilesize
8KB
-
memory/2008-0-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmpFilesize
2.5MB