Analysis
max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 25-11-2020 14:56
Static task: static1
Behavioral task: behavioral1
Sample: Calculation-438711349-11202020.xls
Resource: win7v20201028
General
Target: Calculation-438711349-11202020.xls
Size: 62KB
MD5: 182d899cffb334cede36bd37a5fc5730
SHA1: 9f8745527a3fe95eaa6ce0f37088791c88e4d30f
SHA256: 90d873d4a311bcaff6c522cadd137c382aff572144cd2cee4f1873ec851ca8d7
SHA512: aaebd74aafb0f457152fad1e80b2a15fbcdaf85464616e6621dacb039a50b822da7e583492da64aabda1a9cfcedf7450b16a8304862a801f29ca3b6f9bc2e6ee
Malware Config
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  pid: 1460 (rundll32.exe)
  pid_target: 336 (EXCEL.EXE)
Resources matching a YARA rule (resource / yara_rule):
  C:\AutoCadest\AutoCadest2\Fiksat.dll   cryptone
  \AutoCadest\AutoCadest2\Fiksat.dll     cryptone (4 matches)
Loads dropped DLL 5 IoCs
Processes: rundll32.exe, regsvr32.exe
  pid 1460  rundll32.exe (4 loads)
  pid 576   regsvr32.exe (1 load)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Modifies Internet Explorer settings
Processes: EXCEL.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\
  Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
  Key created      MenuExt
  Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created      MenuExt\E&xport to Microsoft Excel
  Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created      Toolbar
  Key created      MenuExt\Se&nd to OneNote
  Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
  pid 336  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rundll32.exe
  pid 1460  rundll32.exe (2 events)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: rundll32.exe
  pid 1460  rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: EXCEL.EXE
  pid 336  EXCEL.EXE (3 events)
Suspicious use of WriteProcessMemory 29 IoCs
Processes: EXCEL.EXE, rundll32.exe, explorer.exe, taskeng.exe, regsvr32.exe
  source pid  source process  target pid  target process  events
  336         EXCEL.EXE       1460        rundll32.exe    7
  1460        rundll32.exe    928         explorer.exe    6
  928         explorer.exe    1264        schtasks.exe    4
  1560        taskeng.exe     1676        regsvr32.exe    5
  1676        regsvr32.exe    576         regsvr32.exe    7
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 336)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Calculation-438711349-11202020.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (pid 1460, child of EXCEL.EXE)
    command line: rundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (pid 928, child of rundll32.exe)
      command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (pid 1264, child of explorer.exe)
        command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn binszvymkl /tr "regsvr32.exe -s \"C:\AutoCadest\AutoCadest2\Fiksat.dll\"" /SC ONCE /Z /ST 16:01 /ET 16:13
        - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (pid 1560)
  command line: taskeng.exe {CDF8D331-50AF-4E31-B528-5DC875F2DBC2} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\regsvr32.exe (pid 1676, child of taskeng.exe)
    command line: regsvr32.exe -s "C:\AutoCadest\AutoCadest2\Fiksat.dll"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe (pid 576, child of regsvr32.exe)
      command line: -s "C:\AutoCadest\AutoCadest2\Fiksat.dll"
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\AutoCadest\AutoCadest2\Fiksat.dll (also recorded as \AutoCadest\AutoCadest2\Fiksat.dll)
  MD5:    a4b16163e91557b97f4c4b3aa5a65370
  SHA1:   28f85dbb690645b8b5ddb3477284b9d6a634e0ee
  SHA256: 1f1dcdd297bf791cc6f0e06bd23ce64fd99e78b40f0b5f8f896233fbc41427b0
  SHA512: efa5fb2f180c8b7c925bdc63aef5ea3ea10ac0563e8070a510af5579e233cc25aaa164ffd4bcb9908e1f5acd1e85994a4ebd8592058a073b173fee0a097277c3

C:\AutoCadest\AutoCadest2\Fiksat.dll (also recorded as \AutoCadest\AutoCadest2\Fiksat.dll; a different file written to the same path)
  MD5:    d6c770067c83a56c438b156f35be5b12
  SHA1:   7ec8853fd5189f5f604fcca5898410231d3ba109
  SHA256: b98feb7f25738bb91edd7178c1c99ea934e37330e52d4b115bc3cb2faaf117c1
  SHA512: a55861175f97fdc3fc72ed723d8ce7f504c88f5320ce8c849e5bd69a7079f7cd3acc9d6ed1c4932bcc887a18287d3be810068a7456f4d2ab9c54dac89b8da916
Memory dumps (file, size where recorded):
  memory/576-15-0x0000000000000000-mapping.dmp
  memory/928-7-0x00000000000A0000-0x00000000000A2000-memory.dmp    8KB
  memory/928-9-0x0000000000000000-mapping.dmp
  memory/928-12-0x0000000000080000-0x00000000000A0000-memory.dmp   128KB
  memory/1264-11-0x0000000000000000-mapping.dmp
  memory/1460-10-0x0000000000120000-0x0000000000140000-memory.dmp  128KB
  memory/1460-8-0x0000000000240000-0x0000000000260000-memory.dmp   128KB
  memory/1460-1-0x0000000000000000-mapping.dmp
  memory/1484-0-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp   2.5MB
  memory/1676-13-0x0000000000000000-mapping.dmp