Analysis
-
max time kernel
143s -
max time network
49s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-11-2020 16:41
Static task
static1
Behavioral task
behavioral1
Sample
Calculation-1905798087-11202020.xls
Resource
win7v20201028
General
-
Target
Calculation-1905798087-11202020.xls
-
Size
61KB
-
MD5
d2ccb220ebd1726027a94b8e55f7ea57
-
SHA1
8863bcc3dce81b2c0fa34c9d5c25bad443159597
-
SHA256
89ef9b418bfd698c45ec3caac3067d0fb155118de909362afe9dd811f41094ec
-
SHA512
23964e20b805c840877fd8e4c9f340971f9ea6b7db4d0237590dded6d83753bef77e31f7f2b8398eaeee800ca21f3ead5fc49f45e26d7d349e23a596fff74773
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1708 1840 rundll32.exe EXCEL.EXE -
Processes:
resource yara_rule C:\AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone \AutoCadest\AutoCadest2\Fiksat.dll cryptone -
Loads dropped DLL 5 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1708 rundll32.exe 1708 rundll32.exe 1708 rundll32.exe 1708 rundll32.exe 1728 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1840 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1708 rundll32.exe 1708 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 1708 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1840 EXCEL.EXE 1840 EXCEL.EXE 1840 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exedescription pid process target process PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1840 wrote to memory of 1708 1840 EXCEL.EXE rundll32.exe PID 1708 wrote to memory of 1036 1708 rundll32.exe explorer.exe PID 1708 wrote to memory of 1036 1708 rundll32.exe explorer.exe PID 1708 wrote to memory of 1036 1708 rundll32.exe explorer.exe PID 1708 wrote to memory of 1036 1708 rundll32.exe explorer.exe PID 1708 wrote to memory of 1036 1708 rundll32.exe explorer.exe PID 1708 wrote to memory of 1036 1708 rundll32.exe explorer.exe PID 1036 wrote to memory of 980 1036 explorer.exe schtasks.exe PID 1036 wrote to memory of 980 1036 explorer.exe schtasks.exe PID 1036 wrote to memory of 980 1036 explorer.exe schtasks.exe PID 1036 wrote to memory of 980 1036 explorer.exe schtasks.exe PID 1152 wrote to memory of 1536 1152 taskeng.exe regsvr32.exe PID 1152 wrote to memory of 1536 1152 taskeng.exe regsvr32.exe PID 1152 wrote to memory of 1536 1152 taskeng.exe regsvr32.exe PID 1152 wrote to memory of 1536 1152 taskeng.exe regsvr32.exe PID 1152 wrote to memory of 1536 1152 taskeng.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1728 1536 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Calculation-1905798087-11202020.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tpzckdmebs /tr "regsvr32.exe -s \"C:\AutoCadest\AutoCadest2\Fiksat.dll\"" /SC ONCE /Z /ST 17:47 /ET 17:594⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {DF85FDCC-DD66-4DD0-A4DC-22A139B830CE} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\AutoCadest\AutoCadest2\Fiksat.dll"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\AutoCadest\AutoCadest2\Fiksat.dll"3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\AutoCadest\AutoCadest2\Fiksat.dllMD5
f5d343037e71550ebb729dfd806a31ac
SHA19031d3540d785bf863541b8569e7ebe870643f6d
SHA2565d7f7ce899c7e8512820f92666d805bc2614ca0ec16113d13e994417b2d4aad6
SHA512683c300b9c606daff7a20fccd9f1d3b6ba11efd21e44fde998b00713c64b58d047c0620cc389c9ea1aa70e76dfe13c0403c25e48d709069a46abc80bdae5aa96
-
C:\AutoCadest\AutoCadest2\Fiksat.dllMD5
a6da7e4343bdf4bf26f736c813aae09e
SHA132a62c438d86c6c8ceac99c81745a3a03387cae9
SHA2567d0d4aeae3c75b3e47d58a819da26ef58069df925d7dd2e75d94abe910f0e368
SHA5122468ec16cdb93cfa8bc5cb79680f4c33cdbce6f169cfdec3523260492f6fba5860ad1accc278487c9bc680d438c4898f85e3ae9cc03d4f25921a5dd53307b1cf
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
f5d343037e71550ebb729dfd806a31ac
SHA19031d3540d785bf863541b8569e7ebe870643f6d
SHA2565d7f7ce899c7e8512820f92666d805bc2614ca0ec16113d13e994417b2d4aad6
SHA512683c300b9c606daff7a20fccd9f1d3b6ba11efd21e44fde998b00713c64b58d047c0620cc389c9ea1aa70e76dfe13c0403c25e48d709069a46abc80bdae5aa96
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
a6da7e4343bdf4bf26f736c813aae09e
SHA132a62c438d86c6c8ceac99c81745a3a03387cae9
SHA2567d0d4aeae3c75b3e47d58a819da26ef58069df925d7dd2e75d94abe910f0e368
SHA5122468ec16cdb93cfa8bc5cb79680f4c33cdbce6f169cfdec3523260492f6fba5860ad1accc278487c9bc680d438c4898f85e3ae9cc03d4f25921a5dd53307b1cf
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
a6da7e4343bdf4bf26f736c813aae09e
SHA132a62c438d86c6c8ceac99c81745a3a03387cae9
SHA2567d0d4aeae3c75b3e47d58a819da26ef58069df925d7dd2e75d94abe910f0e368
SHA5122468ec16cdb93cfa8bc5cb79680f4c33cdbce6f169cfdec3523260492f6fba5860ad1accc278487c9bc680d438c4898f85e3ae9cc03d4f25921a5dd53307b1cf
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
a6da7e4343bdf4bf26f736c813aae09e
SHA132a62c438d86c6c8ceac99c81745a3a03387cae9
SHA2567d0d4aeae3c75b3e47d58a819da26ef58069df925d7dd2e75d94abe910f0e368
SHA5122468ec16cdb93cfa8bc5cb79680f4c33cdbce6f169cfdec3523260492f6fba5860ad1accc278487c9bc680d438c4898f85e3ae9cc03d4f25921a5dd53307b1cf
-
\AutoCadest\AutoCadest2\Fiksat.dllMD5
a6da7e4343bdf4bf26f736c813aae09e
SHA132a62c438d86c6c8ceac99c81745a3a03387cae9
SHA2567d0d4aeae3c75b3e47d58a819da26ef58069df925d7dd2e75d94abe910f0e368
SHA5122468ec16cdb93cfa8bc5cb79680f4c33cdbce6f169cfdec3523260492f6fba5860ad1accc278487c9bc680d438c4898f85e3ae9cc03d4f25921a5dd53307b1cf
-
memory/980-11-0x0000000000000000-mapping.dmp
-
memory/1036-7-0x00000000000A0000-0x00000000000A2000-memory.dmpFilesize
8KB
-
memory/1036-9-0x0000000000000000-mapping.dmp
-
memory/1036-12-0x0000000000080000-0x00000000000A0000-memory.dmpFilesize
128KB
-
memory/1536-13-0x0000000000000000-mapping.dmp
-
memory/1708-10-0x0000000000180000-0x00000000001A0000-memory.dmpFilesize
128KB
-
memory/1708-8-0x0000000000240000-0x0000000000260000-memory.dmpFilesize
128KB
-
memory/1708-1-0x0000000000000000-mapping.dmp
-
memory/1728-15-0x0000000000000000-mapping.dmp
-
memory/1992-0-0x000007FEF6670000-0x000007FEF68EA000-memory.dmpFilesize
2.5MB