Analysis
- max time kernel: 137s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 16:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: Calculation-1905798087-11202020.xls
- Resource: win7v20201028
General
- Target: Calculation-1905798087-11202020.xls
- Size: 61KB
- MD5: d2ccb220ebd1726027a94b8e55f7ea57
- SHA1: 8863bcc3dce81b2c0fa34c9d5c25bad443159597
- SHA256: 89ef9b418bfd698c45ec3caac3067d0fb155118de909362afe9dd811f41094ec
- SHA512: 23964e20b805c840877fd8e4c9f340971f9ea6b7db4d0237590dded6d83753bef77e31f7f2b8398eaeee800ca21f3ead5fc49f45e26d7d349e23a596fff74773
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1164 | 4796 | rundll32.exe | EXCEL.EXE

Processes:
resource | yara_rule
C:\AutoCadest\AutoCadest2\Fiksat.dll | cryptone
\AutoCadest\AutoCadest2\Fiksat.dll | cryptone
Loads dropped DLL (1 IoC)
Processes:
pid | process
1300 | rundll32.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | rundll32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
4796 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
1300 | rundll32.exe (4 occurrences)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid | process
1300 | rundll32.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
pid | process
4796 | EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: EXCEL.EXE, rundll32.exe, rundll32.exe, explorer.exe
description | pid | process | target process
PID 4796 wrote to memory of 1164 | 4796 | EXCEL.EXE | rundll32.exe (2 occurrences)
PID 1164 wrote to memory of 1300 | 1164 | rundll32.exe | rundll32.exe (3 occurrences)
PID 1300 wrote to memory of 1680 | 1300 | rundll32.exe | explorer.exe (5 occurrences)
PID 1680 wrote to memory of 1872 | 1680 | explorer.exe | schtasks.exe (3 occurrences)
Processes (process tree; indentation shows parent/child depth)

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Calculation-1905798087-11202020.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SYSTEM32\rundll32.exe
      Command line: rundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer
        - Loads dropped DLL
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ggyusnix /tr "regsvr32.exe -s \"\"" /SC ONCE /Z /ST 16:40 /ET 16:52
            - Creates scheduled task(s)

[1] \??\c:\windows\system32\regsvr32.exe
    Command line: regsvr32.exe -s ""
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\AutoCadest\AutoCadest2\Fiksat.dll
- MD5: 9766e6204f4897e91a9a08a09b6d6bb7
- SHA1: 4f2d4eb4a0bc5ff226b86e41a39b96bb3726f92e
- SHA256: beaa861d04b644792389a4bd6cc2f33d51be50202fa5cbb1d37beb38daed6161
- SHA512: 6ab88f804165947d8e8fecdd3338727e60645d4d45c46e73a27749e9df04797612590c4130db96193ce760350b79cfb462a5ba7b3428b9297ac150935cd96d7a

\AutoCadest\AutoCadest2\Fiksat.dll
- MD5: 9766e6204f4897e91a9a08a09b6d6bb7
- SHA1: 4f2d4eb4a0bc5ff226b86e41a39b96bb3726f92e
- SHA256: beaa861d04b644792389a4bd6cc2f33d51be50202fa5cbb1d37beb38daed6161
- SHA512: 6ab88f804165947d8e8fecdd3338727e60645d4d45c46e73a27749e9df04797612590c4130db96193ce760350b79cfb462a5ba7b3428b9297ac150935cd96d7a

Memory dumps:
- memory/1164-1-0x0000000000000000-mapping.dmp
- memory/1300-3-0x0000000000000000-mapping.dmp
- memory/1300-5-0x00000000008C0000-0x00000000008E0000-memory.dmp (Filesize: 128KB)
- memory/1680-6-0x0000000000000000-mapping.dmp
- memory/1680-8-0x0000000000320000-0x0000000000340000-memory.dmp (Filesize: 128KB)
- memory/1872-7-0x0000000000000000-mapping.dmp
- memory/4796-0-0x00007FFA613D0000-0x00007FFA61A07000-memory.dmp (Filesize: 6.2MB)