document-1480463293.xls
General
Target
Filesize
Completed
document-1480463293.xls
331KB
26-11-2020 16:21
Score
10
/10
MD5
SHA1
SHA256
fd47a096642b5b9dffde188ee309410e
47f56aaa48a5c10e8f3c4cd9d8f47893a265aa62
56b38cfcd74d14974f8db0753e06fb0a509b7565a099a85d70f02b70079c1ff2
Malware Config
Signatures 6
Filter: none
Defense Evasion
Discovery
-
Process spawned unexpected child processregsvr32.exe
Description
This typically indicates the parent process was compromised via an exploit or macro.
Reported IOCs
description pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 564 868 regsvr32.exe EXCEL.EXE -
Enumerates system info in registryEXCEL.EXE
TTPs
Reported IOCs
description ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies Internet Explorer settingsEXCEL.EXE
Tags
TTPs
Reported IOCs
description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListenerEXCEL.EXE
Reported IOCs
pid process 868 EXCEL.EXE -
Suspicious use of SetWindowsHookExEXCEL.EXE
Reported IOCs
pid process 868 EXCEL.EXE 868 EXCEL.EXE 868 EXCEL.EXE -
Suspicious use of WriteProcessMemoryEXCEL.EXE
Reported IOCs
description pid process target process PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe
Processes 2
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXEPID:868"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1480463293.xlsEnumerates system info in registryModifies Internet Explorer settingsSuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exePID:564regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dllProcess spawned unexpected child process
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
memory/564-3-0x0000000000000000-mapping.dmp
-
memory/1164-2-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp
Title
Loading Data