Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-11-2020 16:02
Static task
static1
Behavioral task
behavioral1
Sample
document-1480463293.xls
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
document-1480463293.xls
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
document-1480463293.xls
-
Size
331KB
-
MD5
fd47a096642b5b9dffde188ee309410e
-
SHA1
47f56aaa48a5c10e8f3c4cd9d8f47893a265aa62
-
SHA256
56b38cfcd74d14974f8db0753e06fb0a509b7565a099a85d70f02b70079c1ff2
-
SHA512
eb743c8364857f65441dc993e9df0a7851751f892c2e768f51bb4f59280f8da482a86f4a6347f42a5b679724a772b79fb34ff4d89a0642f63fd1b284a8d5381f
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 564 868 regsvr32.exe EXCEL.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 868 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 868 EXCEL.EXE 868 EXCEL.EXE 868 EXCEL.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe PID 868 wrote to memory of 564 868 EXCEL.EXE regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1480463293.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll2⤵
- Process spawned unexpected child process