document-1480463293.xls

General

Target      document-1480463293.xls
Filesize    331KB
Completed   26-11-2020 16:21
Score       10/10
MD5         fd47a096642b5b9dffde188ee309410e
SHA1        47f56aaa48a5c10e8f3c4cd9d8f47893a265aa62
SHA256      56b38cfcd74d14974f8db0753e06fb0a509b7565a099a85d70f02b70079c1ff2

Malware Config
Signatures 6

Tactics: Defense Evasion, Discovery
  • Process spawned unexpected child process
    regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 564 | 868 | regsvr32.exe | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE

    Note: these MenuExt and Toolbar values are the standard Internet Explorer context-menu integration ("Export to Microsoft Excel", "Send to OneNote") that Office writes into a fresh user profile on first run. They are triggered here by opening the document in a clean sandbox and are not, on their own, an indicator of compromise; the regsvr32.exe child process and the WriteProcessMemory calls into it are the signals that matter.
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    868 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    868 | EXCEL.EXE
    868 | EXCEL.EXE
    868 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE

    Reported IOCs

    description | pid | process | target process
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
    PID 868 wrote to memory of 564 | 868 | EXCEL.EXE | regsvr32.exe
Processes 2
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1480463293.xls
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
      Process spawned unexpected child process
      PID:564
Network
MITRE ATT&CK Matrix
Mapped techniques (from Signatures): Query Registry, System Information Discovery (Discovery); Modify Registry (Defense Evasion)
Downloads
  • memory/564-3-0x0000000000000000-mapping.dmp
  • memory/1164-2-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp