document-1460277780.xls
General
Target
Filesize
Completed
document-1460277780.xls
331KB
26-11-2020 16:23
Score
10
/10
MD5
SHA1
SHA256
8daf15bc79db4badf16cb6877da759af
433b4aef1f346912d7243c708a6453371cee5dbe
ee19fb53c556fbd204d6828e579fe519bf7419bb3d917aadc25291f86f74e573
Malware Config
Signatures 6
Filter: none
Defense Evasion
Discovery
-
Process spawned unexpected child processregsvr32.exe
Description
This typically indicates the parent process was compromised via an exploit or macro.
Reported IOCs
description pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 756 1204 regsvr32.exe EXCEL.EXE -
Enumerates system info in registryEXCEL.EXE
TTPs
Reported IOCs
description ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies Internet Explorer settingsEXCEL.EXE
Tags
TTPs
Reported IOCs
description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListenerEXCEL.EXE
Reported IOCs
pid process 1204 EXCEL.EXE -
Suspicious use of SetWindowsHookExEXCEL.EXE
Reported IOCs
pid process 1204 EXCEL.EXE 1204 EXCEL.EXE 1204 EXCEL.EXE -
Suspicious use of WriteProcessMemoryEXCEL.EXE
Reported IOCs
description pid process target process PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe PID 1204 wrote to memory of 756 1204 EXCEL.EXE regsvr32.exe
Processes 2
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXEPID:1204"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1460277780.xlsEnumerates system info in registryModifies Internet Explorer settingsSuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exePID:756regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dllProcess spawned unexpected child process
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
memory/756-3-0x0000000000000000-mapping.dmp
-
memory/1240-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp
Title
Loading Data