document-1460277780.xls

General

Target: document-1460277780.xls
Filesize: 331KB
Completed: 26-11-2020 16:23
Score: 10/10
MD5: 8daf15bc79db4badf16cb6877da759af
SHA1: 433b4aef1f346912d7243c708a6453371cee5dbe
SHA256: ee19fb53c556fbd204d6828e579fe519bf7419bb3d917aadc25291f86f74e573

Malware Config
Signatures 6

Defense Evasion
Discovery
  • Process spawned unexpected child process
    regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 756 | 1204 | regsvr32.exe | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1204 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1204 | EXCEL.EXE
    1204 | EXCEL.EXE
    1204 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE

    Reported IOCs

    description | pid | process | target process
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
    PID 1204 wrote to memory of 756 | 1204 | EXCEL.EXE | regsvr32.exe
Processes 2
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1460277780.xls
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
      Process spawned unexpected child process
      PID:756
Network
MITRE ATT&CK Matrix
Downloads
  • memory/756-3-0x0000000000000000-mapping.dmp
  • memory/1240-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp