Analysis

max time kernel: 76s
max time network: 24s
platform: windows7_x64
resource: win7v20201028
submitted: 27-11-2020 15:39

Static task: static1
Behavioral task: behavioral1
Sample: document-1653237025.xls
Resource: win7v20201028
Platform: windows7_x64
0 signatures
0 seconds
General

Target: document-1653237025.xls
Size: 331KB
MD5: e8c8e7425cfc0445c36c65dabf09f357
SHA1: 9b81a8b87a3db818664ca9ecae988210eec299b9
SHA256: 71c010b8d619960937d1c174349bfcc22e8847459b466ad2e3ac9b5b7a5e4cbe
SHA512: bd1ada778a2cdadc04a8f9456d908a29e6b483358a138c76e35844345bacc46418bdb6bca51f2e8e3e52cf539ebb3b569729a2e668c3538da12ae22c6d472623
Score: 10/10
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1460 | 648 | regsvr32.exe | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  648 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  648 | EXCEL.EXE
  648 | EXCEL.EXE
  648 | EXCEL.EXE
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description | pid | process | target process
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
  PID 648 wrote to memory of 1460 | 648 | EXCEL.EXE | regsvr32.exe
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1653237025.xls
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\regsvr32.exe (child of 1)
   Command line: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
   - Process spawned unexpected child process