Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 16:19
Behavioral task: behavioral1
- Sample: Document_1495694596-Copy.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Document_1495694596-Copy.xls
- Resource: win10v20201028
General
- Target: Document_1495694596-Copy.xls
- Size: 43KB
- MD5: e758a4b1340fd50274edefd581cd8c52
- SHA1: 945f507232ddbe940e09ac69a4e8592aa55590ed
- SHA256: 4e2f37d4228e78faa1f34121ee934f58e1a9862ad6f183edf4c24e08cda20363
- SHA512: 3393143e4215b8cff172d7a4a79d6116667ebc0999ab3eea1656616375856a798e8b5caf4728deb4cae1ecef4e83405c145b8373dca6f101654470f525d4f269
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 924 | 596 | rundll32.exe | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings (9 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  596 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
  596 | EXCEL.EXE (3 identical entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  PID 596 wrote to memory of 924 | 596 | EXCEL.EXE | rundll32.exe (7 identical entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document_1495694596-Copy.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of EXCEL.EXE)
    Command line: rundll32 ..\AppData\Kipofe.mmaallaauu,DllRegisterServer
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Kipofe.mmaallaauu
  MD5: 9c5328e73595b60e313d71e41ee9634a
  SHA1: b3e2b75a8f80d0e28109a6b187b61fb990f17752
  SHA256: 4c9a1498b1ab24080747d92d83367ffeb42512f38330064bf81ef21d0e658cc7
  SHA512: 9a345ea4c1f323e5531738571e91f84a55279240462c02b459c8a27a83f062e71c95b4b00c2a7df2a86a1052654b36f8b43467c94dbac04fccf1428ea4cd1036
- memory/924-3-0x0000000000000000-mapping.dmp
- memory/1416-2-0x000007FEF6010000-0x000007FEF628A000-memory.dmp
  Filesize: 2.5MB