569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127

General

Target

569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
Size

142KB
MD5

5f189133074a059eee84971a0eddd769
SHA1

7627c5fe8a7503805cc24d210e16118ab9be0bce
SHA256

569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127
SHA512

9dc2e1746941bfeb65d0c63c12a478e8905c236b44ca9e22a9edee4bbe361f7f7dd22eff5a771721058a9200e1a1012a86288313059f6bbf271502602c89d9fd

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1188	1584	certutil.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	576	1584	rundll32.exe	EXCEL.EXE

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

576 rundll32.exe
576 rundll32.exe
576 rundll32.exe
576 rundll32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
576	rundll32.exe
576	rundll32.exe
576	rundll32.exe
576	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1584 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1584 EXCEL.EXE
1584 EXCEL.EXE
1584 EXCEL.EXE
1584 EXCEL.EXE
1584 EXCEL.EXE

pid	process
1584	EXCEL.EXE

pid	process
1584	EXCEL.EXE
1584	EXCEL.EXE
1584	EXCEL.EXE
1584	EXCEL.EXE
1584	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1584 wrote to memory of 1188	1584	EXCEL.EXE	certutil.exe
PID 1584 wrote to memory of 1188	1584	EXCEL.EXE	certutil.exe
PID 1584 wrote to memory of 1188	1584	EXCEL.EXE	certutil.exe
PID 1584 wrote to memory of 1188	1584	EXCEL.EXE	certutil.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe
PID 1584 wrote to memory of 576	1584	EXCEL.EXE	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\155.txt C:\Users\Public\155.dll
2⤵
- Process spawned unexpected child process
PID:1188

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\155.dll,D
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\155.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
C:\Users\Public\155.txt
MD5
d816b57518b2ce39755a917de284ef16

SHA1
01d319ae2fab68e81822f959d85741e1503279d0

SHA256
c5279825f8a846882f1d141ae46b2b7d40fcce2ae1ddf0a1ed833c72a02b07bf

SHA512
8f822d318d66a3e5d61a78609b511ab3d91a2beffd81c13003a416673d6a18f8e42c237089480fd65f5e5631b7fc4b53afdff27ce962b69d056b0c4fcc1d9fec

Download Submit
\Users\Public\155.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
\Users\Public\155.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
\Users\Public\155.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
\Users\Public\155.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
memory/576-26-0x0000000000000000-mapping.dmp

Download
memory/1188-23-0x0000000000000000-mapping.dmp

Download
memory/1584-10-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1584-20-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1584-15-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1584-2-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1584-8-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1584-5-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1584-3-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2028-24-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads