Analysis
max time kernel: 69s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 14-01-2021 14:08
Behavioral task behavioral1
Sample: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
Resource: win7v20201028

Behavioral task behavioral2
Sample: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
Resource: win10v20201028
General
Target: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
Size: 142KB
MD5: 5f189133074a059eee84971a0eddd769
SHA1: 7627c5fe8a7503805cc24d210e16118ab9be0bce
SHA256: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127
SHA512: 9dc2e1746941bfeb65d0c63c12a478e8905c236b44ca9e22a9edee4bbe361f7f7dd22eff5a771721058a9200e1a1012a86288313059f6bbf271502602c89d9fd
Malware Config
Extracted
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  certutil.exe (pid 1188), parent EXCEL.EXE (pid 1584): Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  rundll32.exe (pid 576), parent EXCEL.EXE (pid 1584): Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process

Loads dropped DLL (4 IoCs)
Processes:
  rundll32.exe (pid 576), 4 load events

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Modifies Internet Explorer settings (9 IoCs)
Processes:
  EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar
  EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt
  EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Note: every value here points at Office's own binaries under Office14 (EXCEL.EXE, ONBttnIE.dll). This is Office registering its Internet Explorer context-menu extensions on first run, not something attributable to the document's macro.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  EXCEL.EXE (pid 1584)

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  EXCEL.EXE (pid 1584), 5 calls

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  EXCEL.EXE (pid 1584) wrote to memory of certutil.exe (pid 1188), 4 events
  EXCEL.EXE (pid 1584) wrote to memory of rundll32.exe (pid 576), 7 events
Note: a parent writing into a child it has just created is normal CreateProcess behaviour (the process parameters are written into the new process), so the writes themselves are not evidence of injection. The signal is which children Excel created, which is the point of the unexpected-child signature above.
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 1584)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\certutil.exe (pid 1188)
      Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\155.txt C:\Users\Public\155.dll
      - Process spawned unexpected child process

   2. C:\Windows\SysWOW64\rundll32.exe (pid 576)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\155.dll,D
      - Process spawned unexpected child process
      - Loads dropped DLL

The chain is: 155.txt (listed under Downloads below) is fed to certutil -decode, which writes the base64-decoded 155.dll next to it, and rundll32 then loads that DLL and calls its export D. Both stages live in C:\Users\Public, which any user can write to. The image paths are under SysWOW64 while the command lines say System32 because Office14 here is 32-bit (Program Files (x86)) and WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers; when hunting, match on either path.
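The tree above is a detection opportunity in three parts: an Office parent spawning a living-off-the-land binary, certutil being used as a base64 decoder, and rundll32 loading a DLL from a user-writable path that certutil just produced. The following is an added example, not code from the report or from the sandbox vendor: Python rules run over process-creation records. The record schema (pid, ppid, image, command_line) is assumed and modelled on Sysmon Event ID 1; the sample events are constructed to mirror the report's tree, with an invented Explorer parent (pid 1000) that the report does not show, plus one benign rundll32 control that should stay quiet.

```python
"""Flag the Office -> certutil -decode -> rundll32 chain from process-creation events.

Added example, not part of the sandbox report. The ProcEvent fields (pid, ppid,
image, command_line) are an assumed schema modelled on Sysmon Event ID 1; the
SAMPLE_EVENTS below are constructed to mirror the report's process tree plus one
benign control.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Locations a non-admin user (and therefore a macro running as that user) can write to.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\Users\\(?:Public|[^\\]+\\AppData)\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str   # as recorded by the event source


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def certutil_decode_target(command_line: str) -> Optional[Tuple[str, str]]:
    """(input, output) of 'certutil -decode IN OUT' or '-decodehex IN OUT', else None."""
    m = re.search(r'(?i)\s-decode(?:hex)?\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', command_line)
    return (m.group(1), m.group(2)) if m else None


def rundll32_target(command_line: str) -> Optional[Tuple[str, str]]:
    """(dll_path, export) from 'rundll32.exe DLL,Export', else None."""
    m = re.match(r'^\s*(?:"[^"]+"|\S+)\s+"?([^",]+?)"?\s*,\s*(\S+)', command_line)
    return (m.group(1), m.group(2)) if m else None


def evaluate(events: List[ProcEvent]) -> List[str]:
    """Return one finding string per rule hit, in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    decoded_outputs = set()   # files certutil -decode has written so far
    findings: List[str] = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        # Rule 1: an Office application spawned a living-off-the-land binary.
        if parent and basename(parent.image) in OFFICE and name in LOLBINS:
            findings.append(f"office_child: {basename(parent.image)} (pid {parent.pid}) "
                            f"-> {name} (pid {ev.pid})")
        # Rule 2: certutil used as a base64 decoder; remember what it produced.
        if name == "certutil.exe":
            hit = certutil_decode_target(ev.command_line)
            if hit:
                decoded_outputs.add(hit[1].lower())
                findings.append(f"certutil_decode: {hit[0]} -> {hit[1]} (pid {ev.pid})")
        # Rule 3: rundll32 loading a DLL from a user-writable path; stronger when that
        # DLL is exactly what certutil just decoded (events must be in time order).
        if name == "rundll32.exe":
            hit = rundll32_target(ev.command_line)
            if hit and USER_WRITABLE.match(hit[0]):
                tag = "rundll32_decoded_dll" if hit[0].lower() in decoded_outputs else "rundll32_user_path"
                findings.append(f"{tag}: {hit[0]},{hit[1]} (pid {ev.pid})")
    return findings


SAMPLE_EVENTS = [  # constructed from the report's process tree; Explorer (pid 1000) is invented
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1584, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r'C:\Users\Admin\AppData\Local\Temp\569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls'),
    ProcEvent(1188, 1584, r"C:\Windows\SysWOW64\certutil.exe",
              r'"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\155.txt C:\Users\Public\155.dll'),
    ProcEvent(576, 1584, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\155.dll,D'),
    # Benign control: Explorer launching a Control Panel applet via rundll32 must not fire.
    ProcEvent(2200, 1000, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Rule 3 keys on the command-line path rather than on an image-load event, so it fires at process creation and does not depend on the DLL actually loading; pair it with an image-load rule if the telemetry has one. The benign control shows why the user-writable-path check matters: rundll32 with a DLL under System32 is everyday Windows behaviour.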
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\155.dll
MD5: 7bbde12b2e128d29ab32f2582a6144ed
SHA1: 8321ee2c5049d7390e7c6c0d41d11a7aff812d2a
SHA256: 377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b
SHA512: 90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

C:\Users\Public\155.txt
MD5: d816b57518b2ce39755a917de284ef16
SHA1: 01d319ae2fab68e81822f959d85741e1503279d0
SHA256: c5279825f8a846882f1d141ae46b2b7d40fcce2ae1ddf0a1ed833c72a02b07bf
SHA512: 8f822d318d66a3e5d61a78609b511ab3d91a2beffd81c13003a416673d6a18f8e42c237089480fd65f5e5631b7fc4b53afdff27ce962b69d056b0c4fcc1d9fec

\Users\Public\155.dll (same hashes as C:\Users\Public\155.dll above)
MD5: 7bbde12b2e128d29ab32f2582a6144ed
SHA1: 8321ee2c5049d7390e7c6c0d41d11a7aff812d2a
SHA256: 377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b
SHA512: 90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c
memory/576-26-0x0000000000000000-mapping.dmp
memory/1188-23-0x0000000000000000-mapping.dmp
memory/1584-10-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/1584-20-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/1584-15-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/1584-2-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/1584-8-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/1584-5-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/1584-3-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize: 4KB
memory/2028-24-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp  Filesize: 2.5MB
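155.txt in the Downloads list is the base64 input that certutil -decode turned into 155.dll. As an added example, not code from the report or the sandbox, the Python below reproduces that decode step offline and checks whether the result is a PE, so a dropped .txt can be triaged and hashed without running certutil on it. certutil -decode accepts bare base64 as well as base64 wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines (the form certutil -encode writes), and both are handled. The payload is a constructed minimal MZ/PE header, not the real 155.txt or 155.dll, and the function names are my own.

```python
"""Triage a dropped text file the way certutil -decode would consume it.

Added example, not part of the sandbox report. Handles bare base64 and the
PEM-style armour certutil -encode emits. The payload below is a constructed
minimal MZ/PE header, not the real 155.txt / 155.dll from the report.
"""
import base64
import binascii
import hashlib
import struct
from typing import Dict, Optional


def certutil_style_decode(text: str) -> Optional[bytes]:
    """Drop -----BEGIN/END----- armour lines and whitespace, then strictly base64-decode."""
    parts = []
    for ln in text.splitlines():
        s = ln.strip()
        if s and not s.startswith("-----"):
            parts.append(s)
    try:
        return base64.b64decode("".join(parts), validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """True for an MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(text: str) -> Dict[str, object]:
    """Decode as certutil would and report size, PE-ness and SHA-256 of the output."""
    data = certutil_style_decode(text)
    if data is None:
        return {"decodable": False}
    return {"decodable": True, "size": len(data), "is_pe": looks_like_pe(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def wrap_like_certificate(data: bytes, width: int = 64) -> str:
    """Produce the armoured, 64-column, CRLF text that certutil -encode writes."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"


def build_fake_pe() -> bytes:
    """Constructed stand-in: 0x40-byte DOS header, e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # DOS header, 0x40 bytes
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew points just past it
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20    # PE signature plus padding (88 bytes)


SAMPLE_155_TXT = wrap_like_certificate(build_fake_pe())   # constructed, not the report's file

if __name__ == "__main__":
    print(triage(SAMPLE_155_TXT))
```

Strict decoding (validate=True) is deliberate: if the file does not decode cleanly as base64 it is not what certutil would have consumed, and the triage result says so rather than guessing. The SHA-256 of the decoded bytes is what should match the dropped DLL's hash in the report.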