569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127

General

Target

569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
Size

142KB
MD5

5f189133074a059eee84971a0eddd769
SHA1

7627c5fe8a7503805cc24d210e16118ab9be0bce
SHA256

569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127
SHA512

9dc2e1746941bfeb65d0c63c12a478e8905c236b44ca9e22a9edee4bbe361f7f7dd22eff5a771721058a9200e1a1012a86288313059f6bbf271502602c89d9fd

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3516	636	certutil.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3148	636	rundll32.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

28 2180 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2180 rundll32.exe

flow	pid	process
28	2180	rundll32.exe

pid	process
2180	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

636 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE
636	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 636 wrote to memory of 3516	636	EXCEL.EXE	certutil.exe
PID 636 wrote to memory of 3516	636	EXCEL.EXE	certutil.exe
PID 636 wrote to memory of 3148	636	EXCEL.EXE	rundll32.exe
PID 636 wrote to memory of 3148	636	EXCEL.EXE	rundll32.exe
PID 3148 wrote to memory of 2180	3148	rundll32.exe	rundll32.exe
PID 3148 wrote to memory of 2180	3148	rundll32.exe	rundll32.exe
PID 3148 wrote to memory of 2180	3148	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3944	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3944	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3944	2180	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\289.txt C:\Users\Public\289.dll
2⤵
- Process spawned unexpected child process
PID:3516

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\289.dll,D
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\289.dll,D
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\rundll32.exe
C:\ProgramData\jdsg\jdsg.dll,DllRegisterServer
4⤵
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\289.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
C:\Users\Public\289.txt
MD5
d816b57518b2ce39755a917de284ef16

SHA1
01d319ae2fab68e81822f959d85741e1503279d0

SHA256
c5279825f8a846882f1d141ae46b2b7d40fcce2ae1ddf0a1ed833c72a02b07bf

SHA512
8f822d318d66a3e5d61a78609b511ab3d91a2beffd81c13003a416673d6a18f8e42c237089480fd65f5e5631b7fc4b53afdff27ce962b69d056b0c4fcc1d9fec

Download Submit
\Users\Public\289.dll
MD5
7bbde12b2e128d29ab32f2582a6144ed

SHA1
8321ee2c5049d7390e7c6c0d41d11a7aff812d2a

SHA256
377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b

SHA512
90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c

Download Submit
memory/636-2-0x00007FFC33FF0000-0x00007FFC34627000-memory.dmp

Filesize
6.2MB

Download
memory/2180-7-0x0000000000000000-mapping.dmp

Download
memory/3148-5-0x0000000000000000-mapping.dmp

Download
memory/3516-3-0x0000000000000000-mapping.dmp

Download
memory/3944-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads