Analysis
- max time kernel: 139s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 14:08
Behavioral task: behavioral1
- Sample: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
- Resource: win10v20201028
General
- Target: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls
- Size: 142KB
- MD5: 5f189133074a059eee84971a0eddd769
- SHA1: 7627c5fe8a7503805cc24d210e16118ab9be0bce
- SHA256: 569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127
- SHA512: 9dc2e1746941bfeb65d0c63c12a478e8905c236b44ca9e22a9edee4bbe361f7f7dd22eff5a771721058a9200e1a1012a86288313059f6bbf271502602c89d9fd
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: certutil.exe, rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3516 | 636 | certutil.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3148 | 636 | rundll32.exe | EXCEL.EXE
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid | process
  28 | 2180 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  2180 | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  636 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE
  pid | process
  636 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: EXCEL.EXE, rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 636 wrote to memory of 3516 | 636 | EXCEL.EXE | certutil.exe
  PID 636 wrote to memory of 3516 | 636 | EXCEL.EXE | certutil.exe
  PID 636 wrote to memory of 3148 | 636 | EXCEL.EXE | rundll32.exe
  PID 636 wrote to memory of 3148 | 636 | EXCEL.EXE | rundll32.exe
  PID 3148 wrote to memory of 2180 | 3148 | rundll32.exe | rundll32.exe
  PID 3148 wrote to memory of 2180 | 3148 | rundll32.exe | rundll32.exe
  PID 3148 wrote to memory of 2180 | 3148 | rundll32.exe | rundll32.exe
  PID 2180 wrote to memory of 3944 | 2180 | rundll32.exe | rundll32.exe
  PID 2180 wrote to memory of 3944 | 2180 | rundll32.exe | rundll32.exe
  PID 2180 wrote to memory of 3944 | 2180 | rundll32.exe | rundll32.exe
Processes (tree, indentation shows parent/child depth)
- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\569d5acb6b3ef16b4cfaf7775c73e26d6ae6b969eb6ba06b361899bec0567127.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\certutil.exe
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\289.txt C:\Users\Public\289.dll
    - Process spawned unexpected child process
  - [2] C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\289.dll,D
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\289.dll,D
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\ProgramData\jdsg\jdsg.dll,DllRegisterServer
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\289.dll
  MD5: 7bbde12b2e128d29ab32f2582a6144ed
  SHA1: 8321ee2c5049d7390e7c6c0d41d11a7aff812d2a
  SHA256: 377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b
  SHA512: 90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c
- C:\Users\Public\289.txt
  MD5: d816b57518b2ce39755a917de284ef16
  SHA1: 01d319ae2fab68e81822f959d85741e1503279d0
  SHA256: c5279825f8a846882f1d141ae46b2b7d40fcce2ae1ddf0a1ed833c72a02b07bf
  SHA512: 8f822d318d66a3e5d61a78609b511ab3d91a2beffd81c13003a416673d6a18f8e42c237089480fd65f5e5631b7fc4b53afdff27ce962b69d056b0c4fcc1d9fec
- \Users\Public\289.dll
  MD5: 7bbde12b2e128d29ab32f2582a6144ed
  SHA1: 8321ee2c5049d7390e7c6c0d41d11a7aff812d2a
  SHA256: 377a11f8de7bf17298a8f4b88f03d4441df1c02177f7e0b162b6f6143a38ea3b
  SHA512: 90b75fc227726569438d1f620cbb7e0e06bf4f0f5014a32dae052349641633595dc6cbd2535bf48bbc29ec01ffbef60f17cb79023609975bca2a80c6a314b69c
- memory/636-2-0x00007FFC33FF0000-0x00007FFC34627000-memory.dmp
  Filesize: 6.2MB
- memory/2180-7-0x0000000000000000-mapping.dmp
- memory/3148-5-0x0000000000000000-mapping.dmp
- memory/3516-3-0x0000000000000000-mapping.dmp
- memory/3944-9-0x0000000000000000-mapping.dmp