Analysis
- max time kernel: 72s
- max time network: 21s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 16:18
Behavioral task: behavioral1
- Sample: 586bd4e1f5f41569b260ce6cc6b5243bee2209c35915d1a3050cf4196c6133eb.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 586bd4e1f5f41569b260ce6cc6b5243bee2209c35915d1a3050cf4196c6133eb.xls
- Resource: win10v20201028
General
- Target: 586bd4e1f5f41569b260ce6cc6b5243bee2209c35915d1a3050cf4196c6133eb.xls
- Size: 54KB
- MD5: 08037f2bf6b8fe9ae8c245903af45729
- SHA1: 2836aa101a02a284c6df9ed17bd092f25c34f80f
- SHA256: 586bd4e1f5f41569b260ce6cc6b5243bee2209c35915d1a3050cf4196c6133eb
- SHA512: 2e0ffec3933f66b623e2eded690497115f251036d282dc915721b61175164eeb0573a1c4706b1f84453c9286ff1b8c3f7a1756fdd41d532dcf8e9dc24c22dc1e
Malware Config
Extracted
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1616 | 1844 | rundll32.exe | EXCEL.EXE
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes: EXCEL.EXE
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
    pid | process
    1844 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE
    pid | process
    1844 | EXCEL.EXE
    1844 | EXCEL.EXE
    1844 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: EXCEL.EXE
    description | pid | process | target process
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
    PID 1844 wrote to memory of 1616 | 1844 | EXCEL.EXE | rundll32.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\586bd4e1f5f41569b260ce6cc6b5243bee2209c35915d1a3050cf4196c6133eb.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
    - Process spawned unexpected child process