Analysis
- max time kernel: 70s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 07:15
Behavioral task: behavioral1
- Sample: 48005.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 48005.xls
- Resource: win10v20201028
General
- Target: 48005.xls
- Size: 80KB
- MD5: e0fcfaac8d385a1bcab28b834b9af2a0
- SHA1: fcbbbb624a8903e4d4e69081fc1f1ccbd0958405
- SHA256: aba105fe8ad27d96d744c4f5d2387feef994420bc55db7df3307c33cff080e30
- SHA512: a6514afec518f1795b24a1b98e1d75ded765a46a5671c3ec3d528849ee6cf57c0fa98c4264a67cc9c029be6a445d7fc6c879d07619b70a7f9d8a0626a4f84d90
Malware Config
Extracted
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: certutil.exe, rundll32.exe
  - Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process (pid 1080, pid_target 1640, process certutil.exe, target process EXCEL.EXE)
  - Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process (pid 332, pid_target 1640, process rundll32.exe, target process EXCEL.EXE)
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe
  - pid 332, process rundll32.exe
  - pid 332, process rundll32.exe
  - pid 332, process rundll32.exe
  - pid 332, process rundll32.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process EXCEL.EXE)
- Modifies Internet Explorer settings
  Processes: EXCEL.EXE
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (process EXCEL.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (process EXCEL.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (process EXCEL.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (process EXCEL.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (process EXCEL.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (process EXCEL.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (process EXCEL.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (process EXCEL.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (process EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  - pid 1640, process EXCEL.EXE
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: EXCEL.EXE
  - pid 1640, process EXCEL.EXE
  - pid 1640, process EXCEL.EXE
  - pid 1640, process EXCEL.EXE
  - pid 1640, process EXCEL.EXE
  - pid 1640, process EXCEL.EXE
  - pid 1640, process EXCEL.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: EXCEL.EXE
  - PID 1640 wrote to memory of 1080 (pid 1640, process EXCEL.EXE, target process certutil.exe)
  - PID 1640 wrote to memory of 1080 (pid 1640, process EXCEL.EXE, target process certutil.exe)
  - PID 1640 wrote to memory of 1080 (pid 1640, process EXCEL.EXE, target process certutil.exe)
  - PID 1640 wrote to memory of 1080 (pid 1640, process EXCEL.EXE, target process certutil.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
  - PID 1640 wrote to memory of 332 (pid 1640, process EXCEL.EXE, target process rundll32.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\48005.xls
  PID: 1640
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\certutil.exe (depth 2)
    Command line: "C:\Windows\System32\certutil.exe" -decodehex C:\Users\Public\3094.txt C:\Users\Public\3094.dll
    PID: 1080
    - Process spawned unexpected child process
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\3094.dll,D
    PID: 332
    - Process spawned unexpected child process
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Public\3094.dll
  MD5: 09aa345445d3b9770f913be946a56738
  SHA1: 2c745814ef7f3e1cefe6e468532422c5d0071aeb
  SHA256: 37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77
  SHA512: 054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9
- C:\Users\Public\3094.txt
  MD5: 652620d75f7d14f0b5fb7adaef835c11
  SHA1: be88d1a4be7db5170f26cb3068783cb78ad92cf4
  SHA256: c8f9a6c0d639d9dbe1c432ca1415fa1129f7c1cda3e8febb4dc961763039a774
  SHA512: 7ee326b9621285e412811cd01e829e789a89d8916cd39bb45eed92b82615e8595e704c30cfc674778f929249b387a510e0996c105e81eec56670871ca9da7f79
- memory/332-5-0x0000000000000000-mapping.dmp
- memory/1080-3-0x0000000000000000-mapping.dmp
- memory/1616-2-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
  Filesize: 2.5MB