Analysis
- max time kernel: 281s
- max time network: 282s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 07:28

Behavioral task: behavioral1
Sample: maybeice.xlsb
Resource: win7v20201028
General
- Target: maybeice.xlsb
- Size: 80KB
- MD5: 79f07a91462a30ffd08e5d5df0b818f4
- SHA1: c257b63ed7184c9da9c59318f927a9c948d88261
- SHA256: 547477332bd0dde997b697e6f74110ff4af5b41ad0d71dee3d3f51d4c3db3bc5
- SHA512: f87242140303ff78e38c642af7416deb078781af3864f7e52b5867f8a792437d48478d169ec291947290515d9d5ba92b8dd92821dcbbaa049e0b66f87ff322a2
Malware Config
Extracted
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: certutil.exe, rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1948 | 1036 | certutil.exe | EXCEL.EXE
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1048 | 1036 | rundll32.exe | EXCEL.EXE
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe
  pid | process
  1048 | rundll32.exe
  1048 | rundll32.exe
  1048 | rundll32.exe
  1048 | rundll32.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings (9 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  1036 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1036 | EXCEL.EXE
  1036 | EXCEL.EXE
  1036 | EXCEL.EXE
  1036 | EXCEL.EXE
  1036 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: EXCEL.EXE
  description | pid | process | target process
  PID 1036 wrote to memory of 1948 | 1036 | EXCEL.EXE | certutil.exe
  PID 1036 wrote to memory of 1948 | 1036 | EXCEL.EXE | certutil.exe
  PID 1036 wrote to memory of 1948 | 1036 | EXCEL.EXE | certutil.exe
  PID 1036 wrote to memory of 1948 | 1036 | EXCEL.EXE | certutil.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
  PID 1036 wrote to memory of 1048 | 1036 | EXCEL.EXE | rundll32.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1036, tree level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\maybeice.xlsb
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\certutil.exe (PID 1948, tree level 2, child of EXCEL.EXE)
    Command line: "C:\Windows\System32\certutil.exe" -decodehex C:\Users\Public\2176.txt C:\Users\Public\2176.dll
    - Process spawned unexpected child process
  - C:\Windows\SysWOW64\rundll32.exe (PID 1048, tree level 2, child of EXCEL.EXE)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\2176.dll,D
    - Process spawned unexpected child process
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\2176.dll
  MD5: 09aa345445d3b9770f913be946a56738
  SHA1: 2c745814ef7f3e1cefe6e468532422c5d0071aeb
  SHA256: 37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77
  SHA512: 054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9
- C:\Users\Public\2176.txt
  MD5: 652620d75f7d14f0b5fb7adaef835c11
  SHA1: be88d1a4be7db5170f26cb3068783cb78ad92cf4
  SHA256: c8f9a6c0d639d9dbe1c432ca1415fa1129f7c1cda3e8febb4dc961763039a774
  SHA512: 7ee326b9621285e412811cd01e829e789a89d8916cd39bb45eed92b82615e8595e704c30cfc674778f929249b387a510e0996c105e81eec56670871ca9da7f79
- \Users\Public\2176.dll
  MD5: 09aa345445d3b9770f913be946a56738
  SHA1: 2c745814ef7f3e1cefe6e468532422c5d0071aeb
  SHA256: 37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77
  SHA512: 054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9
- memory/1048-5-0x0000000000000000-mapping.dmp
- memory/1152-2-0x000007FEF6550000-0x000007FEF67CA000-memory.dmp
  Filesize: 2.5MB
- memory/1948-3-0x0000000000000000-mapping.dmp