Analysis
max time kernel: 136s
max time network: 131s
platform: windows10_x64
resource: win10v20201028
submitted: 15-01-2021 07:19
Behavioral tasks
behavioral1: sample maybeice.xlsb, resource win7v20201028
behavioral2: sample maybeice.xlsb, resource win10v20201028
General
Target: maybeice.xlsb
Size: 80KB
MD5: 79f07a91462a30ffd08e5d5df0b818f4
SHA1: c257b63ed7184c9da9c59318f927a9c948d88261
SHA256: 547477332bd0dde997b697e6f74110ff4af5b41ad0d71dee3d3f51d4c3db3bc5
SHA512: f87242140303ff78e38c642af7416deb078781af3864f7e52b5867f8a792437d48478d169ec291947290515d9d5ba92b8dd92821dcbbaa049e0b66f87ff322a2
Malware Config
Signatures
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: certutil.exe, rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4228 | 4760 | certutil.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1256 | 4760 | rundll32.exe | EXCEL.EXE
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
flow | pid | process
21 | 1372 | rundll32.exe
23 | 1372 | rundll32.exe
24 | 1372 | rundll32.exe
26 | 1372 | rundll32.exe
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | process
1372 | rundll32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
pid | process
4760 | EXCEL.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
pid | process
4760 | EXCEL.EXE
4760 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
pid | process
4760 | EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: EXCEL.EXE, rundll32.exe
description | pid | process | target process
PID 4760 wrote to memory of 4228 | 4760 | EXCEL.EXE | certutil.exe
PID 4760 wrote to memory of 4228 | 4760 | EXCEL.EXE | certutil.exe
PID 4760 wrote to memory of 1256 | 4760 | EXCEL.EXE | rundll32.exe
PID 4760 wrote to memory of 1256 | 4760 | EXCEL.EXE | rundll32.exe
PID 1256 wrote to memory of 1372 | 1256 | rundll32.exe | rundll32.exe
PID 1256 wrote to memory of 1372 | 1256 | rundll32.exe | rundll32.exe
PID 1256 wrote to memory of 1372 | 1256 | rundll32.exe | rundll32.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\maybeice.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\certutil.exe (level 2)
    Command line: "C:\Windows\System32\certutil.exe" -decodehex C:\Users\Public\4646.txt C:\Users\Public\4646.dll
    - Process spawned unexpected child process
  - C:\Windows\System32\rundll32.exe (level 2)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\4646.dll,D
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (level 3)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\4646.dll,D
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\4646.dll
  MD5: 09aa345445d3b9770f913be946a56738
  SHA1: 2c745814ef7f3e1cefe6e468532422c5d0071aeb
  SHA256: 37998fece4feb0a46bed59ef538fbfc61c457fa0187e42643e4a42aec94dbf77
  SHA512: 054ed6d18943f6b581d39aef83b57179b1091344bf60ca7cdd060b10e62b693087076d77433353503685be96d94a19dde84c20c4db0d9c025280d90c716bb2f9
- C:\Users\Public\4646.txt
  MD5: 652620d75f7d14f0b5fb7adaef835c11
  SHA1: be88d1a4be7db5170f26cb3068783cb78ad92cf4
  SHA256: c8f9a6c0d639d9dbe1c432ca1415fa1129f7c1cda3e8febb4dc961763039a774
  SHA512: 7ee326b9621285e412811cd01e829e789a89d8916cd39bb45eed92b82615e8595e704c30cfc674778f929249b387a510e0996c105e81eec56670871ca9da7f79
- memory/1256-5-0x0000000000000000-mapping.dmp
- memory/1372-7-0x0000000000000000-mapping.dmp
- memory/4228-3-0x0000000000000000-mapping.dmp
- memory/4760-2-0x00007FF942060000-0x00007FF942697000-memory.dmp (Filesize: 6.2MB)