5b8a82fc7209d40dff72c6e53a9cd35f66f2eef949e6cc84c5f24049a1b12a80

General

Target

8272133.xlsb
Size

84KB
MD5

6df494468bdd94b1748fc514bbfdf784
SHA1

d7e2ae2fea1f1bbf8f677f431bd98a39c4bc8039
SHA256

5b8a82fc7209d40dff72c6e53a9cd35f66f2eef949e6cc84c5f24049a1b12a80
SHA512

86fd1323fcb150bf0b85a221d5f5f29d576dfd00b609a34323149c0e4469697ee4226208332311513457186fbb1d94cd5fb6fc5627e8b4a8969b77de31a541e1

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	268	1096	certutil.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	760	1096	rundll32.exe	EXCEL.EXE

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

760 rundll32.exe
760 rundll32.exe
760 rundll32.exe
760 rundll32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
760	rundll32.exe
760	rundll32.exe
760	rundll32.exe
760	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE

pid	process
1096	EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1096 wrote to memory of 268	1096	EXCEL.EXE	certutil.exe
PID 1096 wrote to memory of 268	1096	EXCEL.EXE	certutil.exe
PID 1096 wrote to memory of 268	1096	EXCEL.EXE	certutil.exe
PID 1096 wrote to memory of 268	1096	EXCEL.EXE	certutil.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe
PID 1096 wrote to memory of 760	1096	EXCEL.EXE	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8272133.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\ngs.txt C:\Users\Public\ngs.dll
2⤵
- Process spawned unexpected child process
PID:268

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\ngs.dll,Bi
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ngs.dll
MD5
4b0260238ebc3505d81084bbdc912912

SHA1
88e203c30ff8eb3e8051b19a516ebb0cf33e4531

SHA256
df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f

SHA512
88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2

Download Submit
C:\Users\Public\ngs.txt
MD5
a36fa35b637d92564f3c04a00f250513

SHA1
035b9ca474094ec1239a98014441cd0dca19fa4f

SHA256
42bd1b9f1d7b902e287eeec108d7375a7cbcb91c381bd98dc4a369286c517aa7

SHA512
2fd811c88af97c0625f8dc89ff335b61d4be3ffe4c6a85aaf42a80cb4f956bc68a65c270a5ea6e9b4764cc6d8acab1e9be677d1bd51e3dca8f75f997f73e3d95

Download Submit
\Users\Public\ngs.dll
MD5
4b0260238ebc3505d81084bbdc912912

SHA1
88e203c30ff8eb3e8051b19a516ebb0cf33e4531

SHA256
df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f

SHA512
88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2

Download Submit
\Users\Public\ngs.dll
MD5
4b0260238ebc3505d81084bbdc912912

SHA1
88e203c30ff8eb3e8051b19a516ebb0cf33e4531

SHA256
df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f

SHA512
88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2

Download Submit
\Users\Public\ngs.dll
MD5
4b0260238ebc3505d81084bbdc912912

SHA1
88e203c30ff8eb3e8051b19a516ebb0cf33e4531

SHA256
df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f

SHA512
88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2

Download Submit
\Users\Public\ngs.dll
MD5
4b0260238ebc3505d81084bbdc912912

SHA1
88e203c30ff8eb3e8051b19a516ebb0cf33e4531

SHA256
df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f

SHA512
88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2

Download Submit
memory/268-3-0x0000000000000000-mapping.dmp

Download
memory/760-5-0x0000000000000000-mapping.dmp

Download
memory/1740-2-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads