Resubmissions
- 14-04-2021 05:08  210414-2h2gjv4lte  10
- 15-01-2021 07:27  210115-psaae3dxjj  10
- 27-10-2020 21:10  201027-xsnh8cl69j  10

Analysis
- max time kernel: 291s
- max time network: 292s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 07:27

Behavioral task: behavioral1
- Sample: 8272133.xlsb
- Resource: win7v20201028
General
- Target: 8272133.xlsb
- Size: 84KB
- MD5: 6df494468bdd94b1748fc514bbfdf784
- SHA1: d7e2ae2fea1f1bbf8f677f431bd98a39c4bc8039
- SHA256: 5b8a82fc7209d40dff72c6e53a9cd35f66f2eef949e6cc84c5f24049a1b12a80
- SHA512: 86fd1323fcb150bf0b85a221d5f5f29d576dfd00b609a34323149c0e4469697ee4226208332311513457186fbb1d94cd5fb6fc5627e8b4a8969b77de31a541e1
Malware Config
Extracted
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 268 | 1096 | certutil.exe | EXCEL.EXE
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 760 | 1096 | rundll32.exe | EXCEL.EXE
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
    760 | rundll32.exe
    760 | rundll32.exe
    760 | rundll32.exe
    760 | rundll32.exe
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings (9 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    1096 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
    1096 | EXCEL.EXE
    1096 | EXCEL.EXE
    1096 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 1096 wrote to memory of 268 | 1096 | EXCEL.EXE | certutil.exe
    PID 1096 wrote to memory of 268 | 1096 | EXCEL.EXE | certutil.exe
    PID 1096 wrote to memory of 268 | 1096 | EXCEL.EXE | certutil.exe
    PID 1096 wrote to memory of 268 | 1096 | EXCEL.EXE | certutil.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
    PID 1096 wrote to memory of 760 | 1096 | EXCEL.EXE | rundll32.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8272133.xlsb
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\certutil.exe
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\ngs.txt C:\Users\Public\ngs.dll
    - Process spawned unexpected child process
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Public\ngs.dll,Bi
    - Process spawned unexpected child process
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\ngs.dll
  MD5: 4b0260238ebc3505d81084bbdc912912
  SHA1: 88e203c30ff8eb3e8051b19a516ebb0cf33e4531
  SHA256: df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f
  SHA512: 88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2
- C:\Users\Public\ngs.txt
  MD5: a36fa35b637d92564f3c04a00f250513
  SHA1: 035b9ca474094ec1239a98014441cd0dca19fa4f
  SHA256: 42bd1b9f1d7b902e287eeec108d7375a7cbcb91c381bd98dc4a369286c517aa7
  SHA512: 2fd811c88af97c0625f8dc89ff335b61d4be3ffe4c6a85aaf42a80cb4f956bc68a65c270a5ea6e9b4764cc6d8acab1e9be677d1bd51e3dca8f75f997f73e3d95
- \Users\Public\ngs.dll
  MD5: 4b0260238ebc3505d81084bbdc912912
  SHA1: 88e203c30ff8eb3e8051b19a516ebb0cf33e4531
  SHA256: df6228d7e1d1651ecb3e00582170bbc639e5d2d683967d4f96b33f46772b825f
  SHA512: 88e241a2b377b913e7bd63e3de52dbe1748cdd954a647c76d69547c385bc16cc101255a414d0ccfb56ad7cd5590e7b396dfc0309d56ca9ece4b3e38ce7552ae2
- memory/268-3-0x0000000000000000-mapping.dmp
- memory/760-5-0x0000000000000000-mapping.dmp
- memory/1740-2-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp
  Filesize: 2.5MB