Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-01-2021 15:54
Behavioral task
behavioral1
Sample
PQ_7498.xls
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PQ_7498.xls
Resource
win10v20201028
General
-
Target
PQ_7498.xls
-
Size
33KB
-
MD5
20ce34e6dfd1f17d5e1e8564167c23bd
-
SHA1
984045d9a670b781f4712611c87cc191380ef6f9
-
SHA256
f9adf499bc16bfd096e00bc59c3233f022dec20c20440100d56e58610e4aded3
-
SHA512
ef7fddfbbdb40f6b75d838397cad454a51822cbfec5e2dfbb8401784c518de74e9d707f9c44db2054be208735dba903035f1b75d7384fec5dc4c78275494514b
Malware Config
Extracted
http://indiamedicalshow.com/visitors.php
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1980 1864 rundll32.exe EXCEL.EXE -
JavaScript code in executable 2 IoCs
Processes:
yara_rule js C:\Users\Public\Documents\KsB.txt js -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1864 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
EXCEL.EXEpid process 1864 EXCEL.EXE 1864 EXCEL.EXE 1864 EXCEL.EXE 1864 EXCEL.EXE 1864 EXCEL.EXE 1864 EXCEL.EXE 1864 EXCEL.EXE 1864 EXCEL.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe PID 1864 wrote to memory of 1980 1864 EXCEL.EXE rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PQ_7498.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\KsB.txt,DllRegisterServer2⤵
- Process spawned unexpected child process
PID:1980
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\KsB.txtMD5
4e5ce89c3b918418f0ba2877ddbac681
SHA1836a131d71181eaeef36a5335433401aa9d5336e
SHA256785ecbcaf597a8ac22c6a80a3c11f6927dfe6b6bceff2fa8a121df2484b20e33
SHA5129724b5f2d225e1eaa8b591794ffb16a4fb79497eaf9b9040637ca5174ca8fb91f8406f9fc1941e9fd379e8bcd8c742196f8c66e39d871c71ab1715d508eecaec
-
memory/968-5-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmpFilesize
2.5MB
-
memory/1864-2-0x000000002FBA1000-0x000000002FBA4000-memory.dmpFilesize
12KB
-
memory/1864-3-0x0000000071201000-0x0000000071203000-memory.dmpFilesize
8KB
-
memory/1864-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1980-6-0x0000000000000000-mapping.dmp
-
memory/1980-7-0x00000000760B1000-0x00000000760B3000-memory.dmpFilesize
8KB