Analysis
- max time kernel: 71s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-02-2021 11:46
Behavioral task
behavioral1
- Sample: document-1087888573.xls
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: document-1087888573.xls
- Size: 315KB
- MD5: 0d16e6e549190be8fa9203dbdb49a86c
- SHA1: 290482b1d71993fbf1b78faa193b4babafb16b89
- SHA256: adb1792503545b345fb3c79a4c490a5e27de7b13bca2de9fcea8941d239ae3cb
- SHA512: 9d2cbb8ddbf8858882e40efba08063ff7fa6953795f2fd25a4cd3c53a56215074d65b492fc53c34b8e1aa06cb58cca763dcdf2bea5a69c2800c66ae3963f4ab4
- Score: 10/10
Malware Config
Extracted
- Language: xlm4.0
- Source: xlm40.dropper
- URLs: https://intellectsmart.in/ds/1702.gif
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- rundll32.exe
  - description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  - pid: 744
  - pid_target: 1824
  - process: rundll32.exe
  - target process: EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
- EXCEL.EXE
  - description: Key opened
  - ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
  - process: EXCEL.EXE
Modifies Internet Explorer settings
Processes:
- EXCEL.EXE
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  - Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- EXCEL.EXE (pid 1824)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
- EXCEL.EXE (pid 1824), reported 7 times
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- EXCEL.EXE
  - description: PID 1824 wrote to memory of 744
  - pid: 1824
  - process: EXCEL.EXE
  - target process: rundll32.exe
  - reported 7 times
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1087888573.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 ..\woifm.cjd,DllRegisterServer
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/744-6-0x0000000000000000-mapping.dmp
- memory/744-7-0x00000000760F1000-0x00000000760F3000-memory.dmp (Filesize: 8KB)
- memory/748-5-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp (Filesize: 2.5MB)
- memory/1824-2-0x000000002F931000-0x000000002F934000-memory.dmp (Filesize: 12KB)
- memory/1824-3-0x00000000719D1000-0x00000000719D3000-memory.dmp (Filesize: 8KB)
- memory/1824-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)