Analysis
- max time kernel: 69s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-02-2021 20:40
Behavioral task: behavioral1
- Sample: Document1094680387_02012021.xls
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Document1094680387_02012021.xls
- Resource: win10v20201028
General
- Target: Document1094680387_02012021.xls
- Size: 63KB
- MD5: 9423ee9775707d51960e0eac95b3f6cc
- SHA1: debc0defc997fde77a2f0cee9b3b1fcbed54ea91
- SHA256: 7034e21128da9ce58c2d5249d3fd73dd766cf90437fa52f79faa50098f359634
- SHA512: 0cff3519c5453bdeb13201849c571cbb142ed6780c2e6cae572104904af1190ff4d4e068ff0109953745b153fc219c618519318cadd4dcac300b3d280643bc53
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
    pid: 668 | pid_target: 776 | process: rundll32.exe | target process: EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process: EXCEL.EXE)
- Modifies Internet Explorer settings
  Processes (all by EXCEL.EXE):
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE (PID 776)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE (PID 776), 3 occurrences
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 776 (EXCEL.EXE) wrote to memory of PID 668 (rundll32.exe), 7 occurrences
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document1094680387_02012021.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 ..\MORI.BAST,DllRegisterServer
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\MORI.BAST
  MD5: e26ee80220371f5321384cd23c4235c4
  SHA1: 330b69b8e3463651a683419cdcdeb35f79650094
  SHA256: b0817350c3c25ecf4cfbe28c8839e4c09f3a5b813c96ef62861b707ba2ae1742
  SHA512: 1f486c027cf5fe3efeb9e5601ab43e2201866f28db9226d02cb2727cb29e3b450d171cdd7454982d162dcc495141b86f2c28502678d9cfaa484f666ce116fb5b
- memory/668-6-0x0000000000000000-mapping.dmp
- memory/668-7-0x0000000076071000-0x0000000076073000-memory.dmp (Filesize: 8KB)
- memory/776-2-0x000000002FBC1000-0x000000002FBC4000-memory.dmp (Filesize: 12KB)
- memory/776-3-0x0000000071371000-0x0000000071373000-memory.dmp (Filesize: 8KB)
- memory/776-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1780-5-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp (Filesize: 2.5MB)