Resubmissions
28-02-2021 17:05
210228-pjgnbjwth2 827-02-2021 12:13
210227-bpkha5za7s 827-02-2021 04:19
210227-7c1xkzg346 1027-02-2021 03:32
210227-2xwvzgykxs 827-02-2021 03:29
210227-qgrlcph782 827-02-2021 03:16
210227-k82qfdjlve 827-02-2021 02:45
210227-mjxh7bv4wj 827-02-2021 02:23
210227-w6qfkjy5ha 827-02-2021 02:06
210227-r385kvgs32 826-02-2021 23:10
210226-yds8gthfax 8Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-02-2021 17:05
Behavioral task
behavioral1
Sample
Doc_3744.xls
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Doc_3744.xls
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
Doc_3744.xls
-
Size
62KB
-
MD5
47e22049644647ee854cedfe077156e7
-
SHA1
20ad9f47616a8272dece2ec1039a88c09412c97c
-
SHA256
5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a
-
SHA512
1eeb87173378f4d0e157ee42f5b28e48ff84a35b44d71f004a6180cc2bdbc09e45c071adc7ab0a94c75071fbe3ee13b939ee8cb216b6f2e06c9c24ca34dbbf1b
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "23" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1920" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "321300726" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://login.live.com/" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url8 = 0000000000000000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://juvgays.com/" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "1975" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1981" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://google.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "23" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "23" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "887" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url8 = "https://twitter.com/" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url8 = "https://login.live.com/" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009c93870f2a3dd4082dc1f3b0d06483000000000020000000000106600000001000020000000e7560bd721f9de43d87b79d2fbc52b00e595cd051f623ff4b73954cf1fb04c57000000000e8000000002000020000000613c3c48ad7d832419c08bdffea0d29e3a36ffc2c4e32b5d4cbe2c48898e564820000000aea4da8648053913cd45d2cbcc59c7ad56d3d1aecbd067f780789a43b54aa5c440000000fdf382d0b4843b5a0306b2d051edaf43551e1565da7ea489d9250afed0cef652ff026fab134e7525ad794d28538573d240c298ad715eb7b51c8d121811410ed9 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "321317320" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "321349312" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1975" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url9 = 0000000000000000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "1939" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009c93870f2a3dd4082dc1f3b0d064830000000000200000000001066000000010000200000009561f56d7a05376aa7bf06b2eabd25506924b6e938152320143530102584f24e000000000e80000000020000200000006fab258025c92c809fdf01aa3c08c503ceddfebc4b0b330a26e4cfeb44318b8920000000656cff8475f444ad7530ee25dbbe6d782d0711389104a0a3443dc46f981b402b400000007424b5a4f720d2e8519dbff1c053ffcfb3eae29ca6dc08879ecad4648dbb94c5507ef5aed0c489bd99207fe28b6c9b9c8adf5345df2c814c76d1c975a16c138e iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009c93870f2a3dd4082dc1f3b0d064830000000000200000000001066000000010000200000005c0c680e8b8e83e38980860752264280982ad4cb3f21c7305b44efedcab738d0000000000e8000000002000020000000f4cb7047347ea257bba7f56c8d8aa9bf0f2a7e5745df8c8148989b42b5eaaf74200000005150e9a486379ccb8cca199ded7de2d2d09c1ba42d667a00cb373ad31c427ad240000000526744f258e57108278c623e98d385e987245afc26c6dc39d835c336455d3dd9224b5aa88ed281a93e95bc3f097e23db18ba2d1074fe6e683e693610ddf67d9d iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = b3d270dffc0dd701 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "32" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.aliexpress.com/" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b08feffc0dd701 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D4B0788-79F0-11EB-B59A-420BDBE9923E} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 799500eefc0dd701 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30871036" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "1975" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3788281636" iexplore.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 880 EXCEL.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2116 IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 648 iexplore.exe -
Suspicious use of SetWindowsHookEx 27 IoCs
pid Process 648 iexplore.exe 648 iexplore.exe 880 EXCEL.EXE 880 EXCEL.EXE 2116 IEXPLORE.EXE 2116 IEXPLORE.EXE 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 648 iexplore.exe 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 880 EXCEL.EXE 2116 IEXPLORE.EXE 2116 IEXPLORE.EXE 4300 IEXPLORE.EXE 4300 IEXPLORE.EXE 648 iexplore.exe 648 iexplore.exe 648 iexplore.exe 648 iexplore.exe 648 iexplore.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 648 wrote to memory of 2116 648 iexplore.exe 80 PID 648 wrote to memory of 2116 648 iexplore.exe 80 PID 648 wrote to memory of 2116 648 iexplore.exe 80 PID 648 wrote to memory of 4300 648 iexplore.exe 88 PID 648 wrote to memory of 4300 648 iexplore.exe 88 PID 648 wrote to memory of 4300 648 iexplore.exe 88
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_3744.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:880
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:648 CREDAT:82945 /prefetch:22⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2116
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:648 CREDAT:148483 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4300
-