Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 02-03-2021 13:36
Behavioral task: behavioral1
Sample: Attachment_98708.xlsb
Resource: win7v20201028

Behavioral task: behavioral2
Sample: Attachment_98708.xlsb
Resource: win10v20201028
General
Target: Attachment_98708.xlsb
Size: 197KB
MD5: dd5169f2cfc9499eb9eef5ddf6862fb9
SHA1: e3730d93ee0d88808dbe566c84bca090a3fe7dcc
SHA256: 56de3c08f5bebe5e57a644e893eb944479991c2bf3c9e814572b53313e16c28d
SHA512: 577d9a6c7eab62aa87e779ebba4e8451fcac7fd8c8b9d8cdc04ba1bd42b889fa1652fc30c72481cfde7c63722e0943202a576e6e37b165d6289413fb3c8c0434
Malware Config
Extracted: http://195.123.219.21/campo/t3/t3
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1144 | 2008 | rundll32.exe | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Modifies Internet Explorer settings
Processes: EXCEL.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
  pid | process
  2008 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: EXCEL.EXE
  pid | process
  2008 | EXCEL.EXE (the same entry is recorded 7 times)

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: EXCEL.EXE
  description | pid | process | target process
  PID 2008 wrote to memory of 1144 | 2008 | EXCEL.EXE | rundll32.exe (the same entry is recorded 7 times)
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Attachment_98708.xlsb
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\rundll32.exe (spawned by process 1)
   Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\uoxv\86.dll,DllRegisterServer
   - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\uoxv\86.dll
  MD5: f924307585414b492a92b88549e508ef
  SHA1: a0e02d0b6a2df0dafb673cb24eb7bfa2c98878cf
  SHA256: 56ba39ea806f85b94fc19aaaf4ca0fdcf920418568cdca3e026d83dd936b8aeb
  SHA512: 9396ef1403ba389650b95953dcc0d96465ee22f4fc013af2968b78da96c7c903a715e32cec344e3a80d22aea4705d732a2416b1e233c7868b396bd07a7252dd3

memory/1144-6-0x0000000000000000-mapping.dmp
memory/1144-7-0x0000000075EA1000-0x0000000075EA3000-memory.dmp (Filesize: 8KB)
memory/1764-5-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp (Filesize: 2.5MB)
memory/2008-2-0x000000002F821000-0x000000002F824000-memory.dmp (Filesize: 12KB)
memory/2008-3-0x0000000070FA1000-0x0000000070FA3000-memory.dmp (Filesize: 8KB)
memory/2008-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)