Analysis
-
max time kernel
74s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-03-2021 12:29
Behavioral task
behavioral1
Sample
document-386407988.xls
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
document-386407988.xls
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
document-386407988.xls
-
Size
39KB
-
MD5
1fa4dc11ca13bb6b0007697ea948d103
-
SHA1
34490a498d48b0aa3a8714811f72359f1e68b633
-
SHA256
d90f43e55fea4004620ef90b8a8440493e23e4035b208afaaff7262453217903
-
SHA512
0852782c9db46fff15a6a5c82f29f79d49593ae0109109aa3d0e186ab1a3c7ab0e440a4803b847bd36c75132a71fe0ceb9332aac0d8ba2e6c1bd2b65356bdf87
Score
10/10
Malware Config
Extracted
Language
xlm4.0
Source
URLs
xlm40.dropper
http://dzw10jpcgj03fckc.com/inda.xls
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1156 292 rundll32.exe EXCEL.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 292 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
EXCEL.EXEpid process 292 EXCEL.EXE 292 EXCEL.EXE 292 EXCEL.EXE 292 EXCEL.EXE 292 EXCEL.EXE 292 EXCEL.EXE 292 EXCEL.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1156 292 EXCEL.EXE rundll32.exe PID 292 wrote to memory of 1636 292 EXCEL.EXE splwow64.exe PID 292 wrote to memory of 1636 292 EXCEL.EXE splwow64.exe PID 292 wrote to memory of 1636 292 EXCEL.EXE splwow64.exe PID 292 wrote to memory of 1636 292 EXCEL.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-386407988.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 ..\fkruf.djr,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/292-2-0x000000002F411000-0x000000002F414000-memory.dmpFilesize
12KB
-
memory/292-3-0x0000000071CE1000-0x0000000071CE3000-memory.dmpFilesize
8KB
-
memory/292-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/292-5-0x0000000002050000-0x0000000002051000-memory.dmpFilesize
4KB
-
memory/1156-8-0x0000000000000000-mapping.dmp
-
memory/1156-9-0x0000000076861000-0x0000000076863000-memory.dmpFilesize
8KB
-
memory/1636-10-0x0000000000000000-mapping.dmp
-
memory/1636-11-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmpFilesize
8KB
-
memory/1752-7-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmpFilesize
2.5MB