hxxps://drive[.]google[.]com/file/d/11krsKw6Il3FgXhq0fQVfbiqVYp19XnzB/view?usp=sharing

General

Target

https://drive.google.com/file/d/11krsKw6Il3FgXhq0fQVfbiqVYp19XnzB/view?usp=sharing
Sample

210311-6q3g6zejhn

Score

10^/10

macro xlm

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OMGUDWI7\45340.xlsm.b1q6u18.partial	office_xlm_macros

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 18116546bf16d701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEEXCEL.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B704621-82B2-11EB-9E5C-424ABE5A776C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000330fab84dcf2a943b18c1e2f84527e98000000000200000000001066000000010000200000008c0b659d5f2a67ddd1e02e5a7059da9dc7f45b1c0d115ffa9e7016a9d5788ea8000000000e80000000020000200000007d4798aa3a96bb0d08a5594b6486cb126b7c3b5024e291e196acc1d7bd3da0fd200000002b01e04e64fe824738da5f3b6a10fb09207c923f8509d42e6ca99429c542c18b400000009734c1cc4e34d13d9a1a96a07a38ff26e7d135ebfba2df979224311665b234c9ae5261a66024da384a80245cbdd8e795e14b6dc70d2644000179001786ac9482	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\drive.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000330fab84dcf2a943b18c1e2f84527e98000000000200000000001066000000010000200000005bbd2d68fb19f7352ccaf4facd2b9bf7a85bc5d3b35eda762b9a245623086319000000000e8000000002000020000000b6a45c1e2521184e4140e544e0c5823a10b21c8de857e982fb85899544d00d0690000000dfca56e0083f020cccba0fe362a6901c9fab02bc5276412afbd2fcfedd347fd1ba16b9e0f8e9f242685011eb6d51e581047ac6e11228f979862369911fe14de2e11f0d3163433e65da1f286252c77e4de89b128865ebe534333a1a490732710d5349d59858ca7dec528eb3d9970054a2875f01a7347d667823f205d3029618112c00ec1d14082dcf0e92f24f18e04a50400000006aa829a32e1ac827b703705e50e72ae98cd6a1ca5f68b0fd1a9fa0cca9f71947bbeb71d7f79da728a935df47c61f608d825931e094c875a3cb7f4ee0db37d862	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "322263840"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805e1e54bf16d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

804 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1932 iexplore.exe
1932 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

iexplore.exe

pid process

1932 iexplore.exe

pid	process
804	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEEXCEL.EXE

pid	process
1932	iexplore.exe
1932	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1932 wrote to memory of 1800	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1800	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1800	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1800	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1480	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1480	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1480	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1480	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE
PID 1932 wrote to memory of 804	1932	iexplore.exe	EXCEL.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/11krsKw6Il3FgXhq0fQVfbiqVYp19XnzB/view?usp=sharing
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:668676 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1c67b61dfb1d4a83dd74fd8eff0c5e52

SHA1
820c04757e835e414c397b65fc95469eacb973d9

SHA256
8a2f0234c33e0bbb8b74259d870a1d3689a85fe160d3c4c8af8160051d979777

SHA512
abfde59d2649ff9ac009184b87eaed50d4ec3d1774075cd3e0a124a25b5552dd3ba5cd5a04908def0e4cf6907f191be52931413561894ba0578971d19e8304d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
88d5acb86f9de587a9bb704d9343bdee

SHA1
75b12fd88b0975665a00bed1460c0d6bdba317d2

SHA256
65afae60fa5685ef373f0468d3de5183116f5a3db07343ae751922846113d2e4

SHA512
ef6fad5d8a4fac1f4782b8d42bbf7b7805a46fbe13b7a21e5381d43d9608f179e3beed743512f34b5c544cd28f8dfc4ceaa26d422ffe089ca5d8e99969b9607e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OMGUDWI7\45340.xlsm.b1q6u18.partial
MD5
9b632bcee0e0f7c7b284f310fca3d724

SHA1
68d4a30d326fb48a44df2c020e59c5579779c18d

SHA256
326f7eeebdab427a01af2d2b831b8534c53f6558104462a809ed766ba7c4fcf0

SHA512
a89140d555a1818116f348441f22eccdde36806ca85a742d32a3f575b8fab71ea7d30301030451364d3392bdb3fdb33b4e06b753ebbf9e61c786df199ddc9d89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F0Z66OCT.txt
MD5
33331b7f4a10aa6f8bc9fac844f54f01

SHA1
287e381e13cc349d9f8949b8b33ba5200950e3b6

SHA256
301a6293f6a78c9c2c99db486125fab525f009941faf20866536fb6dcc1314ae

SHA512
adb2f6e3097dad0bc67375ac830998abea5d3b3e1cc3c0c70a577edd1ac46f84f593bb637dba5f2c6c063a962eda14d89a8f169676ac4e856b772a00be5ebf90

Download Submit
memory/804-10-0x0000000000000000-mapping.dmp

Download
memory/804-13-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/804-12-0x000000006E5F1000-0x000000006E5F3000-memory.dmp

Filesize
8KB

Download
memory/804-11-0x000000002F7E1000-0x000000002F7E4000-memory.dmp

Filesize
12KB

Download
memory/1480-5-0x0000000000000000-mapping.dmp

Download
memory/1480-6-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1800-3-0x0000000000000000-mapping.dmp

Download
memory/1932-8-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1972-2-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads