3e43ec6538c8a8e0e3eee05ddfe1f304e9d42c9647c7df186c61c5e2d3c6218d

General

Target

Documents_2107120546.xls
Size

273KB
MD5

ab63a0153a6fe4e139ad83a6ffbab090
SHA1

1995e0863944a36b315a04b3ad7d073d50e16d05
SHA256

3e43ec6538c8a8e0e3eee05ddfe1f304e9d42c9647c7df186c61c5e2d3c6218d
SHA512

b2bd1ed261d87760265f82304f6feb4981d994217350325bb3e8715355f8acdeb782936861b18513544f8873ee344699670415d3e74798fa18ac256dad200a78

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	296	1048	rundll32.exe	EXCEL.EXE

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

34 3868 msiexec.exe
36 3868 msiexec.exe
38 3868 msiexec.exe
40 3868 msiexec.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3028 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3028 set thread context of 3868 3028 rundll32.exe msiexec.exe

flow	pid	process
34	3868	msiexec.exe
36	3868	msiexec.exe
38	3868	msiexec.exe
40	3868	msiexec.exe

pid	process
3028	rundll32.exe

description	pid	process	target process
PID 3028 set thread context of 3868	3028	rundll32.exe	msiexec.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1048 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 3868 msiexec.exe
Token: SeSecurityPrivilege 3868 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	3868	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 1048 wrote to memory of 296	1048	EXCEL.EXE	rundll32.exe
PID 1048 wrote to memory of 296	1048	EXCEL.EXE	rundll32.exe
PID 296 wrote to memory of 3028	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 3028	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 3028	296	rundll32.exe	rundll32.exe
PID 3028 wrote to memory of 3868	3028	rundll32.exe	msiexec.exe
PID 3028 wrote to memory of 3868	3028	rundll32.exe	msiexec.exe
PID 3028 wrote to memory of 3868	3028	rundll32.exe	msiexec.exe
PID 3028 wrote to memory of 3868	3028	rundll32.exe	msiexec.exe
PID 3028 wrote to memory of 3868	3028	rundll32.exe	msiexec.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents_2107120546.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\sfdgsd.dss,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\sfdgsd.dss,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sfdgsd.dss

MD5
c6b02277b3dd7e0fd1133cf9290cdef6

SHA1
754cc1546ceafe9f62db188e214d5696aed609d5

SHA256
d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c

SHA512
e5702c48ce1dcdde8c059502f4c316ec31dd02ff0995ce33ebadbca913d31d0e213089c162e8cdbe356f7ca806e00ffe5f00f4ccc7ed97b6a09966fad392a701

Download Submit
\Users\Admin\sfdgsd.dss

MD5
c6b02277b3dd7e0fd1133cf9290cdef6

SHA1
754cc1546ceafe9f62db188e214d5696aed609d5

SHA256
d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c

SHA512
e5702c48ce1dcdde8c059502f4c316ec31dd02ff0995ce33ebadbca913d31d0e213089c162e8cdbe356f7ca806e00ffe5f00f4ccc7ed97b6a09966fad392a701

Download Submit
memory/296-7-0x0000000000000000-mapping.dmp

Download
memory/1048-5-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp

Filesize
64KB

Download
memory/1048-6-0x00007FFA6A5A0000-0x00007FFA6ABD7000-memory.dmp

Filesize
6.2MB

Download
memory/1048-2-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp

Filesize
64KB

Download
memory/1048-4-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp

Filesize
64KB

Download
memory/1048-3-0x00007FFA46D50000-0x00007FFA46D60000-memory.dmp

Filesize
64KB

Download
memory/3028-9-0x0000000000000000-mapping.dmp

Download
memory/3028-11-0x0000000073DF0000-0x0000000073E19000-memory.dmp

Filesize
164KB

Download
memory/3028-12-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3868-13-0x0000000000000000-mapping.dmp

Download
memory/3868-14-0x0000000003210000-0x0000000003239000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads