Analysis
-
max time kernel
71s -
max time network
15s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
12-03-2021 04:45
Behavioral task
behavioral1
Sample
詳細情報.xlsb
Resource
win7v20201028
General
-
Target
詳細情報.xlsb
-
Size
153KB
-
MD5
cb5a37aac155775daed9abcfd680f39c
-
SHA1
75cfc87fe3f6f517e684729a558358fd5d492599
-
SHA256
426edb65615875c5f8fd31118142f0b3d2e29b360a7995d69d58803e61c1f81e
-
SHA512
cd12773f8a606b0e04e7e02f4b8f1abab1c8efb13008ee6134771954c857f32df6dfd7f74b5a43d206eae40ceac4219e09910c22918a02f2a57e95f747d9b39f
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
certutil.exerundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1612 1856 certutil.exe EXCEL.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1772 1856 rundll32.exe EXCEL.EXE -
Nloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1772-13-0x00000000001C0000-0x00000000001C9000-memory.dmp nloader behavioral1/memory/1772-14-0x0000000010000000-0x0000000010007000-memory.dmp nloader behavioral1/memory/1772-17-0x00000000001B0000-0x00000000001B7000-memory.dmp nloader -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 1772 rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1760 1772 WerFault.exe rundll32.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1856 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1760 WerFault.exe 1760 WerFault.exe 1760 WerFault.exe 1760 WerFault.exe 1760 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1760 WerFault.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 1856 EXCEL.EXE 1856 EXCEL.EXE 1856 EXCEL.EXE 1856 EXCEL.EXE 1856 EXCEL.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
EXCEL.EXErundll32.exedescription pid process target process PID 1856 wrote to memory of 1612 1856 EXCEL.EXE certutil.exe PID 1856 wrote to memory of 1612 1856 EXCEL.EXE certutil.exe PID 1856 wrote to memory of 1612 1856 EXCEL.EXE certutil.exe PID 1856 wrote to memory of 1612 1856 EXCEL.EXE certutil.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1856 wrote to memory of 1772 1856 EXCEL.EXE rundll32.exe PID 1772 wrote to memory of 1760 1772 rundll32.exe WerFault.exe PID 1772 wrote to memory of 1760 1772 rundll32.exe WerFault.exe PID 1772 wrote to memory of 1760 1772 rundll32.exe WerFault.exe PID 1772 wrote to memory of 1760 1772 rundll32.exe WerFault.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\詳細情報.xlsb1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\certutil.exe"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi1635.png C:\Users\Public\jahi1635.pn2⤵
- Process spawned unexpected child process
PID:1612
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi1635.pn,DF j12⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 3323⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8a9a8739404210e7e454dc2466872f23
SHA1a3dbb6cb1eed87147f734c933e087bd66954ca18
SHA2568229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4
SHA5122479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e
-
MD5
a72d21e3af2cefc6ce364953a8e2d8b5
SHA134ed7ede30fee07b0bf64b56404bd5d43dad0be9
SHA2560bd28eb6cbff3d7344f3e5718729ada8317edcf16e231f925dafd964cc44dcad
SHA512606b0694680d5c4b350bc2c48b3e15399fcd94ced1977f5d423a58af2c789d72dc19e9371f1db0b7d0c953b211785851e19666dcd347d8a6a03b325eddbc4ec1
-
MD5
8a9a8739404210e7e454dc2466872f23
SHA1a3dbb6cb1eed87147f734c933e087bd66954ca18
SHA2568229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4
SHA5122479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e