Analysis
-
max time kernel
118s -
max time network
117s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-03-2021 15:42
Behavioral task
behavioral1
Sample
subscription_1616167805.xlsb
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
subscription_1616167805.xlsb
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
subscription_1616167805.xlsb
-
Size
328KB
-
MD5
d17e780a23c19a5ce5c2a0d4abc19b55
-
SHA1
d3d73e9f08cb6d880dc163149d352a197dac7300
-
SHA256
056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7
-
SHA512
df94d5473166e9d73ee27a37793fa3bbdee409692cee61696b3dd7bf79c3604da14a09a7e27becf17fd59ab267fd8f6548026b7d5da232253800f0ee94602cab
Malware Config
Extracted
Language
xlm4.0
Source
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1792 2044 cmd.exe 24 -
Nloader Payload 4 IoCs
resource yara_rule behavioral1/memory/748-14-0x0000000000130000-0x0000000000139000-memory.dmp nloader behavioral1/memory/748-15-0x0000000010000000-0x0000000010007000-memory.dmp nloader behavioral1/memory/748-16-0x0000000000150000-0x0000000000155000-memory.dmp nloader behavioral1/memory/748-17-0x0000000000120000-0x0000000000126000-memory.dmp nloader -
Blocklisted process makes network request 2 IoCs
flow pid Process 3 748 rundll32.exe 5 748 rundll32.exe -
Executes dropped EXE 1 IoCs
pid Process 696 klga.exe -
Loads dropped DLL 3 IoCs
pid Process 748 rundll32.exe 748 rundll32.exe 748 rundll32.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2044 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2044 EXCEL.EXE 2044 EXCEL.EXE 2044 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1792 2044 EXCEL.EXE 27 PID 2044 wrote to memory of 1792 2044 EXCEL.EXE 27 PID 2044 wrote to memory of 1792 2044 EXCEL.EXE 27 PID 2044 wrote to memory of 1792 2044 EXCEL.EXE 27 PID 1792 wrote to memory of 1768 1792 cmd.exe 29 PID 1792 wrote to memory of 1768 1792 cmd.exe 29 PID 1792 wrote to memory of 1768 1792 cmd.exe 29 PID 1792 wrote to memory of 1768 1792 cmd.exe 29 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 1792 wrote to memory of 748 1792 cmd.exe 30 PID 748 wrote to memory of 696 748 rundll32.exe 35 PID 748 wrote to memory of 696 748 rundll32.exe 35 PID 748 wrote to memory of 696 748 rundll32.exe 35 PID 748 wrote to memory of 696 748 rundll32.exe 35
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1616167805.xlsb1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0 && rundll32 C:\Users\Public\1171.0,DF2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\certutil.execertutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.03⤵PID:1768
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Public\1171.0,DF3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748 -
C:\ProgramData\klga\klga.exe"C:\ProgramData\klga\klga.exe"4⤵
- Executes dropped EXE
PID:696
-
-
-