Analysis
- max time kernel: 101s
- max time network: 67s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 23:42

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Heur.29862.20151.xlsm
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Heur.29862.20151.xlsm
  Resource: win10v20210408

General
- Target: SecuriteInfo.com.Heur.29862.20151.xlsm
- Size: 170KB
- MD5: b0a053930116048ce5ba43eb505513ee
- SHA1: 8a22f50fd65575975722cee6169f51e3e497b2e6
- SHA256: 2db9aba962314d68dd87dd2404ce6533cd28e5bbc2098c591fc23b018c3a3982
- SHA512: e9511026d1e7ccf35ec610e7a9664a706610273dd43112ba0b90e531e03cec1c49eb4a4a3c7a093b0e320c718523e15a07ad7221ab5127edf5b7b5180e876249
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1600 | 1360 | rundll32.exe | EXCEL.EXE
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
These MenuExt and Toolbar values are the Office 2010 IE integration entries (OneNote and "Export to Microsoft Excel" context-menu items) that EXCEL.EXE writes on first run; on their own they are not evidence of malicious activity.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1360 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1360 | EXCEL.EXE
1360 | EXCEL.EXE
1360 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
PID 1360 wrote to memory of 1600 | 1360 | EXCEL.EXE | rundll32.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.29862.20151.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of EXCEL.EXE)
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\24228..dll" JsVarAddRef
    - Process spawned unexpected child process
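The two behavioural signatures that carry the verdict here are EXCEL.EXE spawning rundll32.exe with a DLL dropped under AppData\Roaming, and the WinHttp.WinHttpRequest.5 User-Agent on flow 3. Below is detection logic for both, run over process-creation and HTTP records modelled on the tree above. This is an added example, not the sandbox's own signature code: the Office-parent and LOLBin-child lists, the user-writable directory list, the User-Agent marker list and the sample events are all assumptions constructed for the demonstration. One detail it handles deliberately: the report shows the child's image under SysWOW64 while its command line names System32 (file-system redirection, since this Excel is 32-bit), so the matcher compares image file names rather than full paths.

```python
import re

# Assumed lists (ours, not the sandbox's): Office parents that have no
# business launching script/LOLBin hosts, and the hosts in question.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Directories any user can write to: a DLL loaded from here by an Office
# child is the dropper pattern the report shows (24228..dll under Roaming).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\")
# Substrings of User-Agent strings produced by COM/script HTTP clients
# rather than browsers (assumed marker list).
SCRIPT_UA_MARKERS = ("winhttp.winhttprequest", "msxml2.", "microsoft.xmlhttp")


def image_name(path):
    """Lower-cased file name of an image path. Comparing on the name folds
    the WoW64 redirection in the report (SysWOW64 image, System32 on the
    command line)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Windows-style tokenizer: a double-quoted run is one argument."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rundll32_target(cmdline):
    """(dll_path, export) for a rundll32 command line, else None.
    rundll32 accepts both 'x.dll,Export' and 'x.dll Export'."""
    args = split_cmdline(cmdline)
    if len(args) < 2 or image_name(args[0]) != "rundll32.exe":
        return None
    dll, _, export = args[1].partition(",")
    if not export and len(args) > 2:
        export = args[2]
    return dll, export


def check_process(ev):
    """Signatures derived from one process-creation event."""
    findings = []
    parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        findings.append({"signature": "Process spawned unexpected child process",
                         "pid": ev["pid"], "pid_target": ev["ppid"],
                         "process": child, "target_process": parent})
    if child == "rundll32.exe":
        target = rundll32_target(ev["cmdline"])
        if target and any(d in target[0].lower() for d in USER_WRITABLE):
            findings.append({"signature": "rundll32 loads DLL from user-writable path",
                             "pid": ev["pid"], "dll": target[0], "export": target[1]})
    return findings


def check_http(flow):
    """Script User-Agent signature for one HTTP flow."""
    ua = flow.get("user_agent", "")
    if any(m in ua.lower() for m in SCRIPT_UA_MARKERS):
        return [{"signature": "Script User-Agent", "flow": flow["flow"], "ioc": ua}]
    return []


def evaluate(proc_events, http_flows):
    findings = []
    for ev in proc_events:
        findings.extend(check_process(ev))
    for flow in http_flows:
        findings.extend(check_http(flow))
    return findings


# Constructed telemetry modelled on the process tree above; the third
# process is a benign control (rundll32 started by Explorer, system DLL).
SAMPLE_PROCS = [
    {"pid": 1360, "ppid": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.29862.20151.xlsm'},
    {"pid": 1600, "ppid": 1360,
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\24228..dll" JsVarAddRef'},
    {"pid": 2000, "ppid": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
SAMPLE_FLOWS = [
    {"flow": 3, "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"flow": 4, "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:88.0) Gecko/20100101 Firefox/88.0"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PROCS, SAMPLE_FLOWS):
        print(finding)
```

Against the constructed input this yields three findings: the unexpected-child hit for pid 1600 under 1360, the user-writable DLL path with export JsVarAddRef, and the Script User-Agent on flow 3; the Explorer-launched rundll32 loading shell32.dll produces nothing, which is the point of keeping the path check separate from the parent check.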
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\24228..dll
  MD5: 6cee0e603d9fe063dcf31a045b56ff2b
  SHA1: 415bbe79c86fa402740a01b7a019091388c1b392
  SHA256: 9e9b5e351532b5894ada203ace2d277420f3c11dda71a54316892115f63df7b3
  SHA512: c68e35a62f551fed7adcd3dcb041a23a43bfb5c217641158f2979c8fe69f736a94dde64186f9a103f987098a164bd34928500d92df63e3fbe1a7317d7a59c3ab
- memory/1360-59-0x000000002FE61000-0x000000002FE64000-memory.dmp
  Filesize: 12KB
- memory/1360-60-0x0000000070E41000-0x0000000070E43000-memory.dmp
  Filesize: 8KB
- memory/1360-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1360-65-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1600-62-0x0000000000000000-mapping.dmp
- memory/1600-63-0x00000000752B1000-0x00000000752B3000-memory.dmp
  Filesize: 8KB