Analysis
- max time kernel: 106s
- max time network: 36s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-04-2021 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Heur.10624.9849.xlsm
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Heur.10624.9849.xlsm
- Resource: win10v20210408
General
- Target: SecuriteInfo.com.Heur.10624.9849.xlsm
- Size: 144KB
- MD5: 060d95988fc565133a252aadc91ea24f
- SHA1: 59a2f22c0c6622b2074f2fa59a1136b430aaffb3
- SHA256: b6430f1c70dd393e02aadb47cb51716844f13bc53dc5258887d6c257a01c5563
- SHA512: d178fac514d78d334271fe28ba0c92be8cbfbb4240ce1e725effb0458e28f259e3a2b6983e46f7a17e4fd1a862e9a99e8f1061983057e10dd2dc6f479782155f
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
    pid: 1612 (rundll32.exe); pid_target: 1200 (EXCEL.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
- Modifies Internet Explorer settings
  Processes: EXCEL.EXE
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    HTTP User-Agent header, flow 2: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header, flow 4: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
    pid 1200 EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE
    pid 1200 EXCEL.EXE (3 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: EXCEL.EXE
    PID 1200 wrote to memory of 1612; process: EXCEL.EXE (1200); target process: rundll32.exe (1612) (7 occurrences)
Processes
- 1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.10624.9849.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\rundll32.exe (child of EXCEL.EXE)
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\27894..dll" JsVarAddRef
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\27894..dll
  MD5: df29e144de68ecae1a42a1afcfc67d95
  SHA1: e48581793b86655d6fc4064c24a421d6e23ddcb3
  SHA256: d4b8dc3bf6cebc6063b4eae92130c2f1b6e66b5a241745dc069277b710c6faac
  SHA512: 4e1826f0ecfc05fc549d621e6c9789769f72590ed986dd2bfbccef0f89b2e4ae128134ab6541c7f0e81faecc606b74bdf767d3f682af64ad3a52a67342596897
- memory/1200-60-0x000000002F711000-0x000000002F714000-memory.dmp (Filesize: 12KB)
- memory/1200-61-0x0000000071AD1000-0x0000000071AD3000-memory.dmp (Filesize: 8KB)
- memory/1200-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1200-66-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1612-63-0x0000000000000000-mapping.dmp
- memory/1612-64-0x00000000768B1000-0x00000000768B3000-memory.dmp (Filesize: 8KB)