Analysis
- max time kernel: 69s
- max time network: 115s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-05-2021 09:04
Behavioral tasks
- behavioral1: sample a.xls, resource win7v20210408
- behavioral2: sample a.xls, resource win10v20210408
General
- Target: a.xls
- Size: 293KB
- MD5: 389033e6344dfd187f5e11eb84879faf
- SHA1: 49e245741d6f4529e729da82573f950e91716e8e
- SHA256: 28aa0371eff399c03d0ba976b8ecd3eb2c191fccd52775c669e37bdfa5eef0bd
- SHA512: ad8bd29be1b13972db777013e4c5c04be9fd3b66c09efd4a285e83bd6936801258604fcdcd28c3678ff7879f9c7056f28e8136bf037573cad168296821c33695
Malware Config
- Extracted: https://atlantisprojects.ca/cheryasd.dll
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
| description | pid | pid_target | process | target process |
| --- | --- | --- | --- | --- |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1560 | 684 | rundll32.exe | EXCEL.EXE |

Downloads MZ/PE file

Loads dropped DLL (2 IoCs)
Processes:
| pid | process |
| --- | --- |
| 1560 | rundll32.exe |
| 820 | rundll32.exe |

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE |
Modifies Internet Explorer settings
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE |
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
| pid | process |
| --- | --- |
| 684 | EXCEL.EXE |

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
| pid | process |
| --- | --- |
| 684 | EXCEL.EXE |
| 684 | EXCEL.EXE |

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
| pid | process |
| --- | --- |
| 684 | EXCEL.EXE |
| 684 | EXCEL.EXE |
| 684 | EXCEL.EXE |

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
| description | pid | process | target process | occurrences |
| --- | --- | --- | --- | --- |
| PID 684 wrote to memory of 1560 | 684 | EXCEL.EXE | rundll32.exe | 7 |
| PID 1560 wrote to memory of 820 | 1560 | rundll32.exe | rundll32.exe | 4 |
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 684)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a.xls
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1560, child of 684)
      Command line: rundll32 ..\fmfkdnsm.nnd,StartW
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\rundll32.exe (PID 820, child of 1560)
         Command line: rundll32 ..\fmfkdnsm.nnd,StartW
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\fmfkdnsm.nnd
  - MD5: 5f36a28c2dcba68802994d1b4873e41e
  - SHA1: 84ce20644fb36b7059d58125da8c900dbf73ba21
  - SHA256: 42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6
  - SHA512: 3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

- \Users\Admin\fmfkdnsm.nnd
  - MD5: 5f36a28c2dcba68802994d1b4873e41e
  - SHA1: 84ce20644fb36b7059d58125da8c900dbf73ba21
  - SHA256: 42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6
  - SHA512: 3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6
Memory dumps
- memory/684-60-0x000000002F971000-0x000000002F974000-memory.dmp (12KB)
- memory/684-61-0x00000000711F1000-0x00000000711F3000-memory.dmp (8KB)
- memory/684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/820-67-0x0000000000000000-mapping.dmp
- memory/1560-63-0x0000000000000000-mapping.dmp
- memory/1560-64-0x0000000075C71000-0x0000000075C73000-memory.dmp (8KB)