28aa0371eff399c03d0ba976b8ecd3eb2c191fccd52775c669e37bdfa5eef0bd

General

Target

a.xls
Size

293KB
MD5

389033e6344dfd187f5e11eb84879faf
SHA1

49e245741d6f4529e729da82573f950e91716e8e
SHA256

28aa0371eff399c03d0ba976b8ecd3eb2c191fccd52775c669e37bdfa5eef0bd
SHA512

ad8bd29be1b13972db777013e4c5c04be9fd3b66c09efd4a285e83bd6936801258604fcdcd28c3678ff7879f9c7056f28e8136bf037573cad168296821c33695

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://atlantisprojects.ca/cheryasd.dll

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1560	684	rundll32.exe	EXCEL.EXE

Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1560 rundll32.exe
820 rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1560	rundll32.exe
820	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

684 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

684 EXCEL.EXE
684 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

684 EXCEL.EXE
684 EXCEL.EXE
684 EXCEL.EXE

pid	process
684	EXCEL.EXE

pid	process
684	EXCEL.EXE
684	EXCEL.EXE

pid	process
684	EXCEL.EXE
684	EXCEL.EXE
684	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXErundll32.exe

description	pid	process	target process
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 684 wrote to memory of 1560	684	EXCEL.EXE	rundll32.exe
PID 1560 wrote to memory of 820	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 820	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 820	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 820	1560	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\fmfkdnsm.nnd,StartW
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\rundll32.exe
rundll32 ..\fmfkdnsm.nnd,StartW
3⤵
- Loads dropped DLL
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fmfkdnsm.nnd
MD5
5f36a28c2dcba68802994d1b4873e41e

SHA1
84ce20644fb36b7059d58125da8c900dbf73ba21

SHA256
42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6

SHA512
3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

Download Submit
\Users\Admin\fmfkdnsm.nnd
MD5
5f36a28c2dcba68802994d1b4873e41e

SHA1
84ce20644fb36b7059d58125da8c900dbf73ba21

SHA256
42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6

SHA512
3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

Download Submit
\Users\Admin\fmfkdnsm.nnd
MD5
5f36a28c2dcba68802994d1b4873e41e

SHA1
84ce20644fb36b7059d58125da8c900dbf73ba21

SHA256
42465a486e5d04b9bc0c8ae10c03c6145cf77f7afabd1b2871af7184e29f27a6

SHA512
3dd7582f8600fc35ff0a91e5caceae9d801a2b092e1657bfe56929283cb6b8c1382411223e043e9b7840a74f69f1bd9e04372ae693cf115a70d7c7fe5389dfd6

Download Submit
memory/684-60-0x000000002F971000-0x000000002F974000-memory.dmp

Filesize
12KB

Download
memory/684-61-0x00000000711F1000-0x00000000711F3000-memory.dmp

Filesize
8KB

Download
memory/684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/820-67-0x0000000000000000-mapping.dmp

Download
memory/1560-63-0x0000000000000000-mapping.dmp

Download
memory/1560-64-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads