8d6eb0ea0a37d5573bd7a306d12837a74dd2e68a597b42516784b3f2d23743e4

General

Target

Purchase Order-1245102021.xls
Size

60KB
MD5

c7bad1cde5a30aa2b665c62a1ebe3548
SHA1

e4cb443f698d32c572274f379e52e2c8e6296846
SHA256

8d6eb0ea0a37d5573bd7a306d12837a74dd2e68a597b42516784b3f2d23743e4
SHA512

1b083b95391f77b04c9f991a69d22d2f8ff74b227f85891723384090ad90a22dd357d1b8ebf3820a0c15afba216468ea3774e574c7352404d99772bb8c20172a

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1116 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

1116 EXCEL.EXE
1116 EXCEL.EXE
1116 EXCEL.EXE
1116 EXCEL.EXE
1116 EXCEL.EXE
1116 EXCEL.EXE

pid	process
1116	EXCEL.EXE

pid	process
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1116 wrote to memory of 1700	1116	EXCEL.EXE	splwow64.exe
PID 1116 wrote to memory of 1700	1116	EXCEL.EXE	splwow64.exe
PID 1116 wrote to memory of 1700	1116	EXCEL.EXE	splwow64.exe
PID 1116 wrote to memory of 1700	1116	EXCEL.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order-1245102021.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-59-0x000000002FB01000-0x000000002FB04000-memory.dmp

Filesize
12KB

Download
memory/1116-60-0x0000000071B01000-0x0000000071B03000-memory.dmp

Filesize
8KB

Download
memory/1116-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1700-62-0x0000000000000000-mapping.dmp

Download
memory/1700-63-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing