Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-05-2021 12:52
Static task
static1
Behavioral task
behavioral1
Sample
catalog-1911367047.xls
Resource
win7v20210408
Behavioral task
behavioral2
Sample
catalog-1911367047.xls
Resource
win10v20210408
General
-
Target
catalog-1911367047.xls
-
Size
367KB
-
MD5
3f61d6426515d7ac0ba8fdfb90ef78c2
-
SHA1
0c5c7265ad011416289b1d6a95c9581cab58033b
-
SHA256
5a4108e08f3a796a4e622fa488550b79139d45a80a6949449fc516713dbb728d
-
SHA512
b4409c6dde61d8d83803ae023ef8eed2f894ead6b30c54548e6b04b686f5b2e69bf440e4cd199c7eda69d8f324725013eb47387a9756a9f863cce0abbfdeef09
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2272 804 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3168 804 rundll32.exe EXCEL.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 804 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid process 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE 804 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 804 wrote to memory of 2272 804 EXCEL.EXE rundll32.exe PID 804 wrote to memory of 2272 804 EXCEL.EXE rundll32.exe PID 804 wrote to memory of 3168 804 EXCEL.EXE rundll32.exe PID 804 wrote to memory of 3168 804 EXCEL.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\catalog-1911367047.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\tuti.rut,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\tuti.rut1,DllRegisterServer2⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/804-114-0x00007FF6011A0000-0x00007FF604756000-memory.dmpFilesize
53.7MB
-
memory/804-115-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmpFilesize
64KB
-
memory/804-116-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmpFilesize
64KB
-
memory/804-117-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmpFilesize
64KB
-
memory/804-118-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmpFilesize
64KB
-
memory/804-119-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmpFilesize
64KB
-
memory/804-122-0x00007FFB9CFE0000-0x00007FFB9E0CE000-memory.dmpFilesize
16.9MB
-
memory/804-123-0x00007FFB9B0E0000-0x00007FFB9CFD5000-memory.dmpFilesize
31.0MB
-
memory/2272-179-0x0000000000000000-mapping.dmp
-
memory/3168-180-0x0000000000000000-mapping.dmp