Analysis
max time kernel: 72s
max time network: 166s
platform: windows7_x64
resource: win7v20210408
submitted: 01-06-2021 16:54
Static task: static1
Behavioral task: behavioral1
  Sample: document-37-1849.xls
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: document-37-1849.xls
  Resource: win10v20210410
General
Target: document-37-1849.xls
Size: 187KB
MD5: c41a21a821bcdea1d3ab26ebef055eed
SHA1: 912c8c1792dd33bac263df4b71242078d74741e9
SHA256: d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8
SHA512: ed665e9a7d3e950318628ad4ea112da063e4f156ea7d2d58fbeaa31cc2486c7d2debb779da72723d8f55bdec6b9a4b87f9d148c50b0a368c4bc5b59ac646a42a
Malware Config
Extracted
https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel
Signatures

DoubleBack
DoubleBack is a modular backdoor first seen in December 2020.

DoubleBack x64 Payload 2 IoCs
Processes:
resource | yara_rule
\ycjqFXSM\kO2NIybn\mozsqlite3.dll | family_doubleback_x64
C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll | family_doubleback_x64

DoubleBack x86 Payload 2 IoCs
Processes:
resource | yara_rule
\ycjqFXSM\kO2NIybn\mozsqlite3.dll | family_doubleback_x86
C:\ycjqFXSM\kO2NIybn\mozsqlite3.dll | family_doubleback_x86
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1060 | 1832 | cmd.exe | EXCEL.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
Processes:
pid | process
948 | pDImcT.exe

Loads dropped DLL 2 IoCs
Processes:
pid | process
1832 | EXCEL.EXE
948 | pDImcT.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1832 | EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1832 | EXCEL.EXE
1832 | EXCEL.EXE
1832 | EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1832 wrote to memory of 1060 | 1832 | EXCEL.EXE | cmd.exe
PID 1832 wrote to memory of 1060 | 1832 | EXCEL.EXE | cmd.exe
PID 1832 wrote to memory of 1060 | 1832 | EXCEL.EXE | cmd.exe
PID 1832 wrote to memory of 1060 | 1832 | EXCEL.EXE | cmd.exe
PID 1832 wrote to memory of 948 | 1832 | EXCEL.EXE | pDImcT.exe
PID 1832 wrote to memory of 948 | 1832 | EXCEL.EXE | pDImcT.exe
PID 1832 wrote to memory of 948 | 1832 | EXCEL.EXE | pDImcT.exe
PID 1832 wrote to memory of 948 | 1832 | EXCEL.EXE | pDImcT.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-37-1849.xls
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1832

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe" C:\ycjqFXSM\kO2NIybn\pDImcT.exe
    - Process spawned unexpected child process
    PID: 1060

  C:\ycjqFXSM\kO2NIybn\pDImcT.exe
    Command line: "C:\ycjqFXSM\kO2NIybn\pDImcT.exe" C:\ycjqFXSM\kO2NIybn ALHJ zqtRI
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 948
Network
MITRE ATT&CK Enterprise v6
Downloads