plan-515372324.xlsb

General

Target: plan-515372324.xlsb
Filesize: 155KB
Completed: 29-06-2021 22:07
Score: 10/10
MD5: 08e52afbefa423fb9f1ea0af88a4880e
SHA1: 2d688dfee28f75553bc1d3633f891d2e70e0408b
SHA256: aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd

Malware Config

Extracted

Language: xlm4.0

Source        | URLs
xlm40.dropper | https://khangland.pro/v8gEDeSB/sun.html
xlm40.dropper | https://jaipurbynite.com/stLdQs9R53/sun.htm

Signatures (6)

Defense Evasion, Discovery
  • Process spawned unexpected child process
    regsvr32.exe, regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 592 | 1840 | regsvr32.exe | EXCEL.EXE
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1284 | 1840 | regsvr32.exe | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1840 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1840 | EXCEL.EXE (9 occurrences)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE

    Reported IOCs

    description | pid | process | target process
    PID 1840 wrote to memory of 1696 | 1840 | EXCEL.EXE | splwow64.exe (4 occurrences)
    PID 1840 wrote to memory of 592 | 1840 | EXCEL.EXE | regsvr32.exe (7 occurrences)
    PID 1840 wrote to memory of 1284 | 1840 | EXCEL.EXE | regsvr32.exe (7 occurrences)
Processes (4)
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\plan-515372324.xlsb
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:1696
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 ..\palpy1.dll
      Process spawned unexpected child process
      PID:592
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 ..\palpy2.dll
      Process spawned unexpected child process
      PID:1284