plan-515372324.xlsb

General

Target: plan-515372324.xlsb
Filesize: 155KB
Completed: 29-06-2021 22:07
Score: 10/10
MD5: 08e52afbefa423fb9f1ea0af88a4880e
SHA1: 2d688dfee28f75553bc1d3633f891d2e70e0408b
SHA256: aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd

Malware Config

Extracted

Language: xlm4.0

Source | URLs
xlm40.dropper | https://khangland.pro/v8gEDeSB/sun.html
xlm40.dropper | https://jaipurbynite.com/stLdQs9R53/sun.htm

Signatures 7

Discovery
  • Process spawned unexpected child process
    regsvr32.exe, regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3148 | 3236 | regsvr32.exe | EXCEL.EXE
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2192 | 3236 | regsvr32.exe | EXCEL.EXE
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    3236 | EXCEL.EXE
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
    3236 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE

    Reported IOCs

    description | pid | process | target process
    PID 3236 wrote to memory of 3800 | 3236 | EXCEL.EXE | splwow64.exe
    PID 3236 wrote to memory of 3800 | 3236 | EXCEL.EXE | splwow64.exe
    PID 3236 wrote to memory of 3148 | 3236 | EXCEL.EXE | regsvr32.exe
    PID 3236 wrote to memory of 3148 | 3236 | EXCEL.EXE | regsvr32.exe
    PID 3236 wrote to memory of 2192 | 3236 | EXCEL.EXE | regsvr32.exe
    PID 3236 wrote to memory of 2192 | 3236 | EXCEL.EXE | regsvr32.exe
Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\plan-515372324.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:3800
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 ..\palpy1.dll
      Process spawned unexpected child process
      PID:3148
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 ..\palpy2.dll
      Process spawned unexpected child process
      PID:2192
Network