bf3f46097c7766605ef2b6744d7ce077b1bb58cdccc17166e85882fc6403b38b

Analysis

max time kernel
101s
max time network
59s
platform
windows7_x64
resource
win7v20210410
submitted
20-07-2021 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3.xls
Size

712KB
MD5

01db26749ca18d3d1cadcdb367ac18ca
SHA1

6eb78092e667f7375177e5da42bd302a4e00c670
SHA256

8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3
SHA512

f31aecdb134bd0f0177e4466aa3fe540b4518f3e95a6c8e4549d609bf99e13ea7ee051e030664d57a5d0b20ec848407e5dbd58c2a69130d015c8099f248439a4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1744	1932	mshta.exe	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1932 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE

pid	process
1932	EXCEL.EXE

pid	process
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1932 wrote to memory of 1744	1932	EXCEL.EXE	mshta.exe
PID 1932 wrote to memory of 1744	1932	EXCEL.EXE	mshta.exe
PID 1932 wrote to memory of 1744	1932	EXCEL.EXE	mshta.exe
PID 1932 wrote to memory of 1744	1932	EXCEL.EXE	mshta.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\mshta.exe
mshta "C:\ProgramData\qDialogPrint.sct"
2⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qDialogPrint.sct
MD5
452d54472649b3023138ab5fa473958a

SHA1
e0f841e2ba26c252d4c8d6d9c56e0da3cdb25131

SHA256
9467fcd384ca2d5a4726d2fb29e68678c57626fd77391c2e090f0fea3a2ff946

SHA512
6c837738d02b3a99e11214f95aae504b33f658dd85aea4181faf155b52294324474ec52f277ad7614f6c0c911629ee9118d3bb395337816a07e9a1b158240867

Download Submit
memory/1744-62-0x0000000000000000-mapping.dmp

Download
memory/1932-59-0x000000002F1C1000-0x000000002F1C4000-memory.dmp

Filesize
12KB

Download
memory/1932-60-0x0000000070DA1000-0x0000000070DA3000-memory.dmp

Filesize
8KB

Download
memory/1932-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1932-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download