Analysis
- max time kernel: 150s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-07-2021 20:46
Static task: static1
Behavioral task: behavioral1
  Sample: c77cd6616dedbf3669345842f7231830.xls
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c77cd6616dedbf3669345842f7231830.xls
  Resource: win10v20210408
General
- Target: c77cd6616dedbf3669345842f7231830.xls
- Size: 661KB
- MD5: c77cd6616dedbf3669345842f7231830
- SHA1: 2a1bd1b6e7048c8e051fcc95707a6f2e6bc61b88
- SHA256: f4643ab52e51d05bce715ec6d0baae09ef15763318928c1ed8d3c24b72df3602
- SHA512: b036233b58e2fa6c5c2732e692340fc89e04614606903cd4aaa5ddd80950d35dc1d570c46a1fb48b4618e05dd3629da5662652743915ed33d60f2d7ae29c0ed5
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: mshta.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2028 | 1676 | mshta.exe | EXCEL.EXE
- Blocklisted process makes network request (5 IoCs)
  Processes: mshta.exe
  flow | pid | process
  3 | 2028 | mshta.exe
  6 | 2028 | mshta.exe
  9 | 2028 | mshta.exe
  11 | 2028 | mshta.exe
  13 | 2028 | mshta.exe
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes: EXCEL.EXE, mshta.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  1676 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1676 | EXCEL.EXE
  1676 | EXCEL.EXE
  1676 | EXCEL.EXE
  1676 | EXCEL.EXE
  1676 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: EXCEL.EXE
  description | pid | process | target process
  PID 1676 wrote to memory of 2028 | 1676 | EXCEL.EXE | mshta.exe
  PID 1676 wrote to memory of 2028 | 1676 | EXCEL.EXE | mshta.exe
  PID 1676 wrote to memory of 2028 | 1676 | EXCEL.EXE | mshta.exe
  PID 1676 wrote to memory of 2028 | 1676 | EXCEL.EXE | mshta.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c77cd6616dedbf3669345842f7231830.xls
  PID: 1676
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (child of EXCEL.EXE)
    Command line: mshta C:\ProgramData//klDYMFormat.sct
    PID: 2028
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bdaa2a11f77d89d3f5e81f9d17fb3b87
- SHA1: 0ae03773f2dfde92f8a58d03226462d178a8c85e
- SHA256: 5f0a0616ea02e338125ad190bdfa6e8fb6f2a8f4f5845252a8b5422bd283cd88
- SHA512: b06f4d5627fa0d27c9e1aaa45597d92edec4e103413dc92719c4162e8de3a06022e471dbd283a6b1e9da466b10315b67c8faf74215d2213d8ae2fa0ae42a53ed