f4643ab52e51d05bce715ec6d0baae09ef15763318928c1ed8d3c24b72df3602

General

Target

c77cd6616dedbf3669345842f7231830.xls
Size

661KB
MD5

c77cd6616dedbf3669345842f7231830
SHA1

2a1bd1b6e7048c8e051fcc95707a6f2e6bc61b88
SHA256

f4643ab52e51d05bce715ec6d0baae09ef15763318928c1ed8d3c24b72df3602
SHA512

b036233b58e2fa6c5c2732e692340fc89e04614606903cd4aaa5ddd80950d35dc1d570c46a1fb48b4618e05dd3629da5662652743915ed33d60f2d7ae29c0ed5

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2028	1676	mshta.exe	EXCEL.EXE

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

3 2028 mshta.exe
6 2028 mshta.exe
9 2028 mshta.exe
11 2028 mshta.exe
13 2028 mshta.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
3	2028	mshta.exe
6	2028	mshta.exe
9	2028	mshta.exe
11	2028	mshta.exe
13	2028	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1676 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1676 EXCEL.EXE
1676 EXCEL.EXE
1676 EXCEL.EXE
1676 EXCEL.EXE
1676 EXCEL.EXE

pid	process
1676	EXCEL.EXE

pid	process
1676	EXCEL.EXE
1676	EXCEL.EXE
1676	EXCEL.EXE
1676	EXCEL.EXE
1676	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1676 wrote to memory of 2028	1676	EXCEL.EXE	mshta.exe
PID 1676 wrote to memory of 2028	1676	EXCEL.EXE	mshta.exe
PID 1676 wrote to memory of 2028	1676	EXCEL.EXE	mshta.exe
PID 1676 wrote to memory of 2028	1676	EXCEL.EXE	mshta.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c77cd6616dedbf3669345842f7231830.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\mshta.exe
mshta C:\ProgramData//klDYMFormat.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\klDYMFormat.sct
MD5
bdaa2a11f77d89d3f5e81f9d17fb3b87

SHA1
0ae03773f2dfde92f8a58d03226462d178a8c85e

SHA256
5f0a0616ea02e338125ad190bdfa6e8fb6f2a8f4f5845252a8b5422bd283cd88

SHA512
b06f4d5627fa0d27c9e1aaa45597d92edec4e103413dc92719c4162e8de3a06022e471dbd283a6b1e9da466b10315b67c8faf74215d2213d8ae2fa0ae42a53ed

Download Submit
memory/1676-59-0x000000002F751000-0x000000002F754000-memory.dmp

Filesize
12KB

Download
memory/1676-60-0x00000000716F1000-0x00000000716F3000-memory.dmp

Filesize
8KB

Download
memory/1676-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1676-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads