Analysis
-
max time kernel
148s -
max time network
58s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
28-07-2021 02:26
Static task
static1
Behavioral task
behavioral1
Sample
Invoice_015275.xlsm
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Invoice_015275.xlsm
Resource
win10v20210408
General
-
Target
Invoice_015275.xlsm
-
Size
89KB
-
MD5
998a996a2371923b05250adc50f2c88c
-
SHA1
5dcff5955a7d6f0d5cb09074663feda9e8b6fe83
-
SHA256
c9843b6e4015374ff8049d9f0fed174a1aa690d7da3cb459922eae885006184a
-
SHA512
c627d06392672cb56f0e06f98f00f4918897b083a765da36f6869d466a6eedead1ffcc328965955346667768fdab6aeb8cf166539daf3036a53c5e6c75275259
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1284 1676 mshta.exe EXCEL.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEmshta.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1676 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
EXCEL.EXEpid process 1676 EXCEL.EXE 1676 EXCEL.EXE 1676 EXCEL.EXE 1676 EXCEL.EXE 1676 EXCEL.EXE 1676 EXCEL.EXE 1676 EXCEL.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
EXCEL.EXEmshta.exedescription pid process target process PID 1676 wrote to memory of 1284 1676 EXCEL.EXE mshta.exe PID 1676 wrote to memory of 1284 1676 EXCEL.EXE mshta.exe PID 1676 wrote to memory of 1284 1676 EXCEL.EXE mshta.exe PID 1676 wrote to memory of 1284 1676 EXCEL.EXE mshta.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe PID 1284 wrote to memory of 552 1284 mshta.exe rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_015275.xlsm1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta C:\ProgramData//theDialogOptionsCalculation.sct2⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\ProgramData\qScrollBar.dll,AddLookaside3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\theDialogOptionsCalculation.sctMD5
8206451e9ae57b8d68dfaa221be4ac68
SHA16518d1f303dffc52a9f940b211b7300eb33f0178
SHA256f03e8b823b0ee4420a82ee7e9594cddc3ffb38f04685846498a57808ab167d78
SHA512722e105e5545de54b3db97f9421933674bd20fbadde220fde126e046d0a571ed0db1fbb084cb5f790d9a889dcdfcfbab275bf5be6a5070a95eec935b2900915a
-
memory/552-65-0x0000000000000000-mapping.dmp
-
memory/1284-62-0x0000000000000000-mapping.dmp
-
memory/1284-63-0x00000000767B1000-0x00000000767B3000-memory.dmpFilesize
8KB
-
memory/1676-59-0x000000002FC01000-0x000000002FC04000-memory.dmpFilesize
12KB
-
memory/1676-60-0x0000000071B01000-0x0000000071B03000-memory.dmpFilesize
8KB
-
memory/1676-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB