5457145d1709f6828a743ebe4ab34c74345647d7caca86d715db1cb52a7c596e

Analysis

max time kernel
1796s
max time network
1814s
platform
windows7_x64
resource
win7-en-20210920
submitted
15/10/2021, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Auszahlungen.xls
Size

108KB
MD5

413bd16983ee371d2955416354a17b2c
SHA1

80109e4a31a19fc5a93f69863354ecb23cea7027
SHA256

5457145d1709f6828a743ebe4ab34c74345647d7caca86d715db1cb52a7c596e
SHA512

1453e62285b816c090a048ed7f166301499aee6a7c62e3644e3483c32db3d8ecea962910b6e309d06dfd291a0b7e5ea3db16d1883130d9411dc264e97a2a138a

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	744	msiexec.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
948	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
948	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	948	EXCEL.EXE
Token: SeIncreaseQuotaPrivilege	948	EXCEL.EXE
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeSecurityPrivilege	744	msiexec.exe
Token: SeCreateTokenPrivilege	948	EXCEL.EXE
Token: SeAssignPrimaryTokenPrivilege	948	EXCEL.EXE
Token: SeLockMemoryPrivilege	948	EXCEL.EXE
Token: SeIncreaseQuotaPrivilege	948	EXCEL.EXE
Token: SeMachineAccountPrivilege	948	EXCEL.EXE
Token: SeTcbPrivilege	948	EXCEL.EXE
Token: SeSecurityPrivilege	948	EXCEL.EXE
Token: SeTakeOwnershipPrivilege	948	EXCEL.EXE
Token: SeLoadDriverPrivilege	948	EXCEL.EXE
Token: SeSystemProfilePrivilege	948	EXCEL.EXE
Token: SeSystemtimePrivilege	948	EXCEL.EXE
Token: SeProfSingleProcessPrivilege	948	EXCEL.EXE
Token: SeIncBasePriorityPrivilege	948	EXCEL.EXE
Token: SeCreatePagefilePrivilege	948	EXCEL.EXE
Token: SeCreatePermanentPrivilege	948	EXCEL.EXE
Token: SeBackupPrivilege	948	EXCEL.EXE
Token: SeRestorePrivilege	948	EXCEL.EXE
Token: SeShutdownPrivilege	948	EXCEL.EXE
Token: SeDebugPrivilege	948	EXCEL.EXE
Token: SeAuditPrivilege	948	EXCEL.EXE
Token: SeSystemEnvironmentPrivilege	948	EXCEL.EXE
Token: SeChangeNotifyPrivilege	948	EXCEL.EXE
Token: SeRemoteShutdownPrivilege	948	EXCEL.EXE
Token: SeUndockPrivilege	948	EXCEL.EXE
Token: SeSyncAgentPrivilege	948	EXCEL.EXE
Token: SeEnableDelegationPrivilege	948	EXCEL.EXE
Token: SeManageVolumePrivilege	948	EXCEL.EXE
Token: SeImpersonatePrivilege	948	EXCEL.EXE
Token: SeCreateGlobalPrivilege	948	EXCEL.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE
948	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Auszahlungen.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-56-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/948-53-0x000000002F8E1000-0x000000002F8E4000-memory.dmp

Filesize
12KB

Download
memory/948-54-0x0000000071A61000-0x0000000071A63000-memory.dmp

Filesize
8KB

Download
memory/948-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download