c1ebcb47bf22a54b52dac5027a1c63a7ff12c4bfeebf0bd88c9e2b545ca47d31

Analysis

max time kernel
128s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/09/2022, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PM Office & All Government Departments - Digital Phone Directory (Official, Pers and Res contact numbers).xlam
Size

11.8MB
MD5

ec47ed99028ea439486fdc5b61f07813
SHA1

a19f5e22f7ee7e5234490d38323563a4765591fb
SHA256

8ef8a57f234afc6fe889e2b2b68214b1c1183125dbc5a8a0f1c0821a2a81deeb
SHA512

4fb71cb849f8998a7670f675ca99d291a3aa922325227e2723b53089dd9f90599d1df1812d2f247573d9a38ef8ed476d7d359c11b0a9e2cb39672fa7090c5753
SSDEEP

196608:dPW8V/bzX1au8eoWkplg4XrI2OTxO594EVvX/ht0uTrJtRBedpk1MXCb2kIsncGT:dO8V/bzD0XnYTSZDtBYm1MXCbiYcG9jt

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1648	2000	WScript.exe	27

Executes dropped EXE 3 IoCs

pid	Process
988	msword.exe
1864	igfxs.exe
1116	rgfx.exe

Loads dropped DLL 6 IoCs

pid	Process
1648	WScript.exe
988	msword.exe
988	msword.exe
988	msword.exe
988	msword.exe
1864	igfxs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	igfxs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgfx = "C:\\Users\\Admin\\AppData\\Roaming\\Office\\update\\Excel\\rgfx.exe"	igfxs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2000	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1864	igfxs.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2000	EXCEL.EXE
2000	EXCEL.EXE
2000	EXCEL.EXE
2000	EXCEL.EXE
2000	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1648	2000	EXCEL.EXE	28
PID 2000 wrote to memory of 1648	2000	EXCEL.EXE	28
PID 2000 wrote to memory of 1648	2000	EXCEL.EXE	28
PID 2000 wrote to memory of 1648	2000	EXCEL.EXE	28
PID 1648 wrote to memory of 988	1648	WScript.exe	29
PID 1648 wrote to memory of 988	1648	WScript.exe	29
PID 1648 wrote to memory of 988	1648	WScript.exe	29
PID 1648 wrote to memory of 988	1648	WScript.exe	29
PID 988 wrote to memory of 1864	988	msword.exe	30
PID 988 wrote to memory of 1864	988	msword.exe	30
PID 988 wrote to memory of 1864	988	msword.exe	30
PID 988 wrote to memory of 1864	988	msword.exe	30
PID 1864 wrote to memory of 1116	1864	igfxs.exe	31
PID 1864 wrote to memory of 1116	1864	igfxs.exe	31
PID 1864 wrote to memory of 1116	1864	igfxs.exe	31
PID 1864 wrote to memory of 1116	1864	igfxs.exe	31

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PM Office & All Government Departments - Digital Phone Directory (Official, Pers and Res contact numbers).xlam"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xps.vbs"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\msword.exe
    "C:\Users\Admin\AppData\Roaming\msword.exe" -p1Abc!@#%^&AlpBrvChrX12Soft%^
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe
      "C:\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Users\Admin\AppData\Roaming\Office\update\Excel\rgfx.exe
        
        C:\Users\Admin\AppData\Roaming\Office\update\Excel\rgfx.exe
        5⤵
        Executes dropped EXE
        
        PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Office\update\Excel\4

Filesize
353KB

MD5
a48ea641503172b26305b3c71963517e

SHA1
0a21c0c6c24b827ba1adb6b8288191651f9a9d5d

SHA256
1d2029be6ad0c453d19a7bb2099fbee2aef13d440bf43d5edd0f67c5598999d2

SHA512
0be350cc933e807b42cd5e80dd3f495d649a62193b20b6ef8d3786d272934e4d9918fbbc3a1bf4e023af09371ed10b15d09f336c65138d6de8d49a5f417522a9

Download Submit
C:\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe

Filesize
386KB

MD5
02ef66d0bc7e9ded40ea1cc1d14c10ae

SHA1
7d036b602ad03166528d6ea4c8878e4abbc7b61c

SHA256
99865b02f6b7afbf2e76525ab5214e6972f6d934b6c75d5e3e5d103dc41a2ef1

SHA512
98e78e2da3e5825f132e375e9cd2809e163e1e9d068fe35baf7ae30242935806f279acd5c437ab7f9d4bfb10bb93dd279e4ebc9aab767588ad16c3b80ae80b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Office\update\Excel\rgfx.exe

Filesize
353KB

MD5
a48ea641503172b26305b3c71963517e

SHA1
0a21c0c6c24b827ba1adb6b8288191651f9a9d5d

SHA256
1d2029be6ad0c453d19a7bb2099fbee2aef13d440bf43d5edd0f67c5598999d2

SHA512
0be350cc933e807b42cd5e80dd3f495d649a62193b20b6ef8d3786d272934e4d9918fbbc3a1bf4e023af09371ed10b15d09f336c65138d6de8d49a5f417522a9

Download Submit
C:\Users\Admin\AppData\Roaming\msword.exe

Filesize
1.9MB

MD5
0c250025237d2e6053ff2640198b4b4f

SHA1
20e1d833cfaa3610464730b35d553a356a55a047

SHA256
497b085a8c34d995444b6be44688dcb0e6d3a682f3bc607b7a002cb54fb45a27

SHA512
ea2a579aec7971ae37b28fce8920d6a6f6a180ca81747794796915b1138a75e57c71383d97d060ae995641a00e7b6b02d7e59c0c3efb847db7d7a1a54730c6cf

Download Submit
C:\Users\Admin\AppData\Roaming\msword.exe

Filesize
1.9MB

MD5
0c250025237d2e6053ff2640198b4b4f

SHA1
20e1d833cfaa3610464730b35d553a356a55a047

SHA256
497b085a8c34d995444b6be44688dcb0e6d3a682f3bc607b7a002cb54fb45a27

SHA512
ea2a579aec7971ae37b28fce8920d6a6f6a180ca81747794796915b1138a75e57c71383d97d060ae995641a00e7b6b02d7e59c0c3efb847db7d7a1a54730c6cf

Download Submit
C:\Users\Admin\AppData\Roaming\xps.vbs

Filesize
504B

MD5
e84c481ac171b2b73ad85cc2eeaaf034

SHA1
b0b53eff19678de3652c3711943e3a97feb65d7a

SHA256
024c9d62d3eaecacc5ec24e16c45b2fe6f800dafa452a30c534768837f4411e5

SHA512
b2930a3997805db1c25efb40ace14374b7c2d5ae398b386cbead839cec1be94b082d688529139f59daf6ea51fcdfb00c6030aab4fe5067891649eed6b344efab

Download Submit
\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe

Filesize
386KB

MD5
02ef66d0bc7e9ded40ea1cc1d14c10ae

SHA1
7d036b602ad03166528d6ea4c8878e4abbc7b61c

SHA256
99865b02f6b7afbf2e76525ab5214e6972f6d934b6c75d5e3e5d103dc41a2ef1

SHA512
98e78e2da3e5825f132e375e9cd2809e163e1e9d068fe35baf7ae30242935806f279acd5c437ab7f9d4bfb10bb93dd279e4ebc9aab767588ad16c3b80ae80b7d

Download Submit
\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe

Filesize
386KB

MD5
02ef66d0bc7e9ded40ea1cc1d14c10ae

SHA1
7d036b602ad03166528d6ea4c8878e4abbc7b61c

SHA256
99865b02f6b7afbf2e76525ab5214e6972f6d934b6c75d5e3e5d103dc41a2ef1

SHA512
98e78e2da3e5825f132e375e9cd2809e163e1e9d068fe35baf7ae30242935806f279acd5c437ab7f9d4bfb10bb93dd279e4ebc9aab767588ad16c3b80ae80b7d

Download Submit
\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe

Filesize
386KB

MD5
02ef66d0bc7e9ded40ea1cc1d14c10ae

SHA1
7d036b602ad03166528d6ea4c8878e4abbc7b61c

SHA256
99865b02f6b7afbf2e76525ab5214e6972f6d934b6c75d5e3e5d103dc41a2ef1

SHA512
98e78e2da3e5825f132e375e9cd2809e163e1e9d068fe35baf7ae30242935806f279acd5c437ab7f9d4bfb10bb93dd279e4ebc9aab767588ad16c3b80ae80b7d

Download Submit
\Users\Admin\AppData\Roaming\Office\update\Excel\igfxs.exe

Filesize
386KB

MD5
02ef66d0bc7e9ded40ea1cc1d14c10ae

SHA1
7d036b602ad03166528d6ea4c8878e4abbc7b61c

SHA256
99865b02f6b7afbf2e76525ab5214e6972f6d934b6c75d5e3e5d103dc41a2ef1

SHA512
98e78e2da3e5825f132e375e9cd2809e163e1e9d068fe35baf7ae30242935806f279acd5c437ab7f9d4bfb10bb93dd279e4ebc9aab767588ad16c3b80ae80b7d

Download Submit
\Users\Admin\AppData\Roaming\Office\update\Excel\rgfx.exe

Filesize
353KB

MD5
a48ea641503172b26305b3c71963517e

SHA1
0a21c0c6c24b827ba1adb6b8288191651f9a9d5d

SHA256
1d2029be6ad0c453d19a7bb2099fbee2aef13d440bf43d5edd0f67c5598999d2

SHA512
0be350cc933e807b42cd5e80dd3f495d649a62193b20b6ef8d3786d272934e4d9918fbbc3a1bf4e023af09371ed10b15d09f336c65138d6de8d49a5f417522a9

Download Submit
\Users\Admin\AppData\Roaming\msword.exe

Filesize
1.9MB

MD5
0c250025237d2e6053ff2640198b4b4f

SHA1
20e1d833cfaa3610464730b35d553a356a55a047

SHA256
497b085a8c34d995444b6be44688dcb0e6d3a682f3bc607b7a002cb54fb45a27

SHA512
ea2a579aec7971ae37b28fce8920d6a6f6a180ca81747794796915b1138a75e57c71383d97d060ae995641a00e7b6b02d7e59c0c3efb847db7d7a1a54730c6cf

Download Submit
memory/1116-354-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1116-353-0x00000000009E0000-0x0000000000A3E000-memory.dmp

Filesize
376KB

Download
memory/2000-348-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2000-54-0x000000002FC11000-0x000000002FC14000-memory.dmp

Filesize
12KB

Download
memory/2000-349-0x000000007235D000-0x0000000072368000-memory.dmp

Filesize
44KB

Download
memory/2000-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2000-204-0x000000007235D000-0x0000000072368000-memory.dmp

Filesize
44KB

Download
memory/2000-55-0x0000000071371000-0x0000000071373000-memory.dmp

Filesize
8KB

Download
memory/2000-57-0x000000007235D000-0x0000000072368000-memory.dmp

Filesize
44KB

Download
memory/2000-58-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download