Analysis
-
max time kernel
141s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 08:15
Behavioral task
behavioral1
Sample
d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027.xls
Resource
win10v2004-20220812-en
General
-
Target
d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027.xls
-
Size
280KB
-
MD5
840be98d178832a8b2f18becc1edb2b7
-
SHA1
4167a8c9cf810ad04881da59462f94893f278bbc
-
SHA256
d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027
-
SHA512
0fb40061e3080913dea6167ce0f7f786cdb6ab5dc571197a1bb05bd14526d8cd0a3aa52143fa3662b45c97222cd1eb5845ca4b2f5d7e889ee4b507f52ff66fa2
-
SSDEEP
6144:CfOMS9QCYkKTCl2AZRcRvvMVwtPYaUIDrIuqQl6A5Xoq5R:CfxtCsWaOytPYZlI6q5
Malware Config
Signatures
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.execmd.execmd.execmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1540 3224 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4100 3224 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3884 3224 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3476 3224 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3764 3224 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2672 3224 cmd.exe EXCEL.EXE -
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource yara_rule \??\c:\norma1.xlm office_macro_on_action -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 1612 attrib.exe 2512 attrib.exe -
Processes:
resource yara_rule \??\c:\norma1.xlm office_xlm_macros -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet.exe = "internet.exe" EXCEL.EXE -
Drops file in System32 directory 1 IoCs
Processes:
EXCEL.EXEdescription ioc process File created C:\Windows\System32\internet.exe EXCEL.EXE -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 3224 EXCEL.EXE 3972 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 25 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3972 WINWORD.EXE 3972 WINWORD.EXE 3972 WINWORD.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE 3224 EXCEL.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
EXCEL.EXEcmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3224 wrote to memory of 1540 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 1540 3224 EXCEL.EXE cmd.exe PID 1540 wrote to memory of 5108 1540 cmd.exe attrib.exe PID 1540 wrote to memory of 5108 1540 cmd.exe attrib.exe PID 3224 wrote to memory of 4100 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 4100 3224 EXCEL.EXE cmd.exe PID 4100 wrote to memory of 3900 4100 cmd.exe attrib.exe PID 4100 wrote to memory of 3900 4100 cmd.exe attrib.exe PID 3224 wrote to memory of 3884 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 3884 3224 EXCEL.EXE cmd.exe PID 3884 wrote to memory of 4052 3884 cmd.exe extrac32.exe PID 3884 wrote to memory of 4052 3884 cmd.exe extrac32.exe PID 3224 wrote to memory of 3476 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 3476 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 3764 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 3764 3224 EXCEL.EXE cmd.exe PID 3764 wrote to memory of 1612 3764 cmd.exe attrib.exe PID 3764 wrote to memory of 1612 3764 cmd.exe attrib.exe PID 3224 wrote to memory of 2672 3224 EXCEL.EXE cmd.exe PID 3224 wrote to memory of 2672 3224 EXCEL.EXE cmd.exe PID 2672 wrote to memory of 2512 2672 cmd.exe attrib.exe PID 2672 wrote to memory of 2512 2672 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 4 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exepid process 2512 attrib.exe 5108 attrib.exe 3900 attrib.exe 1612 attrib.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027.xls"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib -s -h c:\setflag.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\system32\attrib.exeattrib -s -h c:\setflag.exe3⤵
- Views/modifies file attributes
PID:5108 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib -s -h c:\sendto.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\system32\attrib.exeattrib -s -h c:\sendto.exe3⤵
- Views/modifies file attributes
PID:3900 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c extrac32 /E /Y /L c:\ c:\cab.cab2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\system32\extrac32.exeextrac32 /E /Y /L c:\ c:\cab.cab3⤵PID:4052
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c extract /E /Y /L c:\ c:\cab.cab2⤵
- Process spawned unexpected child process
PID:3476 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib +s +h c:\setflag.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\system32\attrib.exeattrib +s +h c:\setflag.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1612 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib +s +h c:\sendto.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\system32\attrib.exeattrib +s +h c:\sendto.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2512
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3972
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\sendto.exeFilesize
20KB
MD556bafcef305ce46d847421edd6eec04b
SHA1e6e31dda260fee10b63c4dd297b433749ea7ac07
SHA2563c6d90fdf13ef66dd36631796cd50db01dfb8e2db5b472c45202513ab816f272
SHA512c78210f40daa6e2827d1280eaca5ae22cf036d20ff802826171cfdaf2b64a011f32c8689eec174d3375e197b240e4c92a2fb466b01c66a96e9276cd1de160e20
-
C:\setflag.exeFilesize
32KB
MD5a4f9be8517afb4c5d9c63960a5faf258
SHA16d3300bfc43b191819f687df91bfbe2c6294d6bb
SHA25678b6db289832df709d17fd5c49359ddfb9cacaa8303cd77290427bac4c829ba2
SHA512c6c918bc91ed645553245cc640ed66882af264035732b8a8c2682f14a9c8f183c38837c1b3e62ca7d16e1560e6bc2a4273b41c9614a046752928c9a0c45ecb2e
-
\??\c:\cab.cabFilesize
70KB
MD55a876443f36ca54efae1c723041435c0
SHA17ebd6188c3df725008209b7d24f914b2b3ce0a6c
SHA25602397a86f99f98f212adee047d25c56fa6644a3cf6058ddb0da0221d708f1ee9
SHA512a065a1ed747b8348c49c909e7186da584a3f01bca4652b154d5f7f88c4de15c5f0c03884db5cf33bca9035944cf5c7bc6983571301dd0fa4d7c298942887a149
-
\??\c:\internet.exeFilesize
24KB
MD5072ca9f791665febeacda1be1e71a124
SHA120d6d75ef7e06c72b43a2e3be81f5ceab11a1a5a
SHA256692bfa3ca595a0ed57dd1d5fa6652332162c90ea0c9b8c9b32ddbebbec063f3d
SHA5123cd1c0727085dcc054b1c9111c934fef3473d57a91e1e247418a220e35c59e495282740621d6c9c01c86a39ad4e5c79d7d95dbd289e25f044cfad1f616d52290
-
\??\c:\norma1.xlmFilesize
68KB
MD53f08a7010fe4ea32b210b7919448ada6
SHA1c7bc3bb8f78ef217b83c593542b5c4cf602746a2
SHA256506260a97f723ce79e3243b651dc8af1c3fcdbf72431be60b1a0afbab8d2dce9
SHA512be8ac3dcb6574e6876c2f8d2e40c1c6ad75ca611275ccc73c7283f6b17f3956c16c14d9dfa10e36576011baa691378a8ce6115e380b821a2d6f549ea46567b4c
-
\??\c:\normal.dotFilesize
103KB
MD526ab77fe4d542805e0afdc9d0efc92c2
SHA1332dc776b13e8f04809a312183ef9532ea2b18d3
SHA2561cb2d969e56664ddc1f496c63e424cbe1ce2f560f8350f4ffa451f0fc03006d9
SHA512ef439dbbe390eb175bd9970d76827a6b506b88a4db7cda233d8b6591b22e3c7a454cbb8111ca78dbbd6b195c91aa89c7d0c9df952052d3471eb07ac80f98b89a
-
memory/1540-139-0x0000000000000000-mapping.dmp
-
memory/1612-158-0x0000000000000000-mapping.dmp
-
memory/2512-162-0x0000000000000000-mapping.dmp
-
memory/2672-161-0x0000000000000000-mapping.dmp
-
memory/3224-138-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmpFilesize
64KB
-
memory/3224-136-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3224-133-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3224-134-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3224-132-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3224-137-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmpFilesize
64KB
-
memory/3224-135-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3476-146-0x0000000000000000-mapping.dmp
-
memory/3764-157-0x0000000000000000-mapping.dmp
-
memory/3884-143-0x0000000000000000-mapping.dmp
-
memory/3900-142-0x0000000000000000-mapping.dmp
-
memory/3972-153-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmpFilesize
64KB
-
memory/3972-154-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmpFilesize
64KB
-
memory/3972-164-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3972-165-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3972-166-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/3972-167-0x00007FF862050000-0x00007FF862060000-memory.dmpFilesize
64KB
-
memory/4052-144-0x0000000000000000-mapping.dmp
-
memory/4100-141-0x0000000000000000-mapping.dmp
-
memory/5108-140-0x0000000000000000-mapping.dmp