c1f51a7e7f97a6699b8ee63a6de5f87d571ff066411a6f57bc204d62423f46ff

General

Target

c1f51a7e7f97a6699b8ee63a6de5f87d571ff066411a6f57bc204d62423f46ff.xls
Size

109KB
MD5

30755702c496612259b0b5bc51fcbcd8
SHA1

65819404eeacc0b52c256ef6a5b38f6eef5db51d
SHA256

c1f51a7e7f97a6699b8ee63a6de5f87d571ff066411a6f57bc204d62423f46ff
SHA512

632ffc01f0987c5801a8e3dac114fa1431e479d8b8b6d6317970e1d7c6339b32b4bbcac8283b8ab098a207f1bcce0a044bad85dfaac386c37a8c1f1f129e96b1
SSDEEP

3072:u71gxv7yZmspH7+cclKisUI4ukoRWGNtWVbrzQ7sWTkPxbww33XjUJtXwHek0:Q1gxv7yZmspH7+cclKisUI4ukoRWGNW+

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1540	1976	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1520	1976	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1676	1976	cmd.exe	EXCEL.EXE

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

1976 EXCEL.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1976	EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\A20E6000\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1976 EXCEL.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

1976 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1976 EXCEL.EXE
1976 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1976 EXCEL.EXE
1976 EXCEL.EXE
1976 EXCEL.EXE
1976 EXCEL.EXE
1976 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\A20E6000\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
1976	EXCEL.EXE

pid	process
1976	EXCEL.EXE

pid	process
1976	EXCEL.EXE
1976	EXCEL.EXE

pid	process
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1260	1976	EXCEL.EXE	splwow64.exe
PID 1976 wrote to memory of 1260	1976	EXCEL.EXE	splwow64.exe
PID 1976 wrote to memory of 1260	1976	EXCEL.EXE	splwow64.exe
PID 1976 wrote to memory of 1260	1976	EXCEL.EXE	splwow64.exe
PID 1976 wrote to memory of 1540	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1540	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1540	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1540	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1520	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1520	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1520	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1520	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1676	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1676	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1676	1976	EXCEL.EXE	cmd.exe
PID 1976 wrote to memory of 1676	1976	EXCEL.EXE	cmd.exe
PID 1540 wrote to memory of 912	1540	cmd.exe	attrib.exe
PID 1540 wrote to memory of 912	1540	cmd.exe	attrib.exe
PID 1540 wrote to memory of 912	1540	cmd.exe	attrib.exe
PID 1540 wrote to memory of 912	1540	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

912 attrib.exe

pid	process
912	attrib.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c1f51a7e7f97a6699b8ee63a6de5f87d571ff066411a6f57bc204d62423f46ff.xls
1⤵
- Deletes itself
- Enumerates system info in registry
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\attrib.exe
attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
3⤵
- Views/modifies file attributes
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
2⤵
- Process spawned unexpected child process
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
2⤵
- Process spawned unexpected child process
PID:1676

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-224-0x0000000000000000-mapping.dmp

Download
memory/1260-60-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download
memory/1260-59-0x0000000000000000-mapping.dmp

Download
memory/1520-222-0x0000000000000000-mapping.dmp

Download
memory/1540-221-0x0000000000000000-mapping.dmp

Download
memory/1676-223-0x0000000000000000-mapping.dmp

Download
memory/1976-66-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1976-62-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-63-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-64-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-65-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-54-0x000000002F611000-0x000000002F614000-memory.dmp

Filesize
12KB

Download
memory/1976-58-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1976-57-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download
memory/1976-61-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-55-0x0000000071AC1000-0x0000000071AC3000-memory.dmp

Filesize
8KB

Download
memory/1976-225-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download
memory/1976-270-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-271-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-272-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-383-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-384-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download
memory/1976-385-0x000000000058C000-0x0000000000595000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads