c4b719a9c4be245f031da0e86defe002c8891828cbfe63ed15d3dc75655832b8

General

Target

5ίί.xls
Size

60KB
MD5

fea69535764564efcb07963a420dcb4b
SHA1

eb7762cc19a586e06594aed9804c1af7106d7ecd
SHA256

f3c4ff5ee8123f74d233f068a7186c8a22bcd1cdbe6475654345fc76870bd20f
SHA512

8c2e8f23b17e736ef0553c2590a0954a8fdfde461be107b6d0bf4d33ed72e8c1413d2ad26db320613574142779a8f8a2be24c3231db0974291c3638fb8d3ecaf
SSDEEP

1536:sIIIGxPTr6FaSkLu6pAJqNuYKl6Nc7yRzs1H75wkZUiEfClsQ6NqTBun5oAKG6EI:KKl6Nc7yRzs1H75wkZUgsQ6NqTBun5oE

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1120	1972	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1868	1972	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1292	1972	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	908	1972	explorer.exe	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 18 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1972 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1972 EXCEL.EXE
1972 EXCEL.EXE
1972 EXCEL.EXE

pid	process
1972	EXCEL.EXE

pid	process
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 1120	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1120	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1120	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1120	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1868	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1868	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1868	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1868	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1292	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1292	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1292	1972	EXCEL.EXE	cmd.exe
PID 1972 wrote to memory of 1292	1972	EXCEL.EXE	cmd.exe
PID 1120 wrote to memory of 1580	1120	cmd.exe	attrib.exe
PID 1120 wrote to memory of 1580	1120	cmd.exe	attrib.exe
PID 1120 wrote to memory of 1580	1120	cmd.exe	attrib.exe
PID 1120 wrote to memory of 1580	1120	cmd.exe	attrib.exe
PID 1972 wrote to memory of 908	1972	EXCEL.EXE	explorer.exe
PID 1972 wrote to memory of 908	1972	EXCEL.EXE	explorer.exe
PID 1972 wrote to memory of 908	1972	EXCEL.EXE	explorer.exe
PID 1972 wrote to memory of 908	1972	EXCEL.EXE	explorer.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1580 attrib.exe

pid	process
1580	attrib.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5ίί.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\attrib.exe
attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
3⤵
- Views/modifies file attributes
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
2⤵
- Process spawned unexpected child process
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
2⤵
- Process spawned unexpected child process
PID:1292

C:\Windows\SysWOW64\explorer.exe
explorer tencent://message/?uin=654486740
2⤵
- Process spawned unexpected child process
PID:908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-174-0x0000000000000000-mapping.dmp

Download
memory/1120-156-0x0000000000000000-mapping.dmp

Download
memory/1292-158-0x0000000000000000-mapping.dmp

Download
memory/1580-159-0x0000000000000000-mapping.dmp

Download
memory/1868-157-0x0000000000000000-mapping.dmp

Download
memory/1972-63-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-73-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-61-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-62-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-64-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-71-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-69-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-68-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-67-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-66-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-65-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-54-0x000000002F801000-0x000000002F804000-memory.dmp

Filesize
12KB

Download
memory/1972-70-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-72-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-74-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-59-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-76-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-75-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-77-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-78-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-91-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-104-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-117-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-60-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download
memory/1972-58-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1972-57-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download
memory/1972-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-160-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download
memory/1972-55-0x0000000071AC1000-0x0000000071AC3000-memory.dmp

Filesize
8KB

Download
memory/1972-250-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads