0820a92cf03e8b51b7e802c47e66d58b44d6e3b4f3d2536ec380c7e2f7942c18

General

Target

0820a92cf03e8b51b7e802c47e66d58b44d6e3b4f3d2536ec380c7e2f7942c18.xls
Size

149KB
MD5

aab02933badbcc18e2437eb15d335b0a
SHA1

3ee06bb4f37ac9c8c4da7e79cb9aa6bcf056e339
SHA256

0820a92cf03e8b51b7e802c47e66d58b44d6e3b4f3d2536ec380c7e2f7942c18
SHA512

a53510f14cc033b57873f04a5e403c4529648e0800e142323d8885d63b2fc072e850d84086f3475a2ab96e97312588cd01d7114ed063a48f06ebb56c001a3ee3
SSDEEP

1536:Cvvvb+3TznlEGlGa4M1qaRWizJaF6l2Mrbz4jpLVD2DSCEZjdDEb9iobLP:J4M1qaRWG2Mrbz4jpLICR09iobLP

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3576	4824	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3016	4824	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1280	4824	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3676	4824	explorer.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 20 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEexplorer.exe

pid process

4824 EXCEL.EXE
4504 explorer.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXEexplorer.exe

pid	process
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4824	EXCEL.EXE
4504	explorer.exe
4504	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 4824 wrote to memory of 3576	4824	EXCEL.EXE	cmd.exe
PID 4824 wrote to memory of 3576	4824	EXCEL.EXE	cmd.exe
PID 4824 wrote to memory of 3016	4824	EXCEL.EXE	cmd.exe
PID 4824 wrote to memory of 3016	4824	EXCEL.EXE	cmd.exe
PID 4824 wrote to memory of 1280	4824	EXCEL.EXE	cmd.exe
PID 4824 wrote to memory of 1280	4824	EXCEL.EXE	cmd.exe
PID 4824 wrote to memory of 3676	4824	EXCEL.EXE	explorer.exe
PID 4824 wrote to memory of 3676	4824	EXCEL.EXE	explorer.exe
PID 3576 wrote to memory of 2032	3576	cmd.exe	attrib.exe
PID 3576 wrote to memory of 2032	3576	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2032 attrib.exe

pid	process
2032	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0820a92cf03e8b51b7e802c47e66d58b44d6e3b4f3d2536ec380c7e2f7942c18.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\attrib.exe
attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
3⤵
- Views/modifies file attributes
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
2⤵
- Process spawned unexpected child process
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"
2⤵
- Process spawned unexpected child process
PID:1280

C:\Windows\explorer.exe
explorer tencent://message/?uin=654486740
2⤵
- Process spawned unexpected child process
PID:3676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-141-0x0000000000000000-mapping.dmp

Download
memory/2032-143-0x0000000000000000-mapping.dmp

Download
memory/3016-140-0x0000000000000000-mapping.dmp

Download
memory/3576-139-0x0000000000000000-mapping.dmp

Download
memory/3676-142-0x0000000000000000-mapping.dmp

Download
memory/4824-136-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-138-0x00007FF8A76C0000-0x00007FF8A76D0000-memory.dmp

Filesize
64KB

Download
memory/4824-137-0x00007FF8A76C0000-0x00007FF8A76D0000-memory.dmp

Filesize
64KB

Download
memory/4824-132-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-135-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-134-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-133-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-144-0x000002AD76716000-0x000002AD76718000-memory.dmp

Filesize
8KB

Download
memory/4824-145-0x000002AD76716000-0x000002AD76718000-memory.dmp

Filesize
8KB

Download
memory/4824-147-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-149-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-148-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download
memory/4824-150-0x00007FF8A9F90000-0x00007FF8A9FA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads