cc52d91938a2d4d9f3db132746cb37e07c69d86fdedd2d049bfbee725e865a61

Analysis

max time kernel
152s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc52d91938a2d4d9f3db132746cb37e07c69d86fdedd2d049bfbee725e865a61.xls
Size

98KB
MD5

1fbcd87ffd5b5a6291f31eee20a218f0
SHA1

b8f8024f5f46914c8341107d60b83ec8922b4a9a
SHA256

cc52d91938a2d4d9f3db132746cb37e07c69d86fdedd2d049bfbee725e865a61
SHA512

2282a1411c12c66c7d64791483bf990d0c0c0415dc6f44579478268cb57f2c13c0635fa0b35f3e593fe55d9cc8c47b55df4e80b0cf698ddf21c951e86d6a8ad2
SSDEEP

1536:P+++1GwTpN1c8r7MwPv+cEVyTKuEMnxoc2CQIgVPfPu5h0fBOY3Gwm2qolmt9I+Q:hPHBOYdX+1c9zl7Las/xd

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1356 EXCEL.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EXCEL.EXE

pid process

1356 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1356 EXCEL.EXE
1356 EXCEL.EXE
1356 EXCEL.EXE
1356 EXCEL.EXE
1356 EXCEL.EXE

pid	process
1356	EXCEL.EXE

pid	process
1356	EXCEL.EXE

pid	process
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1356 wrote to memory of 1524	1356	EXCEL.EXE	splwow64.exe
PID 1356 wrote to memory of 1524	1356	EXCEL.EXE	splwow64.exe
PID 1356 wrote to memory of 1524	1356	EXCEL.EXE	splwow64.exe
PID 1356 wrote to memory of 1524	1356	EXCEL.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cc52d91938a2d4d9f3db132746cb37e07c69d86fdedd2d049bfbee725e865a61.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-54-0x000000002F9E1000-0x000000002F9E4000-memory.dmp

Filesize
12KB

Download
memory/1356-55-0x0000000071331000-0x0000000071333000-memory.dmp

Filesize
8KB

Download
memory/1356-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1356-57-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/1356-58-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1356-61-0x000000006CC61000-0x000000006CC63000-memory.dmp

Filesize
8KB

Download
memory/1356-62-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/1524-59-0x0000000000000000-mapping.dmp

Download
memory/1524-60-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download