08e48cf8f56bbf002234fe4cccc13c7686c2e90a23c19317a2e6b91664888008

General

Target

08e48cf8f56bbf002234fe4cccc13c7686c2e90a23c19317a2e6b91664888008.xls
Size

109KB
MD5

6614c58611c37db1cf7da600fc1e7dfd
SHA1

327842dc3d7c3de41affa54af96f5b30f08161aa
SHA256

08e48cf8f56bbf002234fe4cccc13c7686c2e90a23c19317a2e6b91664888008
SHA512

271074efef677feac0963214dcabfd6e929509938f04bf6681fcbf330bf677628dfe7d4aaa11001076372a6549d6604f2d058171dfc87e852de86dbfd7ba0089
SSDEEP

1536:xfffC6G+VfJyQksFl6VJOufFtMTmFqmQGHR9EOfWVbT+zxXIzQ7ITkR62lUpkhYE:0RR9tWVbO4zQ7ITk9H2AJtXwN5kxh

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1780	656	cmd.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1012	656	cmd.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1884	656	cmd.exe	27

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
656	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
656	EXCEL.EXE
656	EXCEL.EXE
656	EXCEL.EXE
656	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1780	656	EXCEL.EXE	28
PID 656 wrote to memory of 1780	656	EXCEL.EXE	28
PID 656 wrote to memory of 1780	656	EXCEL.EXE	28
PID 656 wrote to memory of 1780	656	EXCEL.EXE	28
PID 656 wrote to memory of 1012	656	EXCEL.EXE	30
PID 656 wrote to memory of 1012	656	EXCEL.EXE	30
PID 656 wrote to memory of 1012	656	EXCEL.EXE	30
PID 656 wrote to memory of 1012	656	EXCEL.EXE	30
PID 656 wrote to memory of 1884	656	EXCEL.EXE	31
PID 656 wrote to memory of 1884	656	EXCEL.EXE	31
PID 656 wrote to memory of 1884	656	EXCEL.EXE	31
PID 656 wrote to memory of 1884	656	EXCEL.EXE	31
PID 1780 wrote to memory of 1384	1780	cmd.exe	34
PID 1780 wrote to memory of 1384	1780	cmd.exe	34
PID 1780 wrote to memory of 1384	1780	cmd.exe	34
PID 1780 wrote to memory of 1384	1780	cmd.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1384	attrib.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\08e48cf8f56bbf002234fe4cccc13c7686c2e90a23c19317a2e6b91664888008.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-75-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-61-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/656-54-0x000000002FAB1000-0x000000002FAB4000-memory.dmp

Filesize
12KB

Download
memory/656-58-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/656-79-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-62-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-77-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-60-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-63-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-64-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-65-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-66-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-67-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-69-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-70-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-71-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-72-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-73-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-74-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-57-0x0000000071E2D000-0x0000000071E38000-memory.dmp

Filesize
44KB

Download
memory/656-55-0x0000000070E41000-0x0000000070E43000-memory.dmp

Filesize
8KB

Download
memory/656-59-0x0000000071E2D000-0x0000000071E38000-memory.dmp

Filesize
44KB

Download
memory/656-80-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-82-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-83-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-81-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-84-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-86-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-85-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-78-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-76-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-68-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-87-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-88-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-110-0x000000000569C000-0x00000000056FF000-memory.dmp

Filesize
396KB

Download
memory/656-224-0x0000000071E2D000-0x0000000071E38000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads