Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 11:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO 17774.xls
- Resource: win7v200722
General
- Target: PO 17774.xls
- Size: 183KB
- MD5: 7689c98d5db51db149591210ad24c4ff
- SHA1: 4419b76003f333925f4cf84b5e679ff64d7d6d08
- SHA256: 6031b6aeab0b8c5111938e3c0819e717858aa3586bcdacea994d980ac36c5368
- SHA512: e6eab1c3b21e3f4fd76cebd9bc849ed07eec2c26bc4df5605a3628702abc8d3b099589acaf89cc8334448bcbc25ddc3810d8ea2d0f18009e343dbc8c1124db5b
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:

| pid | process | occurrences |
|---|---|---|
| 3188 | svchost32.exe | 2 |
| 664 | svchost32.exe | 4 |
| 3188 | msdt.exe | 52 |
| 2788 | Cookiesyz3du.exe | 2 |
| 708 | Cookiesyz3du.exe | 2 |

-
Suspicious use of SendNotifyMessage (1 IoCs)
Processes:

| pid | process |
|---|---|
| 2984 | Explorer.EXE |

-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:

| pid | process | occurrences |
|---|---|---|
| 716 | EXCEL.EXE | 12 |

-
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:

| pid | process |
|---|---|
| 716 | EXCEL.EXE |

-
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:

| pid | process | occurrences |
|---|---|---|
| 716 | EXCEL.EXE | 2 |
| 2984 | Explorer.EXE | 1 |

-
Suspicious use of SetThreadContext (4 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 3188 set thread context of 664 | 3188 | svchost32.exe | svchost32.exe |
| PID 664 set thread context of 2984 | 664 | svchost32.exe | Explorer.EXE |
| PID 3188 set thread context of 2984 | 3188 | msdt.exe | Explorer.EXE |
| PID 2788 set thread context of 708 | 2788 | Cookiesyz3du.exe | Cookiesyz3du.exe |

-
Formbook Payload (5 IoCs)
Processes:

| resource | yara_rule |
|---|---|
| behavioral2/memory/664-8-0x0000000000400000-0x0000000000427000-memory.dmp | formbook |
| behavioral2/memory/664-8-0x0000000000400000-0x0000000000427000-memory.dmp | formbook |
| behavioral2/memory/664-9-0x000000000041C220-mapping.dmp | formbook |
| behavioral2/memory/3188-11-0x0000000000000000-mapping.dmp | formbook |
| behavioral2/memory/708-27-0x000000000041C220-mapping.dmp | formbook |

-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |

-
Modifies Internet Explorer settings
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msdt.exe |

-
Suspicious use of WriteProcessMemory (24 IoCs; each write is recorded three times)
Processes:

| description | pid | process | target process | occurrences |
|---|---|---|---|---|
| PID 716 wrote to memory of 3188 | 716 | EXCEL.EXE | svchost32.exe | 3 |
| PID 3188 wrote to memory of 664 | 3188 | svchost32.exe | svchost32.exe | 3 |
| PID 2984 wrote to memory of 3188 | 2984 | Explorer.EXE | msdt.exe | 3 |
| PID 3188 wrote to memory of 644 | 3188 | msdt.exe | cmd.exe | 3 |
| PID 3188 wrote to memory of 1844 | 3188 | msdt.exe | cmd.exe | 3 |
| PID 3188 wrote to memory of 2076 | 3188 | msdt.exe | Firefox.exe | 3 |
| PID 2984 wrote to memory of 2788 | 2984 | Explorer.EXE | Cookiesyz3du.exe | 3 |
| PID 2788 wrote to memory of 708 | 2788 | Cookiesyz3du.exe | Cookiesyz3du.exe | 3 |

-
Executes dropped EXE (4 IoCs)
Processes:

| pid | process |
|---|---|
| 3188 | svchost32.exe |
| 664 | svchost32.exe |
| 2788 | Cookiesyz3du.exe |
| 708 | Cookiesyz3du.exe |

-
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes:

| description | pid | process | occurrences |
|---|---|---|---|
| Token: SeDebugPrivilege | 664 | svchost32.exe | 1 |
| Token: SeShutdownPrivilege | 2984 | Explorer.EXE | 4 |
| Token: SeCreatePagefilePrivilege | 2984 | Explorer.EXE | 4 |
| Token: SeDebugPrivilege | 3188 | msdt.exe | 1 |
| Token: SeDebugPrivilege | 708 | Cookiesyz3du.exe | 1 |

-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |

-
Suspicious behavior: MapViewOfSection (9 IoCs)
Processes:

| pid | process | occurrences |
|---|---|---|
| 3188 | svchost32.exe | 1 |
| 664 | svchost32.exe | 3 |
| 3188 | msdt.exe | 4 |
| 2788 | Cookiesyz3du.exe | 1 |

-
Drops file in Program Files directory (4 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe | msdt.exe |
| File opened for modification | C:\Program Files (x86)\Anfd0 | Explorer.EXE |
| File created | C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe | Explorer.EXE |
| File opened for modification | C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe | Explorer.EXE |

-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | msdt.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TXSPDXMXCNY = "C:\\Program Files (x86)\\Anfd0\\Cookiesyz3du.exe" | msdt.exe |
Processes (process tree; nesting level in brackets)

- [1] C:\Windows\Explorer.EXE
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Program Files directory
  - [2] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO 17774.xls"
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    - Checks processor information in registry
    - [3] C:\Users\Public\svchost32.exe
      Command line: "C:\Users\Public\svchost32.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - [4] C:\Users\Public\svchost32.exe
        Command line: "C:\Users\Public\svchost32.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetThreadContext
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: MapViewOfSection
  - [2] C:\Windows\SysWOW64\autofmt.exe (7 instances, no signatures)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - [2] C:\Windows\SysWOW64\autochk.exe (7 instances, no signatures)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - [2] C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Drops file in Program Files directory
    - Adds Run key to start application
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\svchost32.exe"
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  - [2] C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe
    Command line: "C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - [3] C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe
      Command line: "C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads

Dropped files:
- C:\Program Files (x86)\Anfd0\Cookiesyz3du.exe
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Public\svchost32.exe

Memory dumps (name encodes pid, index and address range; size given where reported):

| pid | dump | size |
|---|---|---|
| 644 | memory/644-14-0x0000000000000000-mapping.dmp | |
| 664 | memory/664-9-0x000000000041C220-mapping.dmp | |
| 664 | memory/664-8-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB |
| 708 | memory/708-27-0x000000000041C220-mapping.dmp | |
| 716 | memory/716-0-0x00000126E0DFB000-0x00000126E0E00000-memory.dmp | 20KB |
| 716 | memory/716-1-0x00000126E0DFB000-0x00000126E0E00000-memory.dmp | 20KB |
| 716 | memory/716-2-0x00000126E0DFB000-0x00000126E0E00000-memory.dmp | 20KB |
| 716 | memory/716-3-0x00000126E0E00000-0x00000126E0E05000-memory.dmp | 20KB |
| 716 | memory/716-4-0x00000126E0DFB000-0x00000126E0E00000-memory.dmp | 20KB |
| 1844 | memory/1844-16-0x0000000000000000-mapping.dmp | |
| 2076 | memory/2076-19-0x0000000000000000-mapping.dmp | |
| 2076 | memory/2076-20-0x00007FF66CCD0000-0x00007FF66CD63000-memory.dmp | 588KB |
| 2076 | memory/2076-21-0x00007FF66CCD0000-0x00007FF66CD63000-memory.dmp | 588KB |
| 2076 | memory/2076-22-0x00007FF66CCD0000-0x00007FF66CD63000-memory.dmp | 588KB |
| 2788 | memory/2788-23-0x0000000000000000-mapping.dmp | |
| 3188 | memory/3188-5-0x0000000000000000-mapping.dmp | |
| 3188 | memory/3188-11-0x0000000000000000-mapping.dmp | |
| 3188 | memory/3188-12-0x00000000000A0000-0x0000000000213000-memory.dmp | 1.4MB |
| 3188 | memory/3188-13-0x00000000000A0000-0x0000000000213000-memory.dmp | 1.4MB |
| 3188 | memory/3188-15-0x0000000005A20000-0x0000000005B52000-memory.dmp | 1.2MB |
| 3188 | memory/3188-18-0x00000000032A0000-0x00000000033A2000-memory.dmp | 1.0MB |