3a8ac2f64fd8b15e4f88db0c54add4fd61e5c17dd5515ada898006169e2f99f2

General

Target

Calculation-1421113288-11202020.xls
Size

61KB
MD5

026e352321bacf5fb2cc6eb4002b26ae
SHA1

a27c9d892aeccb3759fbf71d21404befabbdd431
SHA256

3a8ac2f64fd8b15e4f88db0c54add4fd61e5c17dd5515ada898006169e2f99f2
SHA512

c488011641eeea64e4aa2458631b85ff7a855b89f34153f3f827d249d3022ac198d2a2a295bc210693777acd58349a77c0fe5483e9cd167d7de637c2c8dfd8fc

Score

10^/10

cryptone packer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1016	1880	rundll32.exe	EXCEL.EXE

CryptOne packer 5 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone

Loads dropped DLL 5 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1016 rundll32.exe
1016 rundll32.exe
1016 rundll32.exe
1016 rundll32.exe
1604 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1148 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1604	regsvr32.exe

pid	process
1148	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1880 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1016 rundll32.exe
1016 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1016 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE

pid	process
1880	EXCEL.EXE

pid	process
1016	rundll32.exe
1016	rundll32.exe

pid	process
1016	rundll32.exe

pid	process
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1880 wrote to memory of 1016	1880	EXCEL.EXE	rundll32.exe
PID 1016 wrote to memory of 1912	1016	rundll32.exe	explorer.exe
PID 1016 wrote to memory of 1912	1016	rundll32.exe	explorer.exe
PID 1016 wrote to memory of 1912	1016	rundll32.exe	explorer.exe
PID 1016 wrote to memory of 1912	1016	rundll32.exe	explorer.exe
PID 1016 wrote to memory of 1912	1016	rundll32.exe	explorer.exe
PID 1016 wrote to memory of 1912	1016	rundll32.exe	explorer.exe
PID 1912 wrote to memory of 1148	1912	explorer.exe	schtasks.exe
PID 1912 wrote to memory of 1148	1912	explorer.exe	schtasks.exe
PID 1912 wrote to memory of 1148	1912	explorer.exe	schtasks.exe
PID 1912 wrote to memory of 1148	1912	explorer.exe	schtasks.exe
PID 1028 wrote to memory of 1616	1028	taskeng.exe	regsvr32.exe
PID 1028 wrote to memory of 1616	1028	taskeng.exe	regsvr32.exe
PID 1028 wrote to memory of 1616	1028	taskeng.exe	regsvr32.exe
PID 1028 wrote to memory of 1616	1028	taskeng.exe	regsvr32.exe
PID 1028 wrote to memory of 1616	1028	taskeng.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1604	1616	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Calculation-1421113288-11202020.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rklaovuj /tr "regsvr32.exe -s \"C:\AutoCadest\AutoCadest2\Fiksat.dll\"" /SC ONCE /Z /ST 20:34 /ET 20:46
4⤵
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\taskeng.exe
taskeng.exe {5DA828A4-F8F3-49D8-8B25-77CD61B8436C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\AutoCadest\AutoCadest2\Fiksat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\AutoCadest\AutoCadest2\Fiksat.dll"
3⤵
- Loads dropped DLL
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoCadest\AutoCadest2\Fiksat.dll
MD5
6319f63c5db04ad54979b19df449f703

SHA1
3681b2bfae515ea1d6b9724d4e8ba14dfd53c95e

SHA256
6eb8888a3edd79b8c6e98d15868d10acdc736dd220441cefe2436bddb0b24ac4

SHA512
75398a91f8a9a44cc432f306259738c58ffd999473d354c3d07689a110c02449cd8d9561f7745a830eaecc4bef284c74727fdd02b418f3493ed169abfce885f5

Download Submit
C:\AutoCadest\AutoCadest2\Fiksat.dll
MD5
0bf8973bea6d4e7a739fdb548d4a8a8a

SHA1
83e295a8e10b22ffae875ddd5fe1996544ca422a

SHA256
13692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827

SHA512
7ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
6319f63c5db04ad54979b19df449f703

SHA1
3681b2bfae515ea1d6b9724d4e8ba14dfd53c95e

SHA256
6eb8888a3edd79b8c6e98d15868d10acdc736dd220441cefe2436bddb0b24ac4

SHA512
75398a91f8a9a44cc432f306259738c58ffd999473d354c3d07689a110c02449cd8d9561f7745a830eaecc4bef284c74727fdd02b418f3493ed169abfce885f5

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
0bf8973bea6d4e7a739fdb548d4a8a8a

SHA1
83e295a8e10b22ffae875ddd5fe1996544ca422a

SHA256
13692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827

SHA512
7ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
0bf8973bea6d4e7a739fdb548d4a8a8a

SHA1
83e295a8e10b22ffae875ddd5fe1996544ca422a

SHA256
13692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827

SHA512
7ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
0bf8973bea6d4e7a739fdb548d4a8a8a

SHA1
83e295a8e10b22ffae875ddd5fe1996544ca422a

SHA256
13692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827

SHA512
7ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
0bf8973bea6d4e7a739fdb548d4a8a8a

SHA1
83e295a8e10b22ffae875ddd5fe1996544ca422a

SHA256
13692b68a7fb451a5016d7ba8ed0bdf82c8fd074de9bafedf6e9252e4e75f827

SHA512
7ce2232240b2959e037a6dff0d847b92c7c39acb726e0ab29237bd37ce4ce0dddd45d8ab71c8aa9265ccc73bd252a00c758b87ad886a0d4812fa216d56d02dba

Download Submit
memory/1016-8-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1016-10-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/1016-1-0x0000000000000000-mapping.dmp

Download
memory/1148-11-0x0000000000000000-mapping.dmp

Download
memory/1604-15-0x0000000000000000-mapping.dmp

Download
memory/1616-13-0x0000000000000000-mapping.dmp

Download
memory/1912-9-0x0000000000000000-mapping.dmp

Download
memory/1912-12-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1912-7-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/2008-0-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads