798bf407870be188d2a671f842358287b71cca38f0f80000f35cb996dcbfb48b

General

Target

Calculation-438711349-11202020.xls
Size

62KB
MD5

182d899cffb334cede36bd37a5fc5730
SHA1

9f8745527a3fe95eaa6ce0f37088791c88e4d30f
SHA256

90d873d4a311bcaff6c522cadd137c382aff572144cd2cee4f1873ec851ca8d7
SHA512

aaebd74aafb0f457152fad1e80b2a15fbcdaf85464616e6621dacb039a50b822da7e583492da64aabda1a9cfcedf7450b16a8304862a801f29ca3b6f9bc2e6ee

Score

10^/10

cryptone packer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1460	336	rundll32.exe	EXCEL.EXE

CryptOne packer 5 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone
\AutoCadest\AutoCadest2\Fiksat.dll	cryptone

Loads dropped DLL 5 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1460 rundll32.exe
1460 rundll32.exe
1460 rundll32.exe
1460 rundll32.exe
576 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1264 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1460	rundll32.exe
1460	rundll32.exe
1460	rundll32.exe
1460	rundll32.exe
576	regsvr32.exe

pid	process
1264	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

336 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1460 rundll32.exe
1460 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1460 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

336 EXCEL.EXE
336 EXCEL.EXE
336 EXCEL.EXE

pid	process
336	EXCEL.EXE

pid	process
1460	rundll32.exe
1460	rundll32.exe

pid	process
1460	rundll32.exe

pid	process
336	EXCEL.EXE
336	EXCEL.EXE
336	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 336 wrote to memory of 1460	336	EXCEL.EXE	rundll32.exe
PID 1460 wrote to memory of 928	1460	rundll32.exe	explorer.exe
PID 1460 wrote to memory of 928	1460	rundll32.exe	explorer.exe
PID 1460 wrote to memory of 928	1460	rundll32.exe	explorer.exe
PID 1460 wrote to memory of 928	1460	rundll32.exe	explorer.exe
PID 1460 wrote to memory of 928	1460	rundll32.exe	explorer.exe
PID 1460 wrote to memory of 928	1460	rundll32.exe	explorer.exe
PID 928 wrote to memory of 1264	928	explorer.exe	schtasks.exe
PID 928 wrote to memory of 1264	928	explorer.exe	schtasks.exe
PID 928 wrote to memory of 1264	928	explorer.exe	schtasks.exe
PID 928 wrote to memory of 1264	928	explorer.exe	schtasks.exe
PID 1560 wrote to memory of 1676	1560	taskeng.exe	regsvr32.exe
PID 1560 wrote to memory of 1676	1560	taskeng.exe	regsvr32.exe
PID 1560 wrote to memory of 1676	1560	taskeng.exe	regsvr32.exe
PID 1560 wrote to memory of 1676	1560	taskeng.exe	regsvr32.exe
PID 1560 wrote to memory of 1676	1560	taskeng.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 576	1676	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Calculation-438711349-11202020.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\AutoCadest\AutoCadest2\Fiksat.dll, DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn binszvymkl /tr "regsvr32.exe -s \"C:\AutoCadest\AutoCadest2\Fiksat.dll\"" /SC ONCE /Z /ST 16:01 /ET 16:13
4⤵
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\taskeng.exe
taskeng.exe {CDF8D331-50AF-4E31-B528-5DC875F2DBC2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\AutoCadest\AutoCadest2\Fiksat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\AutoCadest\AutoCadest2\Fiksat.dll"
3⤵
- Loads dropped DLL
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoCadest\AutoCadest2\Fiksat.dll
MD5
a4b16163e91557b97f4c4b3aa5a65370

SHA1
28f85dbb690645b8b5ddb3477284b9d6a634e0ee

SHA256
1f1dcdd297bf791cc6f0e06bd23ce64fd99e78b40f0b5f8f896233fbc41427b0

SHA512
efa5fb2f180c8b7c925bdc63aef5ea3ea10ac0563e8070a510af5579e233cc25aaa164ffd4bcb9908e1f5acd1e85994a4ebd8592058a073b173fee0a097277c3

Download Submit
C:\AutoCadest\AutoCadest2\Fiksat.dll
MD5
d6c770067c83a56c438b156f35be5b12

SHA1
7ec8853fd5189f5f604fcca5898410231d3ba109

SHA256
b98feb7f25738bb91edd7178c1c99ea934e37330e52d4b115bc3cb2faaf117c1

SHA512
a55861175f97fdc3fc72ed723d8ce7f504c88f5320ce8c849e5bd69a7079f7cd3acc9d6ed1c4932bcc887a18287d3be810068a7456f4d2ab9c54dac89b8da916

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
a4b16163e91557b97f4c4b3aa5a65370

SHA1
28f85dbb690645b8b5ddb3477284b9d6a634e0ee

SHA256
1f1dcdd297bf791cc6f0e06bd23ce64fd99e78b40f0b5f8f896233fbc41427b0

SHA512
efa5fb2f180c8b7c925bdc63aef5ea3ea10ac0563e8070a510af5579e233cc25aaa164ffd4bcb9908e1f5acd1e85994a4ebd8592058a073b173fee0a097277c3

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
d6c770067c83a56c438b156f35be5b12

SHA1
7ec8853fd5189f5f604fcca5898410231d3ba109

SHA256
b98feb7f25738bb91edd7178c1c99ea934e37330e52d4b115bc3cb2faaf117c1

SHA512
a55861175f97fdc3fc72ed723d8ce7f504c88f5320ce8c849e5bd69a7079f7cd3acc9d6ed1c4932bcc887a18287d3be810068a7456f4d2ab9c54dac89b8da916

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
d6c770067c83a56c438b156f35be5b12

SHA1
7ec8853fd5189f5f604fcca5898410231d3ba109

SHA256
b98feb7f25738bb91edd7178c1c99ea934e37330e52d4b115bc3cb2faaf117c1

SHA512
a55861175f97fdc3fc72ed723d8ce7f504c88f5320ce8c849e5bd69a7079f7cd3acc9d6ed1c4932bcc887a18287d3be810068a7456f4d2ab9c54dac89b8da916

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
d6c770067c83a56c438b156f35be5b12

SHA1
7ec8853fd5189f5f604fcca5898410231d3ba109

SHA256
b98feb7f25738bb91edd7178c1c99ea934e37330e52d4b115bc3cb2faaf117c1

SHA512
a55861175f97fdc3fc72ed723d8ce7f504c88f5320ce8c849e5bd69a7079f7cd3acc9d6ed1c4932bcc887a18287d3be810068a7456f4d2ab9c54dac89b8da916

Download Submit
\AutoCadest\AutoCadest2\Fiksat.dll
MD5
d6c770067c83a56c438b156f35be5b12

SHA1
7ec8853fd5189f5f604fcca5898410231d3ba109

SHA256
b98feb7f25738bb91edd7178c1c99ea934e37330e52d4b115bc3cb2faaf117c1

SHA512
a55861175f97fdc3fc72ed723d8ce7f504c88f5320ce8c849e5bd69a7079f7cd3acc9d6ed1c4932bcc887a18287d3be810068a7456f4d2ab9c54dac89b8da916

Download Submit
memory/576-15-0x0000000000000000-mapping.dmp

Download
memory/928-7-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/928-9-0x0000000000000000-mapping.dmp

Download
memory/928-12-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1264-11-0x0000000000000000-mapping.dmp

Download
memory/1460-10-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/1460-8-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/1460-1-0x0000000000000000-mapping.dmp

Download
memory/1484-0-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

Filesize
2.5MB

Download
memory/1676-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads