64f8921376f7e680cf53e889b99b418b6970a491b32305ce994ef919aef64445

General

Target

CompensationClaim-1190633265-11242020.xls
Size

61KB
MD5

b66c611239f82ee9b04051591ddedcc9
SHA1

57d36b574cd37f069ffa513f533e31e7a12aa79b
SHA256

64f8921376f7e680cf53e889b99b418b6970a491b32305ce994ef919aef64445
SHA512

756cb685765abc96444d6b8f0b1891c25ba54690337066ac8d7bcd65c404ae4cf9b1bef8edc525c2da9674c8893b8a59f34faa8b7900e190541fc757b6e3dd9e

Score

10^/10

cryptone packer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1996	1640	regsvr32.exe	EXCEL.EXE

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\LotWin\LotWin2\Horsew.dll	cryptone
\LotWin\LotWin2\Horsew.dll	cryptone

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1996 regsvr32.exe
1928 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

624 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1996	regsvr32.exe
1928	regsvr32.exe

pid	process
624	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1640 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1996 regsvr32.exe
1996 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1996 regsvr32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1640 EXCEL.EXE
1640 EXCEL.EXE
1640 EXCEL.EXE

pid	process
1640	EXCEL.EXE

pid	process
1996	regsvr32.exe
1996	regsvr32.exe

pid	process
1996	regsvr32.exe

pid	process
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXEregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1640 wrote to memory of 1996	1640	EXCEL.EXE	regsvr32.exe
PID 1996 wrote to memory of 1096	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1096	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1096	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1096	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1096	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1096	1996	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 624	1096	explorer.exe	schtasks.exe
PID 1096 wrote to memory of 624	1096	explorer.exe	schtasks.exe
PID 1096 wrote to memory of 624	1096	explorer.exe	schtasks.exe
PID 1096 wrote to memory of 624	1096	explorer.exe	schtasks.exe
PID 1900 wrote to memory of 936	1900	taskeng.exe	regsvr32.exe
PID 1900 wrote to memory of 936	1900	taskeng.exe	regsvr32.exe
PID 1900 wrote to memory of 936	1900	taskeng.exe	regsvr32.exe
PID 1900 wrote to memory of 936	1900	taskeng.exe	regsvr32.exe
PID 1900 wrote to memory of 936	1900	taskeng.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1928	936	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CompensationClaim-1190633265-11242020.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe -s C:\LotWin\LotWin2\Horsew.dll
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn udpaholxx /tr "regsvr32.exe -s \"C:\LotWin\LotWin2\Horsew.dll\"" /SC ONCE /Z /ST 20:41 /ET 20:53
4⤵
- Creates scheduled task(s)
PID:624

C:\Windows\system32\taskeng.exe
taskeng.exe {B470E606-F539-479A-AC9A-B530D11B2862} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\LotWin\LotWin2\Horsew.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\LotWin\LotWin2\Horsew.dll"
3⤵
- Loads dropped DLL
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LotWin\LotWin2\Horsew.dll
MD5
c1eeb475e0bf6a5c68873befeea19be0

SHA1
6adb663067e8efec6693221a63dbf011988b7d38

SHA256
e77ef249d102b01c3bcaa2fc76d2532636b5139e37717ba931714439a7ba4c47

SHA512
4ab014f165c2d9bcdf3d96ca436521e6a6d2a5eee237ef2a8ec17b4c2205e59ef7bee946caa6cb8d600ba6a0bd56d26a00b5436efc14f7df849fb5d05e7f8cc7

Download Submit
C:\LotWin\LotWin2\Horsew.dll
MD5
20ce0b3701a345cbcfe5b1832f0b857e

SHA1
daf8ff3e0f0645e34c8e5b3c5b91d3e51b1ce098

SHA256
c016a44c17e23114afae688dfeb2f91bba0c965bdffc97c7181a21e38ef848e7

SHA512
48eafd57cf2fb6dd8b602a4252f629de2ecba68afe001da1f4df77f2a95fcfcf94be9af9f22e26c64138854a96432b7722e87cf3583472e84a3a5934a2a72484

Download Submit
\LotWin\LotWin2\Horsew.dll
MD5
c1eeb475e0bf6a5c68873befeea19be0

SHA1
6adb663067e8efec6693221a63dbf011988b7d38

SHA256
e77ef249d102b01c3bcaa2fc76d2532636b5139e37717ba931714439a7ba4c47

SHA512
4ab014f165c2d9bcdf3d96ca436521e6a6d2a5eee237ef2a8ec17b4c2205e59ef7bee946caa6cb8d600ba6a0bd56d26a00b5436efc14f7df849fb5d05e7f8cc7

Download Submit
\LotWin\LotWin2\Horsew.dll
MD5
20ce0b3701a345cbcfe5b1832f0b857e

SHA1
daf8ff3e0f0645e34c8e5b3c5b91d3e51b1ce098

SHA256
c016a44c17e23114afae688dfeb2f91bba0c965bdffc97c7181a21e38ef848e7

SHA512
48eafd57cf2fb6dd8b602a4252f629de2ecba68afe001da1f4df77f2a95fcfcf94be9af9f22e26c64138854a96432b7722e87cf3583472e84a3a5934a2a72484

Download Submit
memory/624-8-0x0000000000000000-mapping.dmp

Download
memory/936-10-0x0000000000000000-mapping.dmp

Download
memory/1096-6-0x0000000000000000-mapping.dmp

Download
memory/1096-4-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/1096-9-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1392-0-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1928-12-0x0000000000000000-mapping.dmp

Download
memory/1996-7-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/1996-5-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/1996-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads