Analysis
- max time kernel: 134s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-03-2021 08:11
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
- Size: 25KB
- MD5: d68eb2a0c4ef9306e93e7f993544bbfe
- SHA1: a503bfdf64589003faeee0857cb9808fdc659dea
- SHA256: f026659380293aebc45bc97cd4aeee19c96e8ae5b88673283f2ed113bed4110f
- SHA512: 460306fa32c29a3c3e0ff74c33e2399e454668589d7786e28770804d1a11dd787f994829ad7c772ee259219133a362aabcacac67e5936dbc5357864b9cc9c949
Malware Config
Extracted: metasploit
- payload: windows/download_exec
- url: http://resources.healthmade.org:80/thumb/preview.gif
- headers: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Extracted: cobaltstrike
- c2 url: http://resources.healthmade.org:80/__utm.gif
- access_type: 512
- beacon_type: 0
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: resources.healthmade.org,/__utm.gif
- http_header1: (value not preserved in this copy of the report)
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- injection_process: (empty)
- jitter: 7680
- maxdns: 0
- month: 0
- pipe_name: (empty)
- polling_time: 30000
- port_number: 80
- proxy_password: (empty)
- proxy_server: (empty)
- proxy_username: (empty)
- sc_process32: %windir%\syswow64\WerFault.exe
- sc_process64: %windir%\sysnative\WerFault.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpRrJXGxXzjCf2S2A1wbdkekxgKbnifIIayLRat08R6vjjTxcWEeZrDjY0U7bl4LJSGOAZRwV9m/P5VqFGU6N8Zufhz2wCiag/oTNSDQNVJn+ijTEtdfkS0nMXEry5AkH6k7AG8BYszdU4CofCRJdRnh6dixXclrdyCMFL9p04gwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 6.71092736e+08
- unknown2:
AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.9665394e+07
- uri: /___utm.gif
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
Both extracted configurations point at resources.healthmade.org over plain HTTP on port 80 and present the same Internet Explorer 11 User-Agent string. The Beacon checks in every 30000 ms (polling_time), uses /__utm.gif for its GET channel and /___utm.gif (three underscores) for its POST channel, and is configured to spawn WerFault.exe (sc_process32/sc_process64) for post-exploitation jobs.
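The http_header2 value above is the Beacon's http-post client transform block: a sequence of 4-byte big-endian step identifiers, each followed by a 4-byte length-prefixed string argument where the step takes one. The decoder below is an added example written for this page; it is not part of the sandbox report or of any Cobalt Strike tooling. The step numbering is the one the public open-source Beacon config parsers use, and the run of zero padding at the end of the page's value has been trimmed to a single zero terminator (the config stores the block zero-padded to a fixed size). Decoded, the block reads as a constant Content-Type header, an id block that wraps the beacon id as UA-220...-2 in the utmac parameter, five constant utm* parameters, and an output block that prints the data as the body, which together with the /___utm.gif URI is the http-post client section of the publicly available webbug Malleable C2 profile. The render function then applies those steps to constructed sample values (beacon id 12345, a placeholder body) to show the POST a Beacon would emit, which is the wire artifact a network detection should key on.

```python
"""Decode a Beacon HTTP transform block and show the resulting POST on the wire."""
import base64
import struct
from urllib.parse import quote

# Transform step numbering used inside a Beacon config's HTTP transform settings,
# as the public open-source Beacon config parsers interpret it (not on the page).
STEP_NAMES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "_parameter", 10: "_header",
    11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep",
    15: "mask", 16: "_hostheader",
}
ONE_STRING = {1, 2, 5, 6, 9, 10, 16}     # steps with one length-prefixed string
TWO_STRINGS = {14}                        # strrep carries two
BUILD_POST = {0: "id", 1: "output"}       # 'build' targets in an http-post client block

# http_header2 from the report above. The config stores it zero-padded to a fixed
# size; the run of trailing zero bytes is trimmed here and one zero terminator kept.
HTTP_HEADER2_B64 = (
    "AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVh"
    "bQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAA"
    "AAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0"
    "AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAABwAAAAEAAAAE"
    "AAAA"
)


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0], pos + 4


def _string(data, pos):
    n, pos = _u32(data, pos)
    return data[pos:pos + n].decode("latin-1"), pos + n


def decode_transform(b64, build_names=BUILD_POST):
    """Parse one transform blob into a list of (step_name, *args) tuples."""
    data = base64.b64decode(b64)
    steps, pos = [], 0
    while pos + 4 <= len(data):
        step, pos = _u32(data, pos)
        if step == 0:                        # a zero step id ends the list
            break
        name = STEP_NAMES.get(step, "step_%d" % step)
        if step == 7:                        # build: which input the next steps transform
            target, pos = _u32(data, pos)
            steps.append((name, build_names.get(target, str(target))))
        elif step in ONE_STRING:
            s, pos = _string(data, pos)
            steps.append((name, s))
        elif step in TWO_STRINGS:
            a, pos = _string(data, pos)
            b, pos = _string(data, pos)
            steps.append((name, a, b))
        else:
            steps.append((name,))
    return steps


def render_post(steps, host, uri, beacon_id, output):
    """Apply the decoded client steps to sample values and return the request line,
    header list and body a Beacon would send on its http-post channel."""
    params, headers, body, data = [], [], b"", b""
    for name, *args in steps:
        if name == "build":                  # start transforming a new input
            data = beacon_id.encode() if args[0] == "id" else output
        elif name == "prepend":
            data = args[0].encode() + data
        elif name == "append":
            data = data + args[0].encode()
        elif name == "base64":
            data = base64.b64encode(data)
        elif name == "base64url":
            data = base64.urlsafe_b64encode(data).rstrip(b"=")
        elif name in ("netbios", "netbiosu"):   # two letters per byte, nibble-wise
            base = ord("a") if name == "netbios" else ord("A")
            data = bytes(base + n for b in data for n in (b >> 4, b & 0xF))
        elif name == "parameter":            # terminal: data goes into the query string
            params.append("%s=%s" % (args[0], quote(data.decode("latin-1"))))
        elif name == "header":               # terminal: data goes into a header
            headers.append("%s: %s" % (args[0], data.decode("latin-1")))
        elif name == "uri_append":           # terminal: data appended to the URI
            uri += data.decode("latin-1")
        elif name == "print":                # terminal: data becomes the body
            body = data
        elif name == "_parameter":           # constant 'name=value' query parameter
            params.append(args[0])
        elif name in ("_header", "_hostheader"):   # constant 'Name: value' header
            headers.append(args[0])
        else:
            raise NotImplementedError(name)  # strrep/mask not needed for this profile
    request_line = "POST %s?%s HTTP/1.1" % (uri, "&".join(params))
    return request_line, ["Host: " + host] + headers, body


if __name__ == "__main__":
    decoded = decode_transform(HTTP_HEADER2_B64)
    for step in decoded:
        print(" ".join(step))
    line, hdrs, body = render_post(decoded, "resources.healthmade.org", "/___utm.gif",
                                   "12345", b"<encrypted task output>")
    print("\n".join([line] + hdrs + ["", body.decode()]))
```

Run stand-alone it prints the twelve decoded steps and then a request of the form POST /___utm.gif?utmac=UA-22012345-2&utmcn=1&utmcs=ISO-8859-1&utmsr=1280x1024&utmsc=32-bit&utmul=en-US with a Content-Type: application/octet-stream header. The fixed utm* query string and the UA-220 prefix on utmac are the stable parts of this profile and make a better proxy-log signature than the host name, which an operator changes per campaign.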
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process: PID 1716 MSBuild.exe, spawned by PID 296 EXCEL.EXE
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process: EXCEL.EXE)
- Modifies Internet Explorer settings
  Process: EXCEL.EXE. All keys below are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer
  Key created: Toolbar
  Set value (str): Toolbar\ShowDiscussionButton = "Yes"
  Key created: MenuExt
  Key created: MenuExt\E&xport to Microsoft Excel
  Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created: MenuExt\Se&nd to OneNote
  Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
  These are Office 2010's own Internet Explorer context-menu registrations ("Export to Microsoft Excel", "Send to OneNote"), written by Excel on first run, not attacker activity.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 296 EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 296 EXCEL.EXE (3 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 296 EXCEL.EXE wrote to memory of PID 1716 MSBuild.exe (4 times)
  PID 1716 MSBuild.exe wrote to memory of PID 1348 csc.exe (4 times)
  PID 1348 csc.exe wrote to memory of PID 1512 cvtres.exe (4 times)
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (child of 2)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.cmdline"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (child of 3)
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2166.tmp" "c:\Users\Admin\AppData\Local\Temp\52qdswze\CSCCB79ED0A12E84724AF5BFCE83F4E10F3.TMP"
This chain is the MSBuild inline-task pattern. The document, which carries VBA, writes template.xml into the user's Documents folder and launches the Microsoft-signed MSBuild.exe on it; MSBuild hands the C# embedded in the project to csc.exe (response file 52qdswze.cmdline in a random temp directory, output 52qdswze.dll, both listed under Downloads), and csc.exe in turn runs cvtres.exe to build the Win32 resource object. Every process in the chain is a signed .NET build tool, so detection has to rest on the parent-child relationship and on the project path rather than on the binaries themselves.
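Detection logic for the tree above, as an added example that is not part of the sandbox report or its vendor's rules. It runs three process-tree rules over constructed Sysmon-style process-creation events that mirror the report's PIDs, images and command lines, plus one benign developer build as a control: an Office parent with an unexpected child, a build LOLBin given a project file from a user-writable path (or a file that is not a project at all, like template.xml), and a .NET compiler with an Office application anywhere up its ancestry. The Office child baseline, the user-writable path list and the project-file extensions are assumptions to tune per environment.

```python
"""Flag the Office -> MSBuild -> csc -> cvtres chain in process-creation telemetry."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children an Office process spawns in normal use (assumed baseline; tune per estate).
OFFICE_EXPECTED = {"splwow64.exe", "werfault.exe", "dwwin.exe"}
# Signed build tools that compile or run attacker-supplied source from a project file.
BUILD_LOLBINS = {"msbuild.exe", "installutil.exe", "regsvcs.exe", "regasm.exe"}
PROJECT_EXTS = (".csproj", ".vbproj", ".proj", ".sln", ".targets")   # assumed allow-list
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
COMPILERS = {"csc.exe", "vbc.exe"}

NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm"

# Constructed Sysmon-style process-creation events modelled on the tree in the report
# (pids 296 -> 1716 -> 1348 -> 1512) plus one benign developer build as a control.
EVENTS = [
    {"pid": 296, "ppid": 1000, "image": OFFICE + r"\EXCEL.EXE",
     "cmdline": r'"%s\EXCEL.EXE" /dde %s' % (OFFICE, SAMPLE)},
    {"pid": 1716, "ppid": 296, "image": NET + r"\MSBuild.exe",
     "cmdline": r'"%s\MSBuild.exe" C:\Users\Admin\Documents\template.xml' % NET},
    {"pid": 1348, "ppid": 1716, "image": NET + r"\csc.exe",
     "cmdline": r'"%s\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.cmdline"' % NET},
    {"pid": 1512, "ppid": 1348, "image": NET + r"\cvtres.exe",
     "cmdline": r'%s\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86' % NET},
    {"pid": 2000, "ppid": 1500, "image": NET + r"\MSBuild.exe",
     "cmdline": r'"%s\MSBuild.exe" C:\src\app\app.csproj' % NET},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def ancestors(by_pid, pid):
    """Yield the image basenames of parent, grandparent, ... while they are known."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield basename(by_pid[pid]["image"])


def detect(events):
    """Return (rule, pid, detail) findings for the three process-tree rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimage = basename(parent["image"]) if parent else ""
        args = split_cmdline(e["cmdline"])
        # Rule 1: an Office application spawning something outside its normal child set.
        if pimage in OFFICE_APPS and child not in OFFICE_EXPECTED:
            findings.append(("office_unexpected_child", e["pid"], "%s -> %s" % (pimage, child)))
        # Rule 2: a build LOLBin fed a project file from a user-writable path, or a
        # file that is not a project at all (template.xml here).
        if child in BUILD_LOLBINS and len(args) > 1:
            proj = args[1].lower()
            if proj.startswith(USER_WRITABLE) or not proj.endswith(PROJECT_EXTS):
                findings.append(("lolbin_user_writable_project", e["pid"], args[1]))
        # Rule 3: a .NET compiler with an Office application anywhere up the tree,
        # i.e. MSBuild compiling an inline task on behalf of a document.
        if child in COMPILERS and any(a in OFFICE_APPS for a in ancestors(by_pid, e["pid"])):
            chain = " <- ".join([child] + list(ancestors(by_pid, e["pid"])))
            findings.append(("office_compiler_chain", e["pid"], chain))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print("%-30s pid=%-5d %s" % (rule, pid, detail))
```

On the constructed events the report's tree produces three findings (MSBuild under Excel, MSBuild given a .xml from C:\Users, csc.exe with Excel as grandparent) and the control build from C:\src\app produces none. Rule 3 is the one that survives an attacker renaming the project file, because it keys on ancestry rather than on the path.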
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.dll
  MD5: 6599e5e62269b8f8a7f94900d583f135
  SHA1: a110b554f57bc07f6bf680b7011ea7a78ddea628
  SHA256: ecc385f6f9a3954b36b1d57d6c56061d0fb208b472d403e31c246d540c9e7e8b
  SHA512: 6b4834d247b5a54b49b239d55fc26a031bea72e5b0a342d5e6955d4caa8037796fa267c5f8e537dee9d5f2791764bc48a46e4cd63a4d735a1812ffd6ec5dc8de
- C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.pdb
  MD5: f9467e01875ab2b69589f4cbd59062fb
  SHA1: 7e78060718968594d7a415d22b7f1ae04acceea7
  SHA256: 0b00a20b87fc07efb3e073778ddf8da16aac181b1f254ca1c9f84e9593277db9
  SHA512: 15718633bc2d5b13adc9f33148a535e19ee5a941c941fc8a52448342134bd4606c06f186f48e751be1dc3df8bed107da22b1ff52c818a419eb42e58d6f0bd326
- C:\Users\Admin\AppData\Local\Temp\RES2166.tmp
  MD5: 922927a95ed11ae2d8a996c9fa868c5a
  SHA1: 92d186e0edd6afe110fad40c8eb0b3f519c91add
  SHA256: 524606e55ad27e25852cbd780957b9348c1ed66b9102c5057116c258082fe233
  SHA512: 3bde2f67728940f5ec318a65f8afbfb457b081beb0460ca5d266f8cda975cf6e1a92845b61db34593e826088d13db20c48ae4ea55639bfd9025de3f44dd73721
- C:\Users\Admin\Documents\template.xml
  MD5: 798ab3936c2e1043fdb1e22559e20632
  SHA1: 142b7c353881800cb4a415bb0edf33e0bac0e2b5
  SHA256: ddb8cebd9406dcfc78dfa6471f603c3f6518d055983477c955934f38de088242
  SHA512: aac2382181be42edc0397302a2d85c41cb9bddbf6b6a031e3470254f90cfc4173e629a569f696c29f802acb80250b45fa368ee66c567a64c8160b3f85b1d09bc
- \??\c:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.0.cs
  MD5: b8b482aab01645e96a2d4b90b184a117
  SHA1: 17e0651c870e73b2f637efd8a9b5b77f9a8ac657
  SHA256: 588fcb3c48884352073316b139665924bff0f72eb9e0a8b26b664efc78d36a51
  SHA512: 24cc4e0c2b7810e15d9e7e2fb3625b0fe0138b85df4fb276424ca5f184fb1805e9d609815d60a2bb4ca52dbba648cb2635207cfc1be71eb3a6ffd704c9e95d69
- \??\c:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.cmdline
  MD5: f20891ff1bc3bb8c8ecf65ec9aa373ec
  SHA1: 0e72a3d58bcc0cf2a1564fe81f9834f4793321e1
  SHA256: bd0a1831f0b3bf03d7e9cac2e77be8019f14980331010c0d6a4168194d1c4d2c
  SHA512: 3a44ac81185237f45e386526f247f8a8d299459b6a098605162e206f6dedb6cc41f26fc521965ce7105a45ed64e31f1d78922e8128cebe015003f6725ac9ef7b
- \??\c:\Users\Admin\AppData\Local\Temp\52qdswze\CSCCB79ED0A12E84724AF5BFCE83F4E10F3.TMP
  MD5: 5473e1485182f59e1ec30fea5e8ad2da
  SHA1: 79a606bf2b4f92686a72e4806add6668596e9896
  SHA256: ba71a1950abc79fbf05283b92d8ba9140a449043b5bb8e12f0757e41d3913cb2
  SHA512: 863f0c34b02b4bf6c5c78d86339df74917db2685586242119ab9820dd4ab54ea76c35fa68f254b1b5f6eca9508e44493f8d8f13fa31b18ba2526e172e267e066
- memory/284-26-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmp (2.5MB)
- memory/296-2-0x000000002F911000-0x000000002F914000-memory.dmp (12KB)
- memory/296-3-0x0000000071771000-0x0000000071773000-memory.dmp (8KB)
- memory/296-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1348-15-0x0000000000000000-mapping.dmp
- memory/1512-19-0x0000000000000000-mapping.dmp
- memory/1716-11-0x0000000001F90000-0x0000000001F91000-memory.dmp (4KB)
- memory/1716-14-0x0000000005290000-0x0000000005291000-memory.dmp (4KB)
- memory/1716-13-0x0000000005290000-0x0000000005291000-memory.dmp (4KB)
- memory/1716-18-0x0000000004250000-0x0000000004251000-memory.dmp (4KB)
- memory/1716-12-0x0000000000590000-0x0000000000591000-memory.dmp (4KB)
- memory/1716-5-0x0000000000000000-mapping.dmp
- memory/1716-24-0x0000000000590000-0x0000000000592000-memory.dmp (8KB)
- memory/1716-6-0x000000006C4B0000-0x000000006CB9E000-memory.dmp (6.9MB)
- memory/1716-10-0x0000000005290000-0x0000000005291000-memory.dmp (4KB)
- memory/1716-9-0x0000000005030000-0x0000000005031000-memory.dmp (4KB)
- memory/1716-25-0x00000000005B0000-0x00000000005B1000-memory.dmp (4KB)
- memory/1716-7-0x0000000000980000-0x0000000000981000-memory.dmp (4KB)
- memory/1716-27-0x00000000063F0000-0x00000000067F0000-memory.dmp (4.0MB)