Analysis
- max time kernel: 142s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-03-2021 08:11

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
- Size: 25KB
- MD5: d68eb2a0c4ef9306e93e7f993544bbfe
- SHA1: a503bfdf64589003faeee0857cb9808fdc659dea
- SHA256: f026659380293aebc45bc97cd4aeee19c96e8ae5b88673283f2ed113bed4110f
- SHA512: 460306fa32c29a3c3e0ff74c33e2399e454668589d7786e28770804d1a11dd787f994829ad7c772ee259219133a362aabcacac67e5936dbc5357864b9cc9c949
Malware Config
Extracted: metasploit
- windows/download_exec
- http://resources.healthmade.org:80/thumb/preview.gif
- headers: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Extracted: cobaltstrike
- http://resources.healthmade.org:80/__utm.gif
- access_type: 512
- beacon_type: 0
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: resources.healthmade.org,/__utm.gif
- http_header1
- http_header2
- http_method1: GET
- http_method2: POST
- injection_process
- jitter: 7680
- maxdns: 0
- month: 0
- pipe_name
- polling_time: 30000
- port_number: 80
- proxy_password
- proxy_server
- proxy_username
- sc_process32: %windir%\syswow64\WerFault.exe
- sc_process64: %windir%\sysnative\WerFault.exe
- state_machine
- unknown1: 6.71092736e+08
- unknown2
- unknown3: 0
- unknown4: 0
- unknown5: 2.9665394e+07
- uri: /___utm.gif
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - MSBuild.exe (PID 2672), spawned by EXCEL.EXE (PID 3996): Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - EXCEL.EXE (PID 3996)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
  - EXCEL.EXE (PID 3996), 12 events
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - EXCEL.EXE (PID 3996) wrote to memory of MSBuild.exe (PID 2672), 3 events
  - MSBuild.exe (PID 2672) wrote to memory of csc.exe (PID 1784), 3 events
  - csc.exe (PID 1784) wrote to memory of cvtres.exe (PID 2604), 3 events
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3996, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2672, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1784, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2604, depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF0.tmp" "c:\Users\Admin\AppData\Local\Temp\d4yulwqk\CSCE949B34C95B04726B1A18783527FFC3.TMP"
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7DF0.tmp
- C:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.dll
- C:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.pdb
- C:\Users\Admin\Documents\template.xml
- \??\c:\Users\Admin\AppData\Local\Temp\d4yulwqk\CSCE949B34C95B04726B1A18783527FFC3.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.cmdline
- memory/1784-22-0x0000000000000000-mapping.dmp
- memory/2604-25-0x0000000000000000-mapping.dmp
- memory/2672-9-0x0000000000EF0000-0x0000000000EF1000-memory.dmp (4KB)
- memory/2672-21-0x00000000069D0000-0x00000000069D1000-memory.dmp (4KB)
- memory/2672-13-0x00000000057D0000-0x00000000057D1000-memory.dmp (4KB)
- memory/2672-11-0x0000000005940000-0x0000000005941000-memory.dmp (4KB)
- memory/2672-15-0x0000000006400000-0x0000000006401000-memory.dmp (4KB)
- memory/2672-17-0x0000000006330000-0x0000000006331000-memory.dmp (4KB)
- memory/2672-20-0x0000000006660000-0x0000000006661000-memory.dmp (4KB)
- memory/2672-30-0x0000000005EA0000-0x0000000005EA2000-memory.dmp (8KB)
- memory/2672-10-0x0000000005680000-0x0000000005681000-memory.dmp (4KB)
- memory/2672-12-0x00000000057A0000-0x00000000057A1000-memory.dmp (4KB)
- memory/2672-8-0x00000000739C0000-0x00000000740AE000-memory.dmp (6.9MB)
- memory/2672-7-0x0000000000000000-mapping.dmp
- memory/2672-32-0x0000000006960000-0x0000000006D60000-memory.dmp (4.0MB)
- memory/2672-31-0x0000000005EB0000-0x0000000005EB1000-memory.dmp (4KB)
- memory/3996-2-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp (64KB)
- memory/3996-3-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp (64KB)
- memory/3996-4-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp (64KB)
- memory/3996-5-0x00007FFC33A00000-0x00007FFC34037000-memory.dmp (6.2MB)
- memory/3996-6-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp (64KB)