Analysis
- max time kernel: 92s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-03-2021 04:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: cs_obfuscated_vba.xlsm
- Resource: win10v20201028
General
- Target: cs_obfuscated_vba.xlsm
- Size: 21KB
- MD5: e4b23adf2b3e3edfe8a979ee5d49be20
- SHA1: b12f90b483e2f5053ecd5fb8ea2bc5ddf4d3ae11
- SHA256: f8bdea32972751166ba44ca7cc6d89851912d34422e770abb525d55dfac9077e
- SHA512: ddb2287198d7e82369a03fc742e1ea040f74dd83f5162db00f0a37234ee58cbab321f859b722aefe0dd8e4df99df5179d63022e04ae9cc2b4852c4fb24c65b43
Malware Config
Extracted: metasploit
- windows/download_exec
- http://resources.healthmade.org:80/thumb/preview.gif
- headers: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Extracted: cobaltstrike
- http://resources.healthmade.org:80/__utm.gif
- access_type: 512
- beacon_type: 0
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: resources.healthmade.org,/__utm.gif
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- injection_process:
- jitter: 7680
- maxdns: 0
- month: 0
- pipe_name:
- polling_time: 30000
- port_number: 80
- proxy_password:
- proxy_server:
- proxy_username:
- sc_process32: %windir%\syswow64\WerFault.exe
- sc_process64: %windir%\sysnative\WerFault.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpRrJXGxXzjCf2S2A1wbdkekxgKbnifIIayLRat08R6vjjTxcWEeZrDjY0U7bl4LJSGOAZRwV9m/P5VqFGU6N8Zufhz2wCiag/oTNSDQNVJn+ijTEtdfkS0nMXEry5AkH6k7AG8BYszdU4CofCRJdRnh6dixXclrdyCMFL9p04gwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 6.71092736e+08
- unknown2:
AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.9665394e+07
- uri: /___utm.gif
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4432 | 4772 | explorer.exe | EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  4772 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
  pid | process
  4772 | EXCEL.EXE (the same entry repeated 14 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 4772 wrote to memory of 4432 | 4772 | EXCEL.EXE | explorer.exe (the same entry repeated 64 times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cs_obfuscated_vba.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4432-7-0x0000000002E80000-0x0000000002E81000-memory.dmp (4KB)
- memory/4432-9-0x0000000005120000-0x0000000005520000-memory.dmp (4.0MB)
- memory/4772-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-5-0x00007FFBE4380000-0x00007FFBE49B7000-memory.dmp (6.2MB)
- memory/4772-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-10-0x00007FF73FDA0000-0x00007FF743356000-memory.dmp (53.7MB)
- memory/4772-11-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-12-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-13-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4772-14-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)