Analysis
- max time kernel: 148s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-03-2021 12:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: Copia_de_pago_12_03.xlsm
- Resource: win7v20201028
General
- Target: Copia_de_pago_12_03.xlsm
- Size: 197KB
- MD5: b5192b8607edf0e0d159f5510576cf24
- SHA1: ea830c1f6a158b362cdfd7a1c9ac250efe2143bf
- SHA256: 03e7588bbb5ace7f22485dee84bf149aa8129504b19b3727bf24ae8b1afd506c
- SHA512: 3d5548ddb32670faf5df4a5a74c8c766268990c9cd4edafe41b739f352beb0c9927b89abefdc248a65f1f224622d8681d6ba85468331831ca7e0a519e642b4c4
Malware Config
Extracted: xloader
http://www.basiclablife.com/8zdn/
yourherogarden.net
onlineharambee.net
cerrajeriaurgencias24horas.com
distritoforex.com
verifyclientserverssr.com
dandwg.com
co2-zero.global
joshssl.com
meckwt.com
theammf.com
rawclectic.com
gzgnetwork.com
richmondavenuecoc.com
nicolelyte.com
thetinyclosetboutique.com
llt-group.net
seven-sky-design.com
joganifinancialgrp.com
elementsvapes.com
bingent.info
quaichshop.net
unethicalsgsblaw.com
matts.digital
lexafit.com
covidwanderings.com
pk972.com
fanashaadivine.com
winharadesigns.com
adosignite.com
goldengatesimmigration.com
unazampanelcuore.com
gasexecutive.com
sdps365.net
worthingtonminnesota.com
ducatsupply.com
beijinghui1.icu
hn-bet.com
homeforsalesteamboat.com
tiaozaoxinlingshou.net
mrbils.net
depuitycollector.com
winningovereating.com
usedonlyrvs.com
verbinoz.com
threepocketmedia.com
lizbing.com
fivestardogfoods.com
edevercal.net
irisettelment.com
beautyphernalia.com
terrawindglobalprotection.net
floridaindian.com
kidzistore.com
kulisbet117.com
logingatech.info
ftdk.net
lawwise.legal
bruthawar.com
lemonpublishing.com
6781529.com
zfxsotc.com
shroomsdrop.com
ahm-app.com
finesilversmith.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cscript.exe
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1552 | 1020 | cscript.exe | EXCEL.EXE
-
Xloader Payload 3 IoCs
resource | yara_rule
behavioral1/memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral1/memory/1312-31-0x000000000041D020-mapping.dmp | xloader
behavioral1/memory/1188-43-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader
-
Blocklisted process makes network request 2 IoCs
Processes: cscript.exe, cscript.exe
flow | pid | process
4 | 1552 | cscript.exe
5 | 1132 | cscript.exe
-
Executes dropped EXE 2 IoCs
Processes: putty.exe, putty.exe
pid | process
1636 | putty.exe
1312 | putty.exe
-
Loads dropped DLL 1 IoCs
Processes: cscript.exe
pid | process
1552 | cscript.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: putty.exe, putty.exe, mstsc.exe
description | pid | process | target process
PID 1636 set thread context of 1312 | 1636 | putty.exe | putty.exe
PID 1312 set thread context of 1200 | 1312 | putty.exe | Explorer.EXE
PID 1312 set thread context of 1200 | 1312 | putty.exe | Explorer.EXE
PID 1188 set thread context of 1200 | 1188 | mstsc.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: EXCEL.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
-
NTFS ADS 1 IoCs
Processes: EXCEL.EXE
description | ioc | process
File opened for modification | C:\programdata\asc.txt:script1.vbs | EXCEL.EXE
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 5 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
1020 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: putty.exe, mstsc.exe
pid | process
1312 | putty.exe (3 occurrences)
1188 | mstsc.exe (5 occurrences)
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: putty.exe, mstsc.exe
pid | process
1312 | putty.exe (4 occurrences)
1188 | mstsc.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: putty.exe, mstsc.exe
description | pid | process
Token: SeDebugPrivilege | 1312 | putty.exe
Token: SeDebugPrivilege | 1188 | mstsc.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: EXCEL.EXE
pid | process
1020 | EXCEL.EXE (3 occurrences)
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes: EQNEDT32.EXE, cmD.exe, wscript.exe, cmd.exe, EXCEL.EXE, cscript.exe, putty.exe, Explorer.EXE, mstsc.exe
description | pid | process | target process (repeated rows collapsed; the count in parentheses is the number of identical rows in the report)
PID 2012 wrote to memory of 1244 | 2012 | EQNEDT32.EXE | cmD.exe (4)
PID 1244 wrote to memory of 276 | 1244 | cmD.exe | wscript.exe (4)
PID 276 wrote to memory of 1744 | 276 | wscript.exe | cmd.exe (4)
PID 1744 wrote to memory of 1132 | 1744 | cmd.exe | cscript.exe (4)
PID 1020 wrote to memory of 1552 | 1020 | EXCEL.EXE | cscript.exe (4)
PID 1552 wrote to memory of 1636 | 1552 | cscript.exe | putty.exe (4)
PID 1636 wrote to memory of 1312 | 1636 | putty.exe | putty.exe (7)
PID 1200 wrote to memory of 1188 | 1200 | Explorer.EXE | mstsc.exe (4)
PID 1188 wrote to memory of 1624 | 1188 | mstsc.exe | cmd.exe (4)
Processes
-
(depth 1) C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Copia_de_pago_12_03.xlsm
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cscript.exe
        Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
        - Process spawned unexpected child process
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\programdata\putty.exe
          Command line: "C:\programdata\putty.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\programdata\putty.exe
            Command line: "C:\programdata\putty.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
  (depth 2) C:\Windows\SysWOW64\mstsc.exe
      Command line: "C:\Windows\SysWOW64\mstsc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\programdata\putty.exe"
(depth 1) C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\cmD.exe
      Command line: cmD /c ReN %Tmp%\q v& WSCrIpT %tmp%\v?..wsf C
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\wscript.exe
        Command line: WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\SysWOW64\cscript.exe
            Command line: cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
            - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\putty.exe
MD5: 0c646642ed1f66939d1f6ceb9e8e00fc
SHA1: 7dc7588378602e1fba5866c27769acae2cd3d07f
SHA256: f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365
SHA512: eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765
-
C:\Users\Admin\AppData\Local\Temp\q
MD5: 5dde8136e30cc7223ef4eabcecf9c1ad
SHA1: 87a8bd0d6ef64a3013bd268fab78ac9bb7f53ac7
SHA256: c2ea928dc6e0b75ac6eeecd5b519fed8320875a0d12a66ac70624e799bc2ddf7
SHA512: ad89efaba6cb092f393ef6b5e7aa601517a99393dc9d9387d77a047b0def9fe0cab87d2a6941f0d052bc2f3f80aeed1c4fb9784b737c51ce37baeef60da9ba49
-
C:\Users\Admin\AppData\Local\Temp\xx
MD5: ae4f663fed2b4ab5045f866d563f1696
SHA1: 5a1ad388774e928ac191cce2f876210ee23d2f2d
SHA256: 49b4c2b0da8b86f5fb173f85e0825c50b139731bbe3556279ee0a5a60d9533f3
SHA512: ca6d57a2a22929c5bf5d47263b49aad623ee1e67ba8c4405e69b5e5f274e0353f9ef63df6f816f2ad70195d49d75afd2da66ecc0478d86fa1068b03fd051f4b5
-
C:\programdata\asc.txt:script1.vbs
MD5: e383b657f76541d555856e702637c047
SHA1: a3516519c49e5a1c2016d579884b37080e885284
SHA256: d78a6024f8307fc8385c7eb49eb1d21ef10fafe593f9b794f1c960ac78d115f0
SHA512: 23a143c9257cafb197275d643f03d97a1e8a464124671074d35171ce567741795c9dae252c2e82586e0e7c457690ffade7ee96503ba2b805c6918a6b3c397fb1
-
C:\programdata\putty.exe
MD5: 0c646642ed1f66939d1f6ceb9e8e00fc
SHA1: 7dc7588378602e1fba5866c27769acae2cd3d07f
SHA256: f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365
SHA512: eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765
-
\ProgramData\putty.exe
MD5: 0c646642ed1f66939d1f6ceb9e8e00fc
SHA1: 7dc7588378602e1fba5866c27769acae2cd3d07f
SHA256: f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365
SHA512: eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765
-
memory/276-8-0x0000000000000000-mapping.dmp
memory/276-12-0x0000000002750000-0x0000000002754000-memory.dmp (Filesize: 16KB)
memory/1020-3-0x0000000070DE1000-0x0000000070DE3000-memory.dmp (Filesize: 8KB)
memory/1020-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
memory/1020-2-0x000000002F831000-0x000000002F834000-memory.dmp (Filesize: 12KB)
memory/1132-24-0x0000000002630000-0x0000000002634000-memory.dmp (Filesize: 16KB)
memory/1132-13-0x0000000000000000-mapping.dmp
memory/1188-45-0x0000000001FE0000-0x000000000206F000-memory.dmp (Filesize: 572KB)
memory/1188-42-0x0000000000AD0000-0x0000000000BD4000-memory.dmp (Filesize: 1.0MB)
memory/1188-44-0x0000000002170000-0x0000000002473000-memory.dmp (Filesize: 3.0MB)
memory/1188-43-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize: 160KB)
memory/1188-39-0x0000000000000000-mapping.dmp
memory/1200-36-0x0000000003F30000-0x000000000406C000-memory.dmp (Filesize: 1.2MB)
memory/1200-38-0x00000000064C0000-0x000000000661E000-memory.dmp (Filesize: 1.4MB)
memory/1244-6-0x0000000000000000-mapping.dmp
memory/1312-31-0x000000000041D020-mapping.dmp
memory/1312-37-0x0000000000450000-0x0000000000460000-memory.dmp (Filesize: 64KB)
memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
memory/1312-34-0x0000000000900000-0x0000000000C03000-memory.dmp (Filesize: 3.0MB)
memory/1312-35-0x0000000000270000-0x0000000000280000-memory.dmp (Filesize: 64KB)
memory/1552-15-0x0000000000000000-mapping.dmp
memory/1552-21-0x0000000002730000-0x0000000002734000-memory.dmp (Filesize: 16KB)
memory/1624-41-0x0000000000000000-mapping.dmp
memory/1636-25-0x0000000000810000-0x0000000000811000-memory.dmp (Filesize: 4KB)
memory/1636-27-0x0000000000320000-0x000000000032C000-memory.dmp (Filesize: 48KB)
memory/1636-29-0x00000000048A0000-0x00000000048FD000-memory.dmp (Filesize: 372KB)
memory/1636-28-0x0000000004E00000-0x0000000004E01000-memory.dmp (Filesize: 4KB)
memory/1636-23-0x000000006ADF0000-0x000000006B4DE000-memory.dmp (Filesize: 6.9MB)
memory/1636-19-0x0000000000000000-mapping.dmp
memory/1744-11-0x0000000000000000-mapping.dmp
memory/2012-5-0x00000000753E1000-0x00000000753E3000-memory.dmp (Filesize: 8KB)