Analysis
  max time kernel: 150s
  max time network: 130s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 12-03-2021 12:53

Static task: static1

Behavioral task: behavioral1
  Sample: Copia_de_pago_12_03.xlsm
  Resource: win7v20201028
General
  Target: Copia_de_pago_12_03.xlsm
  Size: 197KB
  MD5: b5192b8607edf0e0d159f5510576cf24
  SHA1: ea830c1f6a158b362cdfd7a1c9ac250efe2143bf
  SHA256: 03e7588bbb5ace7f22485dee84bf149aa8129504b19b3727bf24ae8b1afd506c
  SHA512: 3d5548ddb32670faf5df4a5a74c8c766268990c9cd4edafe41b739f352beb0c9927b89abefdc248a65f1f224622d8681d6ba85468331831ca7e0a519e642b4c4
Malware Config
  Extracted family: xloader
  URLs and domains from the extracted configuration:
http://www.basiclablife.com/8zdn/
yourherogarden.net
onlineharambee.net
cerrajeriaurgencias24horas.com
distritoforex.com
verifyclientserverssr.com
dandwg.com
co2-zero.global
joshssl.com
meckwt.com
theammf.com
rawclectic.com
gzgnetwork.com
richmondavenuecoc.com
nicolelyte.com
thetinyclosetboutique.com
llt-group.net
seven-sky-design.com
joganifinancialgrp.com
elementsvapes.com
bingent.info
quaichshop.net
unethicalsgsblaw.com
matts.digital
lexafit.com
covidwanderings.com
pk972.com
fanashaadivine.com
winharadesigns.com
adosignite.com
goldengatesimmigration.com
unazampanelcuore.com
gasexecutive.com
sdps365.net
worthingtonminnesota.com
ducatsupply.com
beijinghui1.icu
hn-bet.com
homeforsalesteamboat.com
tiaozaoxinlingshou.net
mrbils.net
depuitycollector.com
winningovereating.com
usedonlyrvs.com
verbinoz.com
threepocketmedia.com
lizbing.com
fivestardogfoods.com
edevercal.net
irisettelment.com
beautyphernalia.com
terrawindglobalprotection.net
floridaindian.com
kidzistore.com
kulisbet117.com
logingatech.info
ftdk.net
lawwise.legal
bruthawar.com
lemonpublishing.com
6781529.com
zfxsotc.com
shroomsdrop.com
ahm-app.com
finesilversmith.com
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1272 | 1908 | cscript.exe | EXCEL.EXE
Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2744-24-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
  behavioral2/memory/2744-25-0x000000000041D020-mapping.dmp | xloader
  behavioral2/memory/1540-33-0x00000000002E0000-0x0000000000308000-memory.dmp | xloader
Blocklisted process makes network request (1 IoCs)
  flow | pid | process
  21 | 1272 | cscript.exe
Executes dropped EXE (3 IoCs)
  pid | process
  3136 | putty.exe
  2740 | putty.exe
  2744 | putty.exe
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 3136 set thread context of 2744 | 3136 | putty.exe | putty.exe
  PID 2744 set thread context of 3020 | 2744 | putty.exe | Explorer.EXE
  PID 1540 set thread context of 3020 | 1540 | help.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
NTFS ADS (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{D7A43672-120F-4559-897E-AB8477620253}\q:Zone.Identifier | EXCEL.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{D7A43672-120F-4559-897E-AB8477620253}\xx:Zone.Identifier | EXCEL.EXE
  File opened for modification | C:\programdata\asc.txt:script1.vbs | EXCEL.EXE
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 21 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  1908 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | process | occurrences
  3136 | putty.exe | 2
  2744 | putty.exe | 4
  1540 | help.exe | 14
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process | occurrences
  2744 | putty.exe | 3
  1540 | help.exe | 2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3136 | putty.exe
  Token: SeDebugPrivilege | 2744 | putty.exe
  Token: SeDebugPrivilege | 1540 | help.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process | occurrences
  1908 | EXCEL.EXE | 2
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process | occurrences
  1908 | EXCEL.EXE | 12
Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process | occurrences
  PID 1908 wrote to memory of 1272 | 1908 | EXCEL.EXE | cscript.exe | 2
  PID 1272 wrote to memory of 3136 | 1272 | cscript.exe | putty.exe | 3
  PID 3136 wrote to memory of 2740 | 3136 | putty.exe | putty.exe | 3
  PID 3136 wrote to memory of 2744 | 3136 | putty.exe | putty.exe | 6
  PID 3020 wrote to memory of 1540 | 3020 | Explorer.EXE | help.exe | 3
  PID 1540 wrote to memory of 4048 | 1540 | help.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3020
  signatures:
    - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Copia_de_pago_12_03.xlsm"
    PID: 1908
    signatures:
      - Checks processor information in registry
      - Enumerates system info in registry
      - NTFS ADS
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cscript.exe
      command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      PID: 1272
      signatures:
        - Process spawned unexpected child process
        - Blocklisted process makes network request
        - Suspicious use of WriteProcessMemory

      C:\programdata\putty.exe
        command line: "C:\programdata\putty.exe"
        PID: 3136
        signatures:
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        C:\programdata\putty.exe
          command line: "C:\programdata\putty.exe"
          PID: 2740
          signatures:
            - Executes dropped EXE

        C:\programdata\putty.exe
          command line: "C:\programdata\putty.exe"
          PID: 2744
          signatures:
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    PID: 1540
    signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\programdata\putty.exe"
      PID: 4048
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\putty.exe
  MD5: 0c646642ed1f66939d1f6ceb9e8e00fc
  SHA1: 7dc7588378602e1fba5866c27769acae2cd3d07f
  SHA256: f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365
  SHA512: eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

C:\programdata\asc.txt:script1.vbs
  MD5: e383b657f76541d555856e702637c047
  SHA1: a3516519c49e5a1c2016d579884b37080e885284
  SHA256: d78a6024f8307fc8385c7eb49eb1d21ef10fafe593f9b794f1c960ac78d115f0
  SHA512: 23a143c9257cafb197275d643f03d97a1e8a464124671074d35171ce567741795c9dae252c2e82586e0e7c457690ffade7ee96503ba2b805c6918a6b3c397fb1

C:\programdata\putty.exe
  MD5: 0c646642ed1f66939d1f6ceb9e8e00fc
  SHA1: 7dc7588378602e1fba5866c27769acae2cd3d07f
  SHA256: f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365
  SHA512: eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

Memory dumps (dump | filesize):
  memory/1272-7-0x0000000000000000-mapping.dmp
  memory/1540-33-0x00000000002E0000-0x0000000000308000-memory.dmp | 160KB
  memory/1540-37-0x0000000002AF0000-0x0000000002B7F000-memory.dmp | 572KB
  memory/1540-35-0x0000000002CA0000-0x0000000002FC0000-memory.dmp | 3.1MB
  memory/1540-32-0x0000000000340000-0x0000000000347000-memory.dmp | 28KB
  memory/1540-31-0x0000000000000000-mapping.dmp
  memory/1908-6-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp | 64KB
  memory/1908-5-0x00007FFCA1F50000-0x00007FFCA2587000-memory.dmp | 6.2MB
  memory/1908-4-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp | 64KB
  memory/1908-2-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp | 64KB
  memory/1908-3-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp | 64KB
  memory/2744-28-0x0000000000EE0000-0x0000000001200000-memory.dmp | 3.1MB
  memory/2744-29-0x0000000000980000-0x0000000000990000-memory.dmp | 64KB
  memory/2744-25-0x000000000041D020-mapping.dmp
  memory/2744-24-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3020-30-0x0000000002B20000-0x0000000002BFB000-memory.dmp | 876KB
  memory/3020-38-0x0000000005330000-0x0000000005496000-memory.dmp | 1.4MB
  memory/3136-18-0x0000000002E60000-0x0000000002E61000-memory.dmp | 4KB
  memory/3136-19-0x0000000005600000-0x0000000005601000-memory.dmp | 4KB
  memory/3136-17-0x00000000054A0000-0x00000000054A1000-memory.dmp | 4KB
  memory/3136-20-0x0000000002EA0000-0x0000000002EAC000-memory.dmp | 48KB
  memory/3136-21-0x00000000056A0000-0x00000000056A1000-memory.dmp | 4KB
  memory/3136-16-0x00000000059A0000-0x00000000059A1000-memory.dmp | 4KB
  memory/3136-15-0x0000000005400000-0x0000000005401000-memory.dmp | 4KB
  memory/3136-13-0x00000000009C0000-0x00000000009C1000-memory.dmp | 4KB
  memory/3136-12-0x0000000073920000-0x000000007400E000-memory.dmp | 6.9MB
  memory/3136-9-0x0000000000000000-mapping.dmp
  memory/3136-22-0x0000000005940000-0x000000000599D000-memory.dmp | 372KB
  memory/4048-34-0x0000000000000000-mapping.dmp