bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88

Analysis

max time kernel
145s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subscription_1617898525.xlsb
Size

250KB
MD5

9d39f307b0d6276450038cca7568b2cc
SHA1

72d0c43d84791c50e600d85e6deb2b9021cf7056
SHA256

bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88
SHA512

17e98e6da13405142295953f6deb0cd7d44751bf83a22833a7b9747e21ae46630c1edb7d176edcd21f14428182135db181153a06ddd9e3fc70246514f6f1f127

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1100	4688	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

30 1596 rundll32.exe
35 1596 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

huqgk.exehuqgk.exeRKCF425.exeRKCF425.exe

pid process

2644 huqgk.exe
188 huqgk.exe
2460 RKCF425.exe
2944 RKCF425.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1596 rundll32.exe

flow	pid	process
30	1596	rundll32.exe
35	1596	rundll32.exe

pid	process
2644	huqgk.exe
188	huqgk.exe
2460	RKCF425.exe
2944	RKCF425.exe

pid	process
1596	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RKCF425.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RKCF425.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\D51AM76CR = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v B5CUQFXB6P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RKCF425.exe JU0NGE\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\RKCF425.exe JU0NGE"	RKCF425.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2392 PING.EXE
4544 PING.EXE
3920 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4688 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

huqgk.exe

pid process

2644 huqgk.exe
2644 huqgk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4688 EXCEL.EXE
4688 EXCEL.EXE

pid	process
2392	PING.EXE
4544	PING.EXE
3920	PING.EXE

pid	process
2644	huqgk.exe
2644	huqgk.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exehuqgk.execmd.exehuqgk.execmd.exeRKCF425.execmd.exe

description	pid	process	target process
PID 4688 wrote to memory of 1100	4688	EXCEL.EXE	cmd.exe
PID 4688 wrote to memory of 1100	4688	EXCEL.EXE	cmd.exe
PID 1100 wrote to memory of 1288	1100	cmd.exe	certutil.exe
PID 1100 wrote to memory of 1288	1100	cmd.exe	certutil.exe
PID 1100 wrote to memory of 1468	1100	cmd.exe	rundll32.exe
PID 1100 wrote to memory of 1468	1100	cmd.exe	rundll32.exe
PID 1468 wrote to memory of 1596	1468	rundll32.exe	rundll32.exe
PID 1468 wrote to memory of 1596	1468	rundll32.exe	rundll32.exe
PID 1468 wrote to memory of 1596	1468	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 2644	1596	rundll32.exe	huqgk.exe
PID 1596 wrote to memory of 2644	1596	rundll32.exe	huqgk.exe
PID 2644 wrote to memory of 4260	2644	huqgk.exe	cmd.exe
PID 2644 wrote to memory of 4260	2644	huqgk.exe	cmd.exe
PID 4260 wrote to memory of 2392	4260	cmd.exe	PING.EXE
PID 4260 wrote to memory of 2392	4260	cmd.exe	PING.EXE
PID 4260 wrote to memory of 188	4260	cmd.exe	huqgk.exe
PID 4260 wrote to memory of 188	4260	cmd.exe	huqgk.exe
PID 188 wrote to memory of 3908	188	huqgk.exe	cmd.exe
PID 188 wrote to memory of 3908	188	huqgk.exe	cmd.exe
PID 3908 wrote to memory of 4544	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 4544	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 2460	3908	cmd.exe	RKCF425.exe
PID 3908 wrote to memory of 2460	3908	cmd.exe	RKCF425.exe
PID 2460 wrote to memory of 2960	2460	RKCF425.exe	cmd.exe
PID 2460 wrote to memory of 2960	2460	RKCF425.exe	cmd.exe
PID 2960 wrote to memory of 3920	2960	cmd.exe	PING.EXE
PID 2960 wrote to memory of 3920	2960	cmd.exe	PING.EXE
PID 2960 wrote to memory of 2944	2960	cmd.exe	RKCF425.exe
PID 2960 wrote to memory of 2944	2960	cmd.exe	RKCF425.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617898525.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\14118.doy %PUBLIC%\14118.biy && rundll32 %PUBLIC%\14118.biy,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\14118.doy C:\Users\Public\14118.biy
3⤵
PID:1288

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\14118.biy,DF1
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\14118.biy,DF1
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596

C:\ProgramData\huqgk\huqgk.exe
"C:\ProgramData\huqgk\huqgk.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\huqgk\huqgk.exe DZOF6
6⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
7⤵
- Runs ping.exe
PID:2392

C:\ProgramData\huqgk\huqgk.exe
C:\ProgramData\huqgk\huqgk.exe DZOF6
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\RKCF425.exe DO32
8⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
9⤵
- Runs ping.exe
PID:4544

C:\Users\Admin\AppData\Local\Temp\RKCF425.exe
C:\Users\Admin\AppData\Local\Temp\RKCF425.exe DO32
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\RKCF425.exe JU0NGE
10⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
11⤵
- Runs ping.exe
PID:3920

C:\Users\Admin\AppData\Local\Temp\RKCF425.exe
C:\Users\Admin\AppData\Local\Temp\RKCF425.exe JU0NGE
11⤵
- Executes dropped EXE
PID:2944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\huqgk\huqgk.exe
MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\ProgramData\huqgk\huqgk.exe
MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\ProgramData\huqgk\huqgk.exe
MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKCF425.exe
MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKCF425.exe
MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKCF425.exe
MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\Users\Public\14118.biy
MD5
0d90eb265cfe49b20037673845bd0c3c

SHA1
6d8fb0ff1aba664991336f039a2cc4451a6160cc

SHA256
acc4ef33e4725fa9b3b1481a30b9ab2790badf06eb8bdc0db5d4cd550f16c6cc

SHA512
64a2a8fc352760907e36373dea7d1ee4867e7d569da44360069ca862161504769e35b08dc557d0aefbc0f15d5be83c996dae9b665540d36b255ed430798cb62d

Download Submit
C:\Users\Public\14118.doy
MD5
61f9ff7edf0a1ff6888e541124226553

SHA1
171fcc225b737185dcb63a7980e7568b3a80f88a

SHA256
5b76d927fc8fbce5d669a8388858986e2b4533176144d08497f5b58672db12fb

SHA512
9cc04bf336b90aeeb9b4a93185dde1173f968f2fb8b9f974c2fbd74d2f2dde499be8058050fed96887439140bb000da368feb48e7f89b3a6ccbbdcf0e4532350

Download Submit
\Users\Public\14118.biy
MD5
0d90eb265cfe49b20037673845bd0c3c

SHA1
6d8fb0ff1aba664991336f039a2cc4451a6160cc

SHA256
acc4ef33e4725fa9b3b1481a30b9ab2790badf06eb8bdc0db5d4cd550f16c6cc

SHA512
64a2a8fc352760907e36373dea7d1ee4867e7d569da44360069ca862161504769e35b08dc557d0aefbc0f15d5be83c996dae9b665540d36b255ed430798cb62d

Download Submit
memory/188-191-0x0000000000000000-mapping.dmp

Download
memory/1100-179-0x0000000000000000-mapping.dmp

Download
memory/1288-180-0x0000000000000000-mapping.dmp

Download
memory/1468-182-0x0000000000000000-mapping.dmp

Download
memory/1596-184-0x0000000000000000-mapping.dmp

Download
memory/2392-190-0x0000000000000000-mapping.dmp

Download
memory/2460-195-0x0000000000000000-mapping.dmp

Download
memory/2644-186-0x0000000000000000-mapping.dmp

Download
memory/2944-200-0x0000000000000000-mapping.dmp

Download
memory/2960-198-0x0000000000000000-mapping.dmp

Download
memory/3908-193-0x0000000000000000-mapping.dmp

Download
memory/3920-199-0x0000000000000000-mapping.dmp

Download
memory/4260-189-0x0000000000000000-mapping.dmp

Download
memory/4544-194-0x0000000000000000-mapping.dmp

Download
memory/4688-114-0x00007FF6ECFD0000-0x00007FF6F0586000-memory.dmp

Filesize
53.7MB

Download
memory/4688-118-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-121-0x00007FFEE5CA0000-0x00007FFEE6D8E000-memory.dmp

Filesize
16.9MB

Download
memory/4688-123-0x00007FFEE3CE0000-0x00007FFEE5BD5000-memory.dmp

Filesize
31.0MB

Download
memory/4688-117-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-116-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-122-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-115-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download