709e2a3846cb20034181c4bb090b6d98499955d850970b87d49e3271184e2d8f

General

Target

Reciept 96285898.xlsb
Size

134KB
MD5

c32e8a076a3dd64e30cd8b5c5a7a2276
SHA1

17b52997cf29214e7b06368269879237c09e7706
SHA256

709e2a3846cb20034181c4bb090b6d98499955d850970b87d49e3271184e2d8f
SHA512

d0a9295cdfb26fe2ee61767515ce279f5bc2c5529903875a76a7d3503215a1875c1dc1b177ce7c0031bd6bb2de6ad36ab4722dcf445bdc0e8184783636b44c50

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Windows\Temp\zgbqc.exe	cryptone
C:\Windows\Temp\zgbqc.exe	cryptone

Blocklisted process makes network request 12 IoCs

Processes:

WMIC.exe

flow	pid	process
36	3952	WMIC.exe
38	3952	WMIC.exe
40	3952	WMIC.exe
42	3952	WMIC.exe
44	3952	WMIC.exe
46	3952	WMIC.exe
48	3952	WMIC.exe
50	3952	WMIC.exe
52	3952	WMIC.exe
54	3952	WMIC.exe
55	3952	WMIC.exe
57	3952	WMIC.exe

Executes dropped EXE 1 IoCs

Processes:

zgbqc.exe

pid process

4040 zgbqc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4040	zgbqc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WMIC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WMIC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WMIC.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

568 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe
Token: 33	3952	WMIC.exe
Token: 34	3952	WMIC.exe
Token: 35	3952	WMIC.exe
Token: 36	3952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe
Token: 33	3952	WMIC.exe
Token: 34	3952	WMIC.exe
Token: 35	3952	WMIC.exe
Token: 36	3952	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

568 EXCEL.EXE
568 EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE
568	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EXCEL.EXEmshta.EXEWMIC.exe

description	pid	process	target process
PID 568 wrote to memory of 996	568	EXCEL.EXE	splwow64.exe
PID 568 wrote to memory of 996	568	EXCEL.EXE	splwow64.exe
PID 2856 wrote to memory of 3952	2856	mshta.EXE	WMIC.exe
PID 2856 wrote to memory of 3952	2856	mshta.EXE	WMIC.exe
PID 3952 wrote to memory of 4040	3952	WMIC.exe	zgbqc.exe
PID 3952 wrote to memory of 4040	3952	WMIC.exe	zgbqc.exe
PID 3952 wrote to memory of 4040	3952	WMIC.exe	zgbqc.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 96285898.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:996

\??\c:\windows\system32\mshta.EXE
c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\xDoNotSaveChanges.xsl"" & Chr(34)),0:close")
1⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\xDoNotSaveChanges.xsl"
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Temp\zgbqc.exe
"C:\Windows\Temp\zgbqc.exe"
3⤵
- Executes dropped EXE
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xDoNotSaveChanges.xsl
MD5
553b4380b0dea3566cb279a965f85629

SHA1
bae44084888e5bf95c6ec5a4e69d8287083e2c93

SHA256
8480d432ab1b8e8b259708908898a45a893562f3cff3ed2388579fbae94825c8

SHA512
e446648b995fff2bcf5a5cca3b800875b5dadd022dbf2484eb55be6c4e01711cea1c1dbbcdb78b583f3c764f4c35309aadb1d519fe3504fb6193f7647db696c7

Download Submit
C:\Windows\Temp\zgbqc.exe
MD5
1fa2d8db24799c93d9b6aa37e05f5525

SHA1
a4e79f386e275c345d3098a56c4269a6a8df209f

SHA256
073143c5d5589117612c308b01f84c5e5b024878e98b15021ca820458219a568

SHA512
ae7c8f5519425d5fcb431325b4d6d00e84bb789d3d9f19d8a4a71230e0bd13b99b692b9fb81ad38ba5b1d3e1ae6a5007b31d56358fcc3fcd07026a5586daeed3

Download Submit
C:\Windows\Temp\zgbqc.exe
MD5
1fa2d8db24799c93d9b6aa37e05f5525

SHA1
a4e79f386e275c345d3098a56c4269a6a8df209f

SHA256
073143c5d5589117612c308b01f84c5e5b024878e98b15021ca820458219a568

SHA512
ae7c8f5519425d5fcb431325b4d6d00e84bb789d3d9f19d8a4a71230e0bd13b99b692b9fb81ad38ba5b1d3e1ae6a5007b31d56358fcc3fcd07026a5586daeed3

Download Submit
memory/568-122-0x00007FFCABC90000-0x00007FFCACD7E000-memory.dmp

Filesize
16.9MB

Download
memory/568-118-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/568-121-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/568-114-0x00007FF6EE2E0000-0x00007FF6F1896000-memory.dmp

Filesize
53.7MB

Download
memory/568-123-0x00007FFCA9D90000-0x00007FFCABC85000-memory.dmp

Filesize
31.0MB

Download
memory/568-117-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/568-116-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/568-115-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/996-179-0x0000000000000000-mapping.dmp

Download
memory/3952-180-0x0000000000000000-mapping.dmp

Download
memory/4040-182-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads