Analysis
max time kernel: 143s
max time network: 159s
platform: windows10_x64
resource: win10v20210410
submitted: 02-07-2021 13:29
Static task: static1
Behavioral task: behavioral1
Sample: Reciept 4846765.xlsb
Resource: win7v20210410
General
Target: Reciept 4846765.xlsb
Size: 134KB
MD5: cdb6138ff4ea7542bc16b7ed16dad315
SHA1: de8aa97c4bc6ae869f8609cb55b841e34b9e3a19
SHA256: 4f096a8c2bfe78d9ed6d36423e9412efd7676717c98185f7244387279a608cbe
SHA512: a1a5460fa20e368970ebb39e7a9b1c3d55d4baf583cc938af0cacb62fb523e72b47f48340bc2fbbf9fb293d0f9217aac360d6d652cf86ab02fc4cf1ac44aa71b
Malware Config
Signatures
Processes:
resource                   yara_rule
C:\Windows\Temp\vewse.exe  cryptone
C:\Windows\Temp\vewse.exe  cryptone
Blocklisted process makes network request 14 IoCs
Processes:
flow  pid   process
32    3148  WMIC.exe
34    3148  WMIC.exe
36    3148  WMIC.exe
38    3148  WMIC.exe
40    3148  WMIC.exe
42    3148  WMIC.exe
44    3148  WMIC.exe
46    3148  WMIC.exe
48    3148  WMIC.exe
50    3148  WMIC.exe
52    3148  WMIC.exe
54    3148  WMIC.exe
56    3148  WMIC.exe
58    3148  WMIC.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes:
pid   process
2732  vewse.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                         process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0            EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz       EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                            process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Modifies system certificate store
Processes:
description       ioc                                                                                                                  process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349       WMIC.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <hex-encoded certificate blob omitted>  WMIC.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
2256  EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description                          pid   process
Token: SeIncreaseQuotaPrivilege      3148  WMIC.exe
Token: SeSecurityPrivilege           3148  WMIC.exe
Token: SeTakeOwnershipPrivilege      3148  WMIC.exe
Token: SeLoadDriverPrivilege         3148  WMIC.exe
Token: SeSystemProfilePrivilege      3148  WMIC.exe
Token: SeSystemtimePrivilege         3148  WMIC.exe
Token: SeProfSingleProcessPrivilege  3148  WMIC.exe
Token: SeIncBasePriorityPrivilege    3148  WMIC.exe
Token: SeCreatePagefilePrivilege     3148  WMIC.exe
Token: SeBackupPrivilege             3148  WMIC.exe
Token: SeRestorePrivilege            3148  WMIC.exe
Token: SeShutdownPrivilege           3148  WMIC.exe
Token: SeDebugPrivilege              3148  WMIC.exe
Token: SeSystemEnvironmentPrivilege  3148  WMIC.exe
Token: SeRemoteShutdownPrivilege     3148  WMIC.exe
Token: SeUndockPrivilege             3148  WMIC.exe
Token: SeManageVolumePrivilege       3148  WMIC.exe
Token: 33                            3148  WMIC.exe
Token: 34                            3148  WMIC.exe
Token: 35                            3148  WMIC.exe
Token: 36                            3148  WMIC.exe
Token: SeIncreaseQuotaPrivilege      3148  WMIC.exe
Token: SeSecurityPrivilege           3148  WMIC.exe
Token: SeTakeOwnershipPrivilege      3148  WMIC.exe
Token: SeLoadDriverPrivilege         3148  WMIC.exe
Token: SeSystemProfilePrivilege      3148  WMIC.exe
Token: SeSystemtimePrivilege         3148  WMIC.exe
Token: SeProfSingleProcessPrivilege  3148  WMIC.exe
Token: SeIncBasePriorityPrivilege    3148  WMIC.exe
Token: SeCreatePagefilePrivilege     3148  WMIC.exe
Token: SeBackupPrivilege             3148  WMIC.exe
Token: SeRestorePrivilege            3148  WMIC.exe
Token: SeShutdownPrivilege           3148  WMIC.exe
Token: SeDebugPrivilege              3148  WMIC.exe
Token: SeSystemEnvironmentPrivilege  3148  WMIC.exe
Token: SeRemoteShutdownPrivilege     3148  WMIC.exe
Token: SeUndockPrivilege             3148  WMIC.exe
Token: SeManageVolumePrivilege       3148  WMIC.exe
Token: 33                            3148  WMIC.exe
Token: 34                            3148  WMIC.exe
Token: 35                            3148  WMIC.exe
Token: 36                            3148  WMIC.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
2256  EXCEL.EXE
2256  EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid   process
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
2256  EXCEL.EXE
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                       pid   process    target process
PID 2256 wrote to memory of 2196  2256  EXCEL.EXE  splwow64.exe
PID 2256 wrote to memory of 2196  2256  EXCEL.EXE  splwow64.exe
PID 2104 wrote to memory of 3148  2104  mshta.EXE  WMIC.exe
PID 2104 wrote to memory of 3148  2104  mshta.EXE  WMIC.exe
PID 3148 wrote to memory of 2732  3148  WMIC.exe   vewse.exe
PID 3148 wrote to memory of 2732  3148  WMIC.exe   vewse.exe
PID 3148 wrote to memory of 2732  3148  WMIC.exe   vewse.exe
Processes
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 4846765.xlsb"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
[1] \??\c:\windows\system32\mshta.EXE
    c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\xCylinder.xsl"" & Chr(34)),0:close")
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\xCylinder.xsl"
        - Blocklisted process makes network request
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Temp\vewse.exe
            "C:\Windows\Temp\vewse.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\xCylinder.xsl
MD5: e8d46ccae0aa71a5ccba0dce0afe6884
SHA1: ac84327a1574b2b53ac5a252b31e81d2c452b591
SHA256: 1a8e1761e21ff006bfd22dea0063877b50c3fdc0df2fb22561a9470435fdc11f
SHA512: 223cc52d617f1f47b560dc584ba187decd30d82e5e034e398fcd1f32d0ff3358f5117b4fbf0d99d0169b3870d9f0f19863a30256a0475419221acd192789db56

C:\Windows\Temp\vewse.exe
MD5: 1fa2d8db24799c93d9b6aa37e05f5525
SHA1: a4e79f386e275c345d3098a56c4269a6a8df209f
SHA256: 073143c5d5589117612c308b01f84c5e5b024878e98b15021ca820458219a568
SHA512: ae7c8f5519425d5fcb431325b4d6d00e84bb789d3d9f19d8a4a71230e0bd13b99b692b9fb81ad38ba5b1d3e1ae6a5007b31d56358fcc3fcd07026a5586daeed3
memory/2196-179-0x0000000000000000-mapping.dmp
memory/2256-122-0x00007FF87ACF0000-0x00007FF87BDDE000-memory.dmp  Filesize 16.9MB
memory/2256-119-0x00007FF85A170000-0x00007FF85A180000-memory.dmp  Filesize 64KB
memory/2256-114-0x00007FF708AA0000-0x00007FF70C056000-memory.dmp  Filesize 53.7MB
memory/2256-123-0x00007FF878D30000-0x00007FF87AC25000-memory.dmp  Filesize 31.0MB
memory/2256-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmp  Filesize 64KB
memory/2256-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp  Filesize 64KB
memory/2256-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp  Filesize 64KB
memory/2256-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp  Filesize 64KB
memory/2732-182-0x0000000000000000-mapping.dmp
memory/3148-180-0x0000000000000000-mapping.dmp