4f096a8c2bfe78d9ed6d36423e9412efd7676717c98185f7244387279a608cbe

General

Target

Reciept 4846765.xlsb
Size

134KB
MD5

cdb6138ff4ea7542bc16b7ed16dad315
SHA1

de8aa97c4bc6ae869f8609cb55b841e34b9e3a19
SHA256

4f096a8c2bfe78d9ed6d36423e9412efd7676717c98185f7244387279a608cbe
SHA512

a1a5460fa20e368970ebb39e7a9b1c3d55d4baf583cc938af0cacb62fb523e72b47f48340bc2fbbf9fb293d0f9217aac360d6d652cf86ab02fc4cf1ac44aa71b

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Windows\Temp\vewse.exe	cryptone
C:\Windows\Temp\vewse.exe	cryptone

Blocklisted process makes network request 14 IoCs

Processes:

WMIC.exe

flow	pid	process
32	3148	WMIC.exe
34	3148	WMIC.exe
36	3148	WMIC.exe
38	3148	WMIC.exe
40	3148	WMIC.exe
42	3148	WMIC.exe
44	3148	WMIC.exe
46	3148	WMIC.exe
48	3148	WMIC.exe
50	3148	WMIC.exe
52	3148	WMIC.exe
54	3148	WMIC.exe
56	3148	WMIC.exe
58	3148	WMIC.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vewse.exe

pid process

2732 vewse.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2732	vewse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WMIC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WMIC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WMIC.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2256 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3148	WMIC.exe
Token: SeSecurityPrivilege	3148	WMIC.exe
Token: SeTakeOwnershipPrivilege	3148	WMIC.exe
Token: SeLoadDriverPrivilege	3148	WMIC.exe
Token: SeSystemProfilePrivilege	3148	WMIC.exe
Token: SeSystemtimePrivilege	3148	WMIC.exe
Token: SeProfSingleProcessPrivilege	3148	WMIC.exe
Token: SeIncBasePriorityPrivilege	3148	WMIC.exe
Token: SeCreatePagefilePrivilege	3148	WMIC.exe
Token: SeBackupPrivilege	3148	WMIC.exe
Token: SeRestorePrivilege	3148	WMIC.exe
Token: SeShutdownPrivilege	3148	WMIC.exe
Token: SeDebugPrivilege	3148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3148	WMIC.exe
Token: SeRemoteShutdownPrivilege	3148	WMIC.exe
Token: SeUndockPrivilege	3148	WMIC.exe
Token: SeManageVolumePrivilege	3148	WMIC.exe
Token: 33	3148	WMIC.exe
Token: 34	3148	WMIC.exe
Token: 35	3148	WMIC.exe
Token: 36	3148	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3148	WMIC.exe
Token: SeSecurityPrivilege	3148	WMIC.exe
Token: SeTakeOwnershipPrivilege	3148	WMIC.exe
Token: SeLoadDriverPrivilege	3148	WMIC.exe
Token: SeSystemProfilePrivilege	3148	WMIC.exe
Token: SeSystemtimePrivilege	3148	WMIC.exe
Token: SeProfSingleProcessPrivilege	3148	WMIC.exe
Token: SeIncBasePriorityPrivilege	3148	WMIC.exe
Token: SeCreatePagefilePrivilege	3148	WMIC.exe
Token: SeBackupPrivilege	3148	WMIC.exe
Token: SeRestorePrivilege	3148	WMIC.exe
Token: SeShutdownPrivilege	3148	WMIC.exe
Token: SeDebugPrivilege	3148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3148	WMIC.exe
Token: SeRemoteShutdownPrivilege	3148	WMIC.exe
Token: SeUndockPrivilege	3148	WMIC.exe
Token: SeManageVolumePrivilege	3148	WMIC.exe
Token: 33	3148	WMIC.exe
Token: 34	3148	WMIC.exe
Token: 35	3148	WMIC.exe
Token: 36	3148	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2256 EXCEL.EXE
2256 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EXCEL.EXEmshta.EXEWMIC.exe

description	pid	process	target process
PID 2256 wrote to memory of 2196	2256	EXCEL.EXE	splwow64.exe
PID 2256 wrote to memory of 2196	2256	EXCEL.EXE	splwow64.exe
PID 2104 wrote to memory of 3148	2104	mshta.EXE	WMIC.exe
PID 2104 wrote to memory of 3148	2104	mshta.EXE	WMIC.exe
PID 3148 wrote to memory of 2732	3148	WMIC.exe	vewse.exe
PID 3148 wrote to memory of 2732	3148	WMIC.exe	vewse.exe
PID 3148 wrote to memory of 2732	3148	WMIC.exe	vewse.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 4846765.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2196

\??\c:\windows\system32\mshta.EXE
c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\xCylinder.xsl"" & Chr(34)),0:close")
1⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\xCylinder.xsl"
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\Temp\vewse.exe
"C:\Windows\Temp\vewse.exe"
3⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xCylinder.xsl
MD5
e8d46ccae0aa71a5ccba0dce0afe6884

SHA1
ac84327a1574b2b53ac5a252b31e81d2c452b591

SHA256
1a8e1761e21ff006bfd22dea0063877b50c3fdc0df2fb22561a9470435fdc11f

SHA512
223cc52d617f1f47b560dc584ba187decd30d82e5e034e398fcd1f32d0ff3358f5117b4fbf0d99d0169b3870d9f0f19863a30256a0475419221acd192789db56

Download Submit
C:\Windows\Temp\vewse.exe
MD5
1fa2d8db24799c93d9b6aa37e05f5525

SHA1
a4e79f386e275c345d3098a56c4269a6a8df209f

SHA256
073143c5d5589117612c308b01f84c5e5b024878e98b15021ca820458219a568

SHA512
ae7c8f5519425d5fcb431325b4d6d00e84bb789d3d9f19d8a4a71230e0bd13b99b692b9fb81ad38ba5b1d3e1ae6a5007b31d56358fcc3fcd07026a5586daeed3

Download Submit
C:\Windows\Temp\vewse.exe
MD5
1fa2d8db24799c93d9b6aa37e05f5525

SHA1
a4e79f386e275c345d3098a56c4269a6a8df209f

SHA256
073143c5d5589117612c308b01f84c5e5b024878e98b15021ca820458219a568

SHA512
ae7c8f5519425d5fcb431325b4d6d00e84bb789d3d9f19d8a4a71230e0bd13b99b692b9fb81ad38ba5b1d3e1ae6a5007b31d56358fcc3fcd07026a5586daeed3

Download Submit
memory/2196-179-0x0000000000000000-mapping.dmp

Download
memory/2256-122-0x00007FF87ACF0000-0x00007FF87BDDE000-memory.dmp

Filesize
16.9MB

Download
memory/2256-119-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-114-0x00007FF708AA0000-0x00007FF70C056000-memory.dmp

Filesize
53.7MB

Download
memory/2256-123-0x00007FF878D30000-0x00007FF87AC25000-memory.dmp

Filesize
31.0MB

Download
memory/2256-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2732-182-0x0000000000000000-mapping.dmp

Download
memory/3148-180-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads