Reciept 0198478.xlsb

General

Target: Reciept 0198478.xlsb
Filesize: 67KB
Completed: 06-07-2021 15:41
Score: 9/10
MD5: 16b275e48c1d27c448b4ed772206315c
SHA1: 317988ea2f7fa8fa288850adce94bf2543bbd8d0
SHA256: d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208

Malware Config
Signatures 11

  • CryptOne packer

    Description

    Detects the CryptOne packer as defined in the NCC Group blog post. The matched resources are files written during the behavioural run (behavioral2/files/...), not the XLSB document itself.

    Reported IOCs

    resource                                     | yara_rule
    behavioral2/files/0x0003000000000693-182.dat | cryptone
    behavioral2/files/0x0003000000000693-183.dat | cryptone
  • Blocklisted process makes network request
    WMIC.exe

    Reported IOCs

    flow | pid  | process
    3    | 2428 | WMIC.exe
  • Downloads MZ/PE file
  • Executes dropped EXE
    tu3py.exe

    Reported IOCs

    pid  | process
    2836 | tu3py.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No process is attributed to this signature in the report.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments. Here the reads are made by EXCEL.EXE itself (PID 4448), which also reads these keys in benign sessions, so this is weak evidence on its own; the mshta/WMIC chain in the process tree is the actionable part of the report.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description       | ioc                                                                                  | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description       | ioc                                                             | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid  | process
    4448 | EXCEL.EXE
  • Suspicious use of AdjustPrivilegeToken
    WMIC.exe

    Reported IOCs

    Each token below was reported twice for PID 2428 during the run. WMIC.exe routinely enables a broad set of privileges on its own token, so this signature fires on ordinary WMIC use and is not by itself evidence of escalation by the payload. The entries 33 to 36 are privileges the sandbox reported by number rather than by name.

    description                       | pid  | process
    Token: SeIncreaseQuotaPrivilege   | 2428 | WMIC.exe
    Token: SeSecurityPrivilege        | 2428 | WMIC.exe
    Token: SeTakeOwnershipPrivilege   | 2428 | WMIC.exe
    Token: SeLoadDriverPrivilege      | 2428 | WMIC.exe
    Token: SeSystemProfilePrivilege   | 2428 | WMIC.exe
    Token: SeSystemtimePrivilege      | 2428 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 2428 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 2428 | WMIC.exe
    Token: SeCreatePagefilePrivilege  | 2428 | WMIC.exe
    Token: SeBackupPrivilege          | 2428 | WMIC.exe
    Token: SeRestorePrivilege         | 2428 | WMIC.exe
    Token: SeShutdownPrivilege        | 2428 | WMIC.exe
    Token: SeDebugPrivilege           | 2428 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 2428 | WMIC.exe
    Token: SeRemoteShutdownPrivilege  | 2428 | WMIC.exe
    Token: SeUndockPrivilege          | 2428 | WMIC.exe
    Token: SeManageVolumePrivilege    | 2428 | WMIC.exe
    Token: 33                         | 2428 | WMIC.exe
    Token: 34                         | 2428 | WMIC.exe
    Token: 35                         | 2428 | WMIC.exe
    Token: 36                         | 2428 | WMIC.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid  | process   | events
    4448 | EXCEL.EXE | 12
  • Suspicious use of WriteProcessMemory
    mshta.EXE, WMIC.exe

    Reported IOCs

    description                      | pid  | process   | target process | events
    PID 2060 wrote to memory of 2428 | 2060 | mshta.EXE | WMIC.exe       | 2
    PID 2428 wrote to memory of 2836 | 2428 | WMIC.exe  | tu3py.exe      | 3

    These writes are consistent with each parent writing into a child it has just created, and they confirm the execution chain mshta.EXE (2060) -> WMIC.exe (2428) -> tu3py.exe (2836).
Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:4448
  • \??\c:\windows\system32\mshta.EXE
    c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")
    Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"
      Blocklisted process makes network request
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\Temp\tu3py.exe
        "C:\Windows\Temp\tu3py.exe"
        Executes dropped EXE
        PID:2836
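The tree above is the actionable part of the report. mshta.EXE runs an inline VBScript that assembles the command `wmic os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"` (ExpandEnvironmentStrings on a string with no %variables% returns it unchanged, which is why the doubled backslash survives into WMIC's command line); WMIC.exe loads that stylesheet through /format and thereby runs attacker-supplied script (ATT&CK T1220, XSL Script Processing, usually called Squiblytwo); WMIC.exe then starts C:\Windows\Temp\tu3py.exe. The detection logic below is an added example, not part of the sandbox report or of the Triage tooling: it runs over constructed process-creation events modelled on this tree, using an assumed Sysmon-style event schema (pid, ppid, image, command_line), and flags each step of the chain. The path normalisation is deliberate: a rule that compares the raw /format argument against a fixed prefix would be dodged by the doubled separator or by mixed case.

```python
"""Detection logic for the mshta -> WMIC /format (XSL) -> dropped EXE chain.

Added example, not part of the sandbox report. It runs over CONSTRUCTED
process-creation events modelled on the report's process tree; the event
fields (pid, ppid, image, command_line) are an assumed Sysmon-style schema,
not the sandbox's own.
"""
import ntpath
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LOLBIN_LAUNCHERS = SCRIPT_HOSTS | {"wmic.exe"}
# WMIC's stock format files (csv.xsl, htable.xsl, ...) live under wbem. An XSL
# loaded from anywhere else is attacker-supplied script (ATT&CK T1220).
TRUSTED_XSL_DIRS = (r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem")
# Directories a payload is typically dropped into before execution.
WRITABLE_DROP_DIRS = (r"c:\windows\temp", r"c:\programdata", r"c:\users")

_FORMAT_RE = re.compile(r'/format:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def normalize_path(p):
    # Strip quotes, collapse doubled separators (C:\ProgramData\\x.xsl) and
    # lower-case, so the prefix checks below cannot be dodged with \\ or case.
    return ntpath.normpath(p.strip().strip('"')).lower()


def under_dir(path, dirs):
    return any(path.startswith(d + "\\") for d in dirs)


def xsl_path_from_wmic(cmd):
    """Return the normalized /format: argument of a WMIC command line, or None."""
    m = _FORMAT_RE.search(cmd)
    if not m:
        return None
    return normalize_path(m.group(1) if m.group(1) is not None else m.group(2))


def is_untrusted_xsl(path):
    """Bare names (csv, list, hform) resolve inside wbem and are fine; a path or
    URL pointing anywhere outside the wbem directories is untrusted."""
    if not path or ("\\" not in path and ":" not in path):
        return False
    return not under_dir(path, TRUSTED_XSL_DIRS)


def image_name(path):
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (pid, rule, detail) findings over a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = image_name(e["image"]), e["command_line"]
        parent = by_pid.get(e.get("ppid"))
        parent_name = image_name(parent["image"]) if parent else None
        # 1. mshta handed an inline vbscript:/javascript: payload instead of an .hta file
        if name == "mshta.exe" and re.search(r"\b(vbscript|javascript):", cmd, re.IGNORECASE):
            findings.append((e["pid"], "mshta_inline_script", cmd[:60]))
        # 2. WMIC told to render its output through an XSL outside the wbem directory
        if name == "wmic.exe":
            xsl = xsl_path_from_wmic(cmd)
            if is_untrusted_xsl(xsl):
                findings.append((e["pid"], "wmic_untrusted_xsl", xsl))
        # 3. a script host or WMIC starting an executable out of a writable drop directory
        if parent_name in LOLBIN_LAUNCHERS and under_dir(normalize_path(e["image"]), WRITABLE_DROP_DIRS):
            findings.append((e["pid"], "dropped_exe_from_lolbin", f"{parent_name} -> {e['image']}"))
    return findings


# Constructed events reproducing the report's process tree. The report does not
# record mshta's parent, so it is modelled here with no parent.
EVENTS = [
    {"pid": 4448, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                     r'"C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"'},
    {"pid": 2060, "ppid": None,
     "image": r"c:\windows\system32\mshta.EXE",
     "command_line": r'c:\windows\system32\mshta.EXE vbscript:Execute("set osh = '
                     r'CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & '
                     r'osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" '
                     r'& Chr(34)),0:close")'},
    {"pid": 2428, "ppid": 2060,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"'},
    {"pid": 2836, "ppid": 2428,
     "image": r"C:\Windows\Temp\tu3py.exe",
     "command_line": r'"C:\Windows\Temp\tu3py.exe"'},
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"{pid:5d}  {rule:24s}  {detail}")
```

Run against the constructed events this yields one finding per stage: 2060 for the inline vbscript: handler, 2428 for the XSL under C:\ProgramData, and 2836 for WMIC.exe launching an executable out of C:\Windows\Temp. Stock invocations such as `/format:csv` or an XSL under the wbem directory are not flagged, which keeps the WMIC rule usable on hosts where administrators still script against wmic.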
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. No technique cells survive in this export; the only TTPs recorded per signature above are Query Registry and System Information Discovery (Discovery).
Downloads

The entries below are files that appeared on disk during the run: the .xsl is the stylesheet WMIC.exe is told to load through /format, and tu3py.exe is the executable WMIC.exe then launches.

• C:\ProgramData\qDialogSeriesAxes.xsl
  MD5     ed9a97566e5179a4793dad89b79f3c8b
  SHA1    3aba6229322c12118a7999b35387045159429078
  SHA256  c6ce5cf41a799c6c427a8facae15fa9ac40eb3562132189c72e1398178c74981
  SHA512  08f827a3bea007feae33e69f43a09cfcb08f0f636d1eab3d937203bad63d94cd9f99312f162cefb1217e115d5ae3985b6202f2b773212134c540e01fe2d071f1

• C:\Windows\Temp\tu3py.exe
  MD5     9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
  SHA1    d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
  SHA256  b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
  SHA512  c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

• memory/2428-179-0x0000000000000000-mapping.dmp
• memory/2836-181-0x0000000000000000-mapping.dmp
• memory/4448-122-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
• memory/4448-121-0x00007FF9D41C0000-0x00007FF9D52AE000-memory.dmp
• memory/4448-123-0x000001B6A2740000-0x000001B6A4635000-memory.dmp
• memory/4448-118-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
• memory/4448-117-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
• memory/4448-116-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
• memory/4448-115-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
• memory/4448-114-0x00007FF67F260000-0x00007FF682816000-memory.dmp