Analysis

Max time kernel: 136s
Max time network: 149s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 06-07-2021 15:38

Static task: static1
Behavioral task: behavioral1
Sample: Reciept 0198478.xlsb
Resource: win7v20210410
General

Target: Reciept 0198478.xlsb
Size: 67KB
MD5: 16b275e48c1d27c448b4ed772206315c
SHA1: 317988ea2f7fa8fa288850adce94bf2543bbd8d0
SHA256: d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208
SHA512: 518b238dee5d8f69ab2f09a92f7daf12613358b21bbc38247e6e9faa45470eb450815d7a094dddc0dfc8db7b4698da27e76480258c9b7feb61f0c73e1cf04c50
Malware Config
Signatures
YARA rule cryptone matched 2 IoCs
Processes:
  C:\Windows\Temp\tu3py.exe  yara_rule: cryptone
  C:\Windows\Temp\tu3py.exe  yara_rule: cryptone  (the same dropped file, recorded twice)
Blocklisted process makes network request 1 IoCs
Processes:
  flow 32  pid 2428  WMIC.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes:
  pid 2836  tu3py.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is the sandbox's generic description for the signature; nothing else in this report (no mass file writes, renames or shadow-copy deletion) records encryption activity, so treat the ransomware label as unconfirmed.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here every read comes from EXCEL.EXE itself, which Office commonly does at startup, so on its own this is weak evidence of evasion; the evasion-relevant activity in this report is the mshta/WMIC chain under Processes.
Processes:
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  EXCEL.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  EXCEL.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 4448  EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
  pid 2428  WMIC.exe enabled the following privileges, the full set twice in succession (21 per pass):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    and privilege LUIDs 33, 34, 35, 36 (left unresolved by the sandbox; on Windows 10 these are
    SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and
    SeDelegateSessionUserImpersonatePrivilege).
  The sandbox flags this because the set includes SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege. It is the whole set available to the administrative token rather than a targeted request, and the same pattern is seen for benign WMIC invocations, so the signal here is who launched WMIC and with what stylesheet, not the privilege list.
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
  pid 4448  EXCEL.EXE  (12 hook installations)
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
  PID 2060 mshta.EXE  wrote to memory of  PID 2428 WMIC.exe   (2 writes)
  PID 2428 WMIC.exe   wrote to memory of  PID 2836 tu3py.exe  (3 writes)
  These are the writes a parent performs into a child it has just created; they establish the parent-child links mshta.EXE -> WMIC.exe -> tu3py.exe.
Processes

Depth 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (pid 4448)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

Depth 1: \??\c:\windows\system32\mshta.EXE  (pid 2060)
  Command line: c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\System32\wbem\WMIC.exe  (pid 2428)
    Command line: "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\Temp\tu3py.exe  (pid 2836)
      Command line: "C:\Windows\Temp\tu3py.exe"
      - Executes dropped EXE

Reading the tree: mshta.EXE is recorded as its own root rather than as a child of EXCEL.EXE, so the report does not show how the workbook launched it. The inline VBScript passed to mshta assembles the string wmic os get /format:"C:\ProgramData\qDialogSeriesAxes.xsl" with WScript.Shell and runs it with window style 0 (hidden); the ExpandEnvironmentStrings call on a path with no variables and the doubled backslash are no-ops for the resulting path and only serve to break simple string matching. WMIC then loads the dropped stylesheet, and a stylesheet passed to /format: may contain script that WMIC executes (XSL script processing, MITRE ATT&CK T1220). The "Blocklisted process makes network request" and "Downloads MZ/PE file" signatures, together with WMIC being the parent of C:\Windows\Temp\tu3py.exe, are consistent with that script fetching and running the payload; the stylesheet's content is not shown in this report, so what it does beyond that is not established here.
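Detection logic for the chain above, written as an added example for this report rather than anything produced by the sandbox. The events are constructed from the command lines recorded on this page; the parent PIDs are taken from the WriteProcessMemory signature, and 0 stands for "parent not recorded" (mshta.EXE is its own root here). The drop directories and the wbem path are assumptions to tune per environment.

```python
"""Flag the mshta -> WMIC /format:<stylesheet> -> dropped-EXE chain in process-creation events."""
import re
from dataclasses import dataclass

# Constructed events mirroring this report's process tree (not sandbox output).
EVENTS = [
    {"pid": 4448, "ppid": 0,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"'},
    {"pid": 2060, "ppid": 0,   # parent not recorded by the sandbox
     "image": r"c:\windows\system32\mshta.EXE",
     "cmdline": r'c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):'
                r'osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"")'
                r' & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")'},
    {"pid": 2428, "ppid": 2060,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"'},
    {"pid": 2836, "ppid": 2428,
     "image": r"C:\Windows\Temp\tu3py.exe",
     "cmdline": r'"C:\Windows\Temp\tu3py.exe"'},
]

WBEM_DIR = r"c:\windows\system32\wbem"   # where WMIC's own .xsl formats live (assumed default install)
DROP_DIRS = (r"c:\windows\temp", r"c:\programdata", r"\appdata\local\temp")  # assumption; tune per estate

MSHTA_INLINE = re.compile(r"\bmshta(?:\.exe)?\b.*?\b(?:vbscript|javascript):", re.I)
WMIC_FORMAT = re.compile(r"\bwmic(?:\.exe)?\b.*?/format:", re.I)
FORMAT_TARGET = re.compile(r'/format:\s*"?([^"\s&]+)', re.I)   # literal stylesheet argument, if any

RULE_MSHTA = "mshta inline script protocol (T1218.005)"
RULE_WMIC_DYNAMIC = "wmic /format: with stylesheet path built at runtime"
RULE_WMIC_XSL = "wmic XSL script processing, non-default stylesheet (T1220)"
RULE_DROP_EXE = "executable launched from a drop directory"
RULE_CHAIN = "LOLBin drop-and-execute chain"


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def format_target_is_suspicious(target: str) -> bool:
    """True for a remote stylesheet, or a path/.xsl outside WMIC's own wbem directory."""
    t = target.lower()
    if "://" in t:
        return True
    if "\\" in t or "/" in t or t.endswith(".xsl"):
        return not t.startswith(WBEM_DIR)
    return False   # bare built-in format name such as list, csv or htable


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image names from the outermost recorded ancestor down to pid (cycle-safe)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]


def analyse_event(ev):
    pid, cmd = ev["pid"], ev["cmdline"]
    out = []
    if MSHTA_INLINE.search(cmd):
        out.append(Finding(pid, RULE_MSHTA, cmd[:60] + "..."))
    if WMIC_FORMAT.search(cmd):
        m = FORMAT_TARGET.search(cmd)
        if m is None:   # "/format:"" & Chr(34) ..." - the argument is assembled by script
            out.append(Finding(pid, RULE_WMIC_DYNAMIC, "no literal /format: argument"))
        elif format_target_is_suspicious(m.group(1)):
            out.append(Finding(pid, RULE_WMIC_XSL, m.group(1)))
    image = ev["image"].lower()
    if image.endswith(".exe") and any(d in image for d in DROP_DIRS):
        out.append(Finding(pid, RULE_DROP_EXE, ev["image"]))
    return out


def analyse(events):
    by_pid = {e["pid"]: e for e in events}
    findings = [f for ev in events for f in analyse_event(ev)]
    # Escalate a dropped EXE whose recorded ancestry passes through mshta or wmic.
    for f in list(findings):
        if f.rule == RULE_DROP_EXE:
            chain = ancestry(f.pid, by_pid)
            if any(n in ("mshta.exe", "wmic.exe") for n in chain[:-1]):
                findings.append(Finding(f.pid, RULE_CHAIN, " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f.pid:<5} {f.rule}: {f.detail}")
```

Run against these events it raises five findings: the mshta inline-script launch, the runtime-built /format: argument inside that script, WMIC loading a stylesheet from C:\ProgramData, tu3py.exe starting from C:\Windows\Temp, and the mshta.exe -> wmic.exe -> tu3py.exe chain. Matching on a literal /format: argument alone would miss the first mshta event, which is why the rule also fires when wmic appears with /format: but no parseable stylesheet.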
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\qDialogSeriesAxes.xsl
  MD5: ed9a97566e5179a4793dad89b79f3c8b
  SHA1: 3aba6229322c12118a7999b35387045159429078
  SHA256: c6ce5cf41a799c6c427a8facae15fa9ac40eb3562132189c72e1398178c74981
  SHA512: 08f827a3bea007feae33e69f43a09cfcb08f0f636d1eab3d937203bad63d94cd9f99312f162cefb1217e115d5ae3985b6202f2b773212134c540e01fe2d071f1

C:\Windows\Temp\tu3py.exe  (listed twice by the sandbox with identical hashes)
  MD5: 9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
  SHA1: d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
  SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
  SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

Memory dumps

memory/2428-179-0x0000000000000000-mapping.dmp
memory/2836-181-0x0000000000000000-mapping.dmp
memory/4448-114-0x00007FF67F260000-0x00007FF682816000-memory.dmp  Filesize 53.7MB
memory/4448-115-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp  Filesize 64KB
memory/4448-116-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp  Filesize 64KB
memory/4448-117-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp  Filesize 64KB
memory/4448-118-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp  Filesize 64KB
memory/4448-121-0x00007FF9D41C0000-0x00007FF9D52AE000-memory.dmp  Filesize 16.9MB
memory/4448-122-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp  Filesize 64KB
memory/4448-123-0x000001B6A2740000-0x000001B6A4635000-memory.dmp  Filesize 31.0MB