Analysis
-
max time kernel
148s -
max time network
194s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
06-07-2021 15:05
Static task
static1
Behavioral task
behavioral1
Sample
Reciept 9133447.xlsb
Resource
win7v20210410
General
-
Target
Reciept 9133447.xlsb
-
Size
67KB
-
MD5
c44c8e5c2b7ed4b597557bf12cc279c4
-
SHA1
bf99994ffb3cd21635e1ef7f09e773e48068d3c1
-
SHA256
e9157e32da346917b0092b432ede9945fa6d86ceccc07e0afa1e33826a3fecab
-
SHA512
694058e46ac7b324e4df54e11ceba4ed92a40878f934f9369059905acc264d48c3ec888f52e7fb20e8931d62b0a22121efdf13167da8fe82b512d90ecdc77233
Malware Config
Extracted
cobaltstrike
1359593325
http://94.198.40.11:80/visit.js
-
access_type
512
-
host
94.198.40.11,/visit.js
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
-
watermark
1359593325
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Processes:
resource yara_rule C:\Windows\Temp\ea2mx.exe cryptone -
Blocklisted process makes network request 1 IoCs
Processes:
WMIC.exeflow pid process 6 1156 WMIC.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
ea2mx.exepid process 1332 ea2mx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEmshta.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2036 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
WMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 1156 WMIC.exe Token: SeSecurityPrivilege 1156 WMIC.exe Token: SeTakeOwnershipPrivilege 1156 WMIC.exe Token: SeLoadDriverPrivilege 1156 WMIC.exe Token: SeSystemProfilePrivilege 1156 WMIC.exe Token: SeSystemtimePrivilege 1156 WMIC.exe Token: SeProfSingleProcessPrivilege 1156 WMIC.exe Token: SeIncBasePriorityPrivilege 1156 WMIC.exe Token: SeCreatePagefilePrivilege 1156 WMIC.exe Token: SeBackupPrivilege 1156 WMIC.exe Token: SeRestorePrivilege 1156 WMIC.exe Token: SeShutdownPrivilege 1156 WMIC.exe Token: SeDebugPrivilege 1156 WMIC.exe Token: SeSystemEnvironmentPrivilege 1156 WMIC.exe Token: SeRemoteShutdownPrivilege 1156 WMIC.exe Token: SeUndockPrivilege 1156 WMIC.exe Token: SeManageVolumePrivilege 1156 WMIC.exe Token: 33 1156 WMIC.exe Token: 34 1156 WMIC.exe Token: 35 1156 WMIC.exe Token: SeIncreaseQuotaPrivilege 1156 WMIC.exe Token: SeSecurityPrivilege 1156 WMIC.exe Token: SeTakeOwnershipPrivilege 1156 WMIC.exe Token: SeLoadDriverPrivilege 1156 WMIC.exe Token: SeSystemProfilePrivilege 1156 WMIC.exe Token: SeSystemtimePrivilege 1156 WMIC.exe Token: SeProfSingleProcessPrivilege 1156 WMIC.exe Token: SeIncBasePriorityPrivilege 1156 WMIC.exe Token: SeCreatePagefilePrivilege 1156 WMIC.exe Token: SeBackupPrivilege 1156 WMIC.exe Token: SeRestorePrivilege 1156 WMIC.exe Token: SeShutdownPrivilege 1156 WMIC.exe Token: SeDebugPrivilege 1156 WMIC.exe Token: SeSystemEnvironmentPrivilege 1156 WMIC.exe Token: SeRemoteShutdownPrivilege 1156 WMIC.exe Token: SeUndockPrivilege 1156 WMIC.exe Token: SeManageVolumePrivilege 1156 WMIC.exe Token: 33 1156 WMIC.exe Token: 34 1156 WMIC.exe Token: 35 1156 WMIC.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 2036 EXCEL.EXE 2036 EXCEL.EXE 2036 EXCEL.EXE 2036 EXCEL.EXE 2036 EXCEL.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
taskeng.exemshta.EXEWMIC.exedescription pid process target process PID 1964 wrote to memory of 1304 1964 taskeng.exe mshta.EXE PID 1964 wrote to memory of 1304 1964 taskeng.exe mshta.EXE PID 1964 wrote to memory of 1304 1964 taskeng.exe mshta.EXE PID 1304 wrote to memory of 1156 1304 mshta.EXE WMIC.exe PID 1304 wrote to memory of 1156 1304 mshta.EXE WMIC.exe PID 1304 wrote to memory of 1156 1304 mshta.EXE WMIC.exe PID 1156 wrote to memory of 1332 1156 WMIC.exe ea2mx.exe PID 1156 wrote to memory of 1332 1156 WMIC.exe ea2mx.exe PID 1156 wrote to memory of 1332 1156 WMIC.exe ea2mx.exe PID 1156 wrote to memory of 1332 1156 WMIC.exe ea2mx.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 9133447.xlsb"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {F537491F-4D26-452F-B995-93F1B42A9107} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.EXEC:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogOptionsCalculation.xsl"" & Chr(34)),0:close")2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogOptionsCalculation.xsl"3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\ea2mx.exe"C:\Windows\Temp\ea2mx.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\qDialogOptionsCalculation.xslMD5
620bf55623214f88f930947072f5f85e
SHA1e6d49a4bad59023d69653186a8193340d4b54adb
SHA256144d5d7cc423e850a7ae9599fffeaed84e9ee5a882330f38a295381fe5263c7b
SHA51287a8443c3477dcd3cc1a3ddfc1ce53031e1bcc82ee141946ef1da944c60207e22798efe625fef19cbd66a10f44972f3e2626166b9953f4b18608bbd3996e91e1
-
C:\Windows\Temp\ea2mx.exeMD5
9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
SHA1d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
SHA256b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
SHA512c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6
-
memory/1156-65-0x0000000000000000-mapping.dmp
-
memory/1304-63-0x0000000000000000-mapping.dmp
-
memory/1304-64-0x000007FEFC471000-0x000007FEFC473000-memory.dmpFilesize
8KB
-
memory/1332-67-0x0000000000000000-mapping.dmp
-
memory/1332-69-0x0000000076A81000-0x0000000076A83000-memory.dmpFilesize
8KB
-
memory/1332-70-0x0000000000220000-0x0000000000267000-memory.dmpFilesize
284KB
-
memory/1332-71-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/1332-72-0x0000000000360000-0x0000000000393000-memory.dmpFilesize
204KB
-
memory/1332-73-0x0000000000460000-0x000000000049D000-memory.dmpFilesize
244KB
-
memory/2036-60-0x000000002F0D1000-0x000000002F0D4000-memory.dmpFilesize
12KB
-
memory/2036-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2036-61-0x0000000071C71000-0x0000000071C73000-memory.dmpFilesize
8KB