Analysis
max time kernel: 142s
max time network: 147s
platform: windows10_x64
resource: win10v20210410
submitted: 06-07-2021 15:05
Static task: static1
Behavioral task: behavioral1
Sample: Reciept 9133447.xlsb
Resource: win7v20210410
General
Target: Reciept 9133447.xlsb
Size:   67KB
MD5:    c44c8e5c2b7ed4b597557bf12cc279c4
SHA1:   bf99994ffb3cd21635e1ef7f09e773e48068d3c1
SHA256: e9157e32da346917b0092b432ede9945fa6d86ceccc07e0afa1e33826a3fecab
SHA512: 694058e46ac7b324e4df54e11ceba4ed92a40878f934f9369059905acc264d48c3ec888f52e7fb20e8931d62b0a22121efdf13167da8fe82b512d90ecdc77233
Malware Config
Signatures

YARA rule matches
Processes:
  resource                   yara_rule
  C:\Windows\Temp\98svw.exe  cryptone
  C:\Windows\Temp\98svw.exe  cryptone
Blocklisted process makes network request  1 IoCs
Processes:
  flow  pid   process
  33    1704  WMIC.exe

Downloads MZ/PE file

Executes dropped EXE  1 IoCs
Processes:
  pid   process
  2700  98svw.exe

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry  2 TTPs  3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
Enumerates system info in registry  2 TTPs  3 IoCs
Processes:
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener  1 IoCs
Processes:
  pid   process
  4432  EXCEL.EXE
Suspicious use of AdjustPrivilegeToken  42 IoCs
Processes:
  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      1704  WMIC.exe
  Token: SeSecurityPrivilege           1704  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1704  WMIC.exe
  Token: SeLoadDriverPrivilege         1704  WMIC.exe
  Token: SeSystemProfilePrivilege      1704  WMIC.exe
  Token: SeSystemtimePrivilege         1704  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1704  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1704  WMIC.exe
  Token: SeCreatePagefilePrivilege     1704  WMIC.exe
  Token: SeBackupPrivilege             1704  WMIC.exe
  Token: SeRestorePrivilege            1704  WMIC.exe
  Token: SeShutdownPrivilege           1704  WMIC.exe
  Token: SeDebugPrivilege              1704  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1704  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1704  WMIC.exe
  Token: SeUndockPrivilege             1704  WMIC.exe
  Token: SeManageVolumePrivilege       1704  WMIC.exe
  Token: 33                            1704  WMIC.exe
  Token: 34                            1704  WMIC.exe
  Token: 35                            1704  WMIC.exe
  Token: 36                            1704  WMIC.exe
  (the 21 entries above are recorded twice, 42 IoCs in total)
Suspicious use of SetWindowsHookEx  12 IoCs
Processes:
  pid   process
  4432  EXCEL.EXE  (12 identical entries)
Suspicious use of WriteProcessMemory  5 IoCs
Processes:
  description                       pid   process    target process
  PID 1428 wrote to memory of 1704  1428  mshta.EXE  WMIC.exe
  PID 1428 wrote to memory of 1704  1428  mshta.EXE  WMIC.exe
  PID 1704 wrote to memory of 2700  1704  WMIC.exe   98svw.exe
  PID 1704 wrote to memory of 2700  1704  WMIC.exe   98svw.exe
  PID 1704 wrote to memory of 2700  1704  WMIC.exe   98svw.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 9133447.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\mshta.EXE
  c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogOptionsCalculation.xsl"" & Chr(34)),0:close")
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogOptionsCalculation.xsl"
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Temp\98svw.exe
      "C:\Windows\Temp\98svw.exe"
      - Executes dropped EXE
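The process tree above is an XSL script-processing chain: mshta.EXE is handed inline VBScript (no .hta file on disk) that starts wmic with /format: pointing at an attacker-written stylesheet in C:\ProgramData; wmic is the process that makes the network request and downloads the MZ/PE file, and wmic then starts the dropped C:\Windows\Temp\98svw.exe. The following detection example is added for this page and is not part of the sandbox report or its vendor's tooling. It applies three rules to constructed Sysmon-style process-creation events whose PIDs, images and command lines are copied from the tree above; parent links are limited to those the WriteProcessMemory IoCs support (1428 -> 1704 -> 2700), so the parents of EXCEL.EXE and mshta.EXE are left unknown, and the benign wmic event with pid 3100 is invented as a control. It deliberately ignores the 42 AdjustPrivilegeToken IoCs: that privilege list is what WMIC.exe enables on its own token at startup and appears in benign wmic runs as well. The BUILTIN_WMIC_FORMATS set is an assumption drawn from the stylesheets shipped under System32\wbem and wmic's format aliases; extend it for your environment.

```python
"""Detect the mshta -> wmic /format:<xsl> -> dropped-EXE chain in process-creation telemetry."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style (Event ID 1) events built from the report's process tree.
# ppid links are only those the report's WriteProcessMemory IoCs support; the
# last event is a benign control that does not appear in the report.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4432, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Reciept 9133447.xlsb"'},
    {"pid": 1428, "ppid": None,
     "image": r"C:\Windows\System32\mshta.EXE",
     "cmdline": r'c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogOptionsCalculation.xsl"" & Chr(34)),0:close")'},
    {"pid": 1704, "ppid": 1428,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogOptionsCalculation.xsl"'},
    {"pid": 2700, "ppid": 1704,
     "image": r"C:\Windows\Temp\98svw.exe",
     "cmdline": r'"C:\Windows\Temp\98svw.exe"'},
    {"pid": 3100, "ppid": None,  # benign control: a built-in format keyword
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption /format:list"},
]

# Assumed list of names wmic resolves to its own stylesheets under System32\wbem.
BUILTIN_WMIC_FORMATS = {
    "list", "table", "csv", "hform", "htable", "htable-sortby", "mof", "rawxml",
    "xml", "value", "textvaluelist", "texttable", "texttablewsys",
}
# Script-hosting LOLBins that should not be the parent of a fresh binary in a staging directory.
SCRIPT_LOLBINS = {"wmic.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                  "wscript.exe", "cscript.exe", "msiexec.exe"}
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmic_format_arg(cmdline: str) -> Optional[str]:
    """Return the value given to wmic's /format: switch (quoted or bare), or None."""
    m = re.search(r'/format:\s*(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_external_xsl(fmt: str) -> bool:
    """True when /format: points wmic at an arbitrary stylesheet (path or URL) rather
    than one of its built-in format names; an arbitrary stylesheet can embed script."""
    name = fmt.strip().lower()
    if name.endswith(".xsl"):
        name = name[:-4]
    if re.search(r"[\\/]|^[a-z]:|^https?:", name):  # path separator, drive letter or URL
        return True
    return name not in BUILTIN_WMIC_FORMATS


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Apply the three rules and return (pid, rule) pairs."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e.get("ppid"))
        parent_img = basename(parent["image"]) if parent else ""
        # T1218.005: mshta given an inline script protocol instead of an .hta file
        if img == "mshta.exe" and re.search(r"\b(?:vbscript|javascript|about):", cmd, re.I):
            alerts.append((e["pid"], "mshta_inline_script"))
        # T1220: wmic /format: loading a stylesheet that is not one of its own
        if img == "wmic.exe":
            fmt = wmic_format_arg(cmd)
            if fmt and is_external_xsl(fmt):
                alerts.append((e["pid"], "wmic_xsl_script_processing"))
        # Dropped payload: a binary in a staging directory started by a script LOLBin
        if parent_img in SCRIPT_LOLBINS and any(d in e["image"].lower() for d in STAGING_DIRS):
            alerts.append((e["pid"], "lolbin_runs_exe_from_staging_dir"))
    return alerts


def reconstruct_chain(events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links from pid up to the oldest known ancestor; root first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid].get("ppid")
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<34} {' -> '.join(reconstruct_chain(SAMPLE_EVENTS, pid))}")
```

Run stand-alone, the block prints one line per alert with its reconstructed chain (mshta.exe -> wmic.exe -> 98svw.exe for pid 2700) and nothing for the control event. The same three rules translate directly to Sysmon Event ID 1 or Windows 4688 fields (Image, ParentImage, CommandLine); the wmic rule is the important one, since `/format:` with anything other than a built-in name is the whole of the technique and is rare in legitimate administration.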
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\qDialogOptionsCalculation.xsl
  MD5:    620bf55623214f88f930947072f5f85e
  SHA1:   e6d49a4bad59023d69653186a8193340d4b54adb
  SHA256: 144d5d7cc423e850a7ae9599fffeaed84e9ee5a882330f38a295381fe5263c7b
  SHA512: 87a8443c3477dcd3cc1a3ddfc1ce53031e1bcc82ee141946ef1da944c60207e22798efe625fef19cbd66a10f44972f3e2626166b9953f4b18608bbd3996e91e1

C:\Windows\Temp\98svw.exe  (listed twice in the report with identical hashes)
  MD5:    9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
  SHA1:   d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
  SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
  SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6
Memory dumps
  memory/1704-179-0x0000000000000000-mapping.dmp
  memory/2700-181-0x0000000000000000-mapping.dmp
  memory/4432-118-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp  (64KB)
  memory/4432-121-0x00007FF9D4FA0000-0x00007FF9D608E000-memory.dmp  (16.9MB)
  memory/4432-123-0x00007FF9D30A0000-0x00007FF9D4F95000-memory.dmp  (31.0MB)
  memory/4432-122-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp  (64KB)
  memory/4432-117-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp  (64KB)
  memory/4432-114-0x00007FF6FCF40000-0x00007FF7004F6000-memory.dmp  (53.7MB)
  memory/4432-116-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp  (64KB)
  memory/4432-115-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp  (64KB)