Malware Analysis Report

2025-01-02 15:43

Sample ID 210722-8tetwrbe9j
Target 83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee
SHA256 83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee
Tags
macro macro_on_action fickerstealer hancitor 2207_xwpi67 downloader infostealer spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee

Threat Level: Known bad

The file 83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action fickerstealer hancitor 2207_xwpi67 downloader infostealer spyware stealer

Fickerstealer

Process spawned unexpected child process

Hancitor

Downloads MZ/PE file

Blocklisted process makes network request

Office macro that triggers on suspicious action

Suspicious Office macro

Loads dropped DLL

Reads local data of messenger clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-07-22 14:56

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-22 14:56

Reported

2021-07-22 14:59

Platform

win7v20210408

Max time kernel

101s

Max time network

148s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee.xls

Signatures

Fickerstealer

infostealer fickerstealer

Hancitor

downloader hancitor

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (3 events)

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (4 events)

Reads local data of messenger clients

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1268 set thread context of 348 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

All of these keys are written by EXCEL.EXE itself and point at Office's own ONBttnIE.dll and EXCEL.EXE resources (Internet Explorer context-menu integration), so they are Office first-run noise rather than attacker persistence.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (2 events)
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1824 wrote to memory of 1268 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe (7 events)
PID 1268 wrote to memory of 348 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe (6 events)

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee.xls

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.173.155:80 api.ipify.org tcp
N/A 8.8.8.8:53 tholeferli.com udp
N/A 194.147.115.74:80 tholeferli.com tcp
N/A 8.8.8.8:53 s0lom0n.ru udp
N/A 8.211.241.0:80 s0lom0n.ru tcp
N/A 23.21.173.155:80 api.ipify.org tcp
N/A 8.8.8.8:53 pospvisis.com udp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 95.213.179.67:80 pospvisis.com tcp

Files

memory/1824-59-0x000000002FA81000-0x000000002FA84000-memory.dmp

memory/1824-60-0x00000000714E1000-0x00000000714E3000-memory.dmp

memory/1824-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1268-62-0x0000000000000000-mapping.dmp

memory/1268-63-0x0000000075D51000-0x0000000075D53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/1268-69-0x0000000000720000-0x00000000007E6000-memory.dmp

memory/1268-70-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/1268-71-0x0000000000720000-0x000000000072A000-memory.dmp

memory/348-72-0x0000000000400000-0x0000000000448000-memory.dmp

memory/348-73-0x0000000000401480-mapping.dmp

memory/348-75-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1824-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-22 14:56

Reported

2021-07-22 14:59

Platform

win10v20210410

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee.xls"

Signatures

Fickerstealer

infostealer fickerstealer

Hancitor

downloader hancitor

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (4 events)

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (2 events)

Reads local data of messenger clients

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2176 set thread context of 3948 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe
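The WriteProcessMemory and SetThreadContext rows in behavioral1 and the single SetThreadContext row in behavioral2 describe one injection graph: EXCEL.EXE writes into the rundll32.exe it started, and rundll32.exe writes into a freshly spawned svchost.exe and then resets its thread context, which is the process-hollowing sequence. The script below is an added example, not part of the report; it parses the report's own row format (the rows are copied in as constructed input, process names taken from the tables) and classifies each source/target pair. The caveat it encodes: a parent writing into a child it has just created can be CreateProcess internals, so a write on its own is weak evidence, while write plus SetThreadContext on the same child is the strong signal.

```python
import re
from collections import defaultdict

# One signature row per API call, e.g. "PID 1268 set thread context of 348".
ROW = re.compile(r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)")


def correlate(rows):
    """Group rows by (source PID, target PID) and classify each pair."""
    edges = defaultdict(lambda: {"writes": 0, "context_set": False})
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        edge = edges[(int(m["src"]), int(m["dst"]))]
        if m["op"].startswith("wrote"):
            edge["writes"] += 1
        else:
            edge["context_set"] = True
    verdicts = {}
    for pair, edge in edges.items():
        if edge["context_set"] and edge["writes"]:
            verdict = "process_hollowing"       # write image + redirect thread = classic hollowing
        elif edge["context_set"]:
            verdict = "thread_context_tamper"   # context changed without a logged write; still high signal
        else:
            verdict = "write_only"              # parent writes during CreateProcess look the same; weak alone
        verdicts[pair] = (verdict, edge["writes"])
    return verdicts


def injection_chains(verdicts, names):
    """Render every root-to-leaf path of the injection graph as 'name(pid) -> name(pid) -> ...'."""
    children = defaultdict(list)
    for src, dst in verdicts:
        children[src].append(dst)
    targets = {d for ds in children.values() for d in ds}
    roots = sorted(set(children) - targets)

    def walk(pid):
        label = f"{names.get(pid, '?')}({pid})"
        if pid not in children:
            return [label]
        return [f"{label} -> {rest}" for child in sorted(children[pid]) for rest in walk(child)]

    return [path for root in roots for path in walk(root)]


# Constructed from the behavioral1 WriteProcessMemory (7 + 6 rows) and SetThreadContext (1 row) tables.
ROWS_B1 = (["PID 1824 wrote to memory of 1268"] * 7
           + ["PID 1268 wrote to memory of 348"] * 6
           + ["PID 1268 set thread context of 348"])
NAMES_B1 = {1824: "EXCEL.EXE", 1268: "rundll32.exe", 348: "svchost.exe"}
# behavioral2 logged only the SetThreadContext call.
ROWS_B2 = ["PID 2176 set thread context of 3948"]
NAMES_B2 = {2176: "rundll32.exe", 3948: "svchost.exe"}

if __name__ == "__main__":
    for rows, names in ((ROWS_B1, NAMES_B1), (ROWS_B2, NAMES_B2)):
        verdicts = correlate(rows)
        print(verdicts, injection_chains(verdicts, names))
```

On the behavioral1 rows this yields write_only for EXCEL.EXE(1824) -> rundll32.exe(1268) and process_hollowing for rundll32.exe(1268) -> svchost.exe(348); the behavioral2 row alone is classified thread_context_tamper because the sandbox recorded no write for that pair.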

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{FFD50F0E-8A56-4F45-BA14-AC5E1C641348}\532.dll:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (4 events)
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A (2 events)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (2 events)

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee.xls"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe
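Both runs show the same chain: EXCEL.EXE launches rundll32.exe with the dropped C:\Users\Admin\AppData\Local\Temp\omsh.dll and an export name, and that rundll32.exe in turn starts svchost.exe, whose legitimate parent is services.exe. Note that the recorded image is C:\Windows\SysWOW64\rundll32.exe while the command line names C:\Windows\System32\rundll32.exe: the DLL is 32-bit, so the loader runs under WoW64 and file-system redirection rewrites the path, which is why the rules below key on the recorded image path and on the DLL argument rather than on the executable named in the command line. The detection below is an added example, not part of the report or of the sandbox; the event records are constructed from the two Processes sections (the Sysmon Event ID 1-style fields, explorer.exe as Excel's parent, and PID 2704 as the 64-bit rundll32 in behavioral2 are assumptions), with a constructed benign control.

```python
import re
from dataclasses import dataclass

# Parents that should not be launching script hosts or DLL loaders.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# User-writable drop locations such as %LOCALAPPDATA%\Temp, where the report's omsh.dll lives.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
# rundll32 "<dll>,<export>"; the export name (SHIIJGLGNAB here) is not used as a signal.
RUNDLL_ARG = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # recorded image path (survives WoW64 redirection)
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (pid, rule, detail) tuples for every rule that fires, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else None
        if pname in OFFICE_APPS and name in LOADERS:
            findings.append((e.pid, "office_spawns_loader", f"{pname} -> {name}"))
        if name == "rundll32.exe":
            m = RUNDLL_ARG.search(e.cmdline)
            if m and USER_WRITABLE.search(m["dll"]):
                findings.append((e.pid, "rundll32_loads_user_dll", m["dll"]))
        # svchost.exe is started by services.exe; any other parent marks an injection target.
        if name == "svchost.exe" and pname is not None and pname != "services.exe":
            findings.append((e.pid, "svchost_unexpected_parent", f"{pname} -> svchost.exe"))
    return findings


RUNDLL_CMD = r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB'
XLS = r"C:\Users\Admin\AppData\Local\Temp\83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee.xls"

# Constructed from the behavioral1 Processes section; explorer.exe as Excel's parent is an assumption.
BEHAVIORAL1 = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1824, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde ' + XLS),
    ProcEvent(1268, 1824, r"C:\Windows\SysWOW64\rundll32.exe", RUNDLL_CMD),
    ProcEvent(348, 1268, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\svchost.exe"),
]
# Constructed from behavioral2; PID 2704 as the 64-bit rundll32 is an assumption (it only appears in a dump name).
BEHAVIORAL2 = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4012, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "' + XLS + '"'),
    ProcEvent(2704, 4012, r"C:\Windows\System32\rundll32.exe", RUNDLL_CMD),
    ProcEvent(2176, 2704, r"C:\Windows\SysWOW64\rundll32.exe", RUNDLL_CMD),
    ProcEvent(3948, 2176, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\svchost.exe"),
]
# Constructed benign control: a Control Panel applet via rundll32 and a service-hosted svchost.
BENIGN = [
    ProcEvent(600, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(800, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcEvent(900, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for label, run in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2), ("benign", BENIGN)):
        print(label, analyse(run))
```

The three rules fire independently, so the win10 run produces an extra rundll32_loads_user_dll hit for the 32-bit relaunch (PID 2176) whose parent is the 64-bit rundll32 rather than Excel; the benign control fires nothing.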

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.168.151:80 api.ipify.org tcp
N/A 8.8.8.8:53 tholeferli.com udp
N/A 194.147.115.74:80 tholeferli.com tcp
N/A 8.8.8.8:53 s0lom0n.ru udp
N/A 8.211.241.0:80 s0lom0n.ru tcp
N/A 23.21.168.151:80 api.ipify.org tcp
N/A 8.8.8.8:53 pospvisis.com udp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 194.147.115.74:80 tholeferli.com tcp
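The Network tables of behavioral1 and behavioral2 are flattened "Country Destination Domain Proto" rows in which the sandbox resolver (8.8.8.8:53), an abused public service (api.ipify.org, the external-IP lookup flagged above) and the malware's own hosts (tholeferli.com, s0lom0n.ru, pospvisis.com) sit side by side. The script below is an added example, not part of the report; it parses that row format (both tables are embedded as constructed input), separates resolver traffic from host contacts, classifies api.ipify.org as an abused legitimate service (an assumption) and compares the two runs so that only hosts seen in both count as stable IOCs. It also surfaces that api.ipify.org resolved to a different address in each run, which is the reason to block that kind of service by name only, if at all.

```python
import re
from collections import defaultdict

# Constructed input: the two Network tables copied from the behavioral1 and behavioral2 runs.
BEHAVIORAL1 = """\
Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.173.155:80 api.ipify.org tcp
N/A 8.8.8.8:53 tholeferli.com udp
N/A 194.147.115.74:80 tholeferli.com tcp
N/A 8.8.8.8:53 s0lom0n.ru udp
N/A 8.211.241.0:80 s0lom0n.ru tcp
N/A 23.21.173.155:80 api.ipify.org tcp
N/A 8.8.8.8:53 pospvisis.com udp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 95.213.179.67:80 pospvisis.com tcp
"""
BEHAVIORAL2 = """\
Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.168.151:80 api.ipify.org tcp
N/A 8.8.8.8:53 tholeferli.com udp
N/A 194.147.115.74:80 tholeferli.com tcp
N/A 8.8.8.8:53 s0lom0n.ru udp
N/A 8.211.241.0:80 s0lom0n.ru tcp
N/A 23.21.168.151:80 api.ipify.org tcp
N/A 8.8.8.8:53 pospvisis.com udp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 194.147.115.74:80 tholeferli.com tcp
"""

ROW = re.compile(r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")
# Assumption: public IP lookup services are abused for victim tagging, not used as C2.
LEGIT_SERVICES = {"api.ipify.org"}


def parse_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:   # the header line and blanks do not match
            rows.append({"ip": m["ip"], "port": int(m["port"]), "domain": m["domain"], "proto": m["proto"]})
    return rows


def summarize(rows):
    """Split resolver traffic (UDP/53) from connections to each looked-up domain."""
    resolvers = set()
    per_domain = defaultdict(lambda: {"ips": set(), "ports": set(), "hits": 0})
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolvers.add(r["ip"])   # the sandbox's DNS server, not an IOC
            continue
        d = per_domain[r["domain"]]
        d["ips"].add(r["ip"]); d["ports"].add(r["port"]); d["hits"] += 1
    domains = {
        name: {"ips": sorted(d["ips"]), "ports": sorted(d["ports"]), "hits": d["hits"],
               "class": "legit_service_abused" if name in LEGIT_SERVICES else "c2_or_payload_host"}
        for name, d in per_domain.items()
    }
    return {"resolvers": sorted(resolvers), "domains": domains}


def stable_iocs(*summaries):
    """Domains and IPs that every run contacted, excluding abused legitimate services."""
    hostile = [{n: d for n, d in s["domains"].items() if d["class"] != "legit_service_abused"} for s in summaries]
    domains = set.intersection(*(set(h) for h in hostile))
    ips = set.intersection(*({ip for d in h.values() for ip in d["ips"]} for h in hostile))
    return {"domains": sorted(domains), "ips": sorted(ips)}


def volatile_ips(*summaries):
    """Domains whose address differed between runs (round-robin or CDN): block by name, not by IP."""
    seen = defaultdict(set)
    for s in summaries:
        for name, d in s["domains"].items():
            seen[name].update(d["ips"])
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    s1, s2 = summarize(parse_table(BEHAVIORAL1)), summarize(parse_table(BEHAVIORAL2))
    print(stable_iocs(s1, s2))
    print(volatile_ips(s1, s2))
```

Across the two runs the stable set is the three malware domains with their three addresses; api.ipify.org drops out of the IOC list and shows up only in the volatile report.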

Files

memory/4012-114-0x00007FF7480F0000-0x00007FF74B6A6000-memory.dmp

memory/4012-115-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-116-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-117-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-118-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-121-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-122-0x00007FFF97700000-0x00007FFF987EE000-memory.dmp

memory/4012-123-0x0000020E0DF30000-0x0000020E0FE25000-memory.dmp

memory/2704-295-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/2176-301-0x0000000000000000-mapping.dmp

memory/2176-309-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

memory/2176-310-0x0000000002AF1000-0x0000000002B09000-memory.dmp

memory/2176-311-0x0000000000910000-0x0000000000911000-memory.dmp

memory/3948-312-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3948-313-0x0000000000401480-mapping.dmp

memory/3948-316-0x0000000000400000-0x0000000000448000-memory.dmp

memory/4012-348-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-349-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-350-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

memory/4012-351-0x00007FFF77040000-0x00007FFF77050000-memory.dmp