Malware Analysis Report

2025-01-02 15:48

Sample ID 210722-gljxln4jb2
Target 0722_0237470224.xls
SHA256 76a26e4b4cd690fbf34db54af03d136428b81a9b6f0fb092fcb8c2afff092eb6
Tags
macro macro_on_action fickerstealer hancitor 2207_xwpi67 downloader infostealer spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

76a26e4b4cd690fbf34db54af03d136428b81a9b6f0fb092fcb8c2afff092eb6

Threat Level: Known bad

The file 0722_0237470224.xls was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action fickerstealer hancitor 2207_xwpi67 downloader infostealer spyware stealer

Process spawned unexpected child process

Fickerstealer

Hancitor

Office macro that triggers on suspicious action

Downloads MZ/PE file

Blocklisted process makes network request

Suspicious Office macro

Loads dropped DLL

Reads local data of messenger clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-22 15:24

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-22 15:24

Reported

2021-07-22 15:26

Platform

win7v20210410

Max time kernel

147s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0722_0237470224.xls

Signatures

Fickerstealer

infostealer fickerstealer

Hancitor

downloader hancitor

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads local data of messenger clients

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1792 set thread context of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 1792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe
PID 1792 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe
PID 1792 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe
PID 1792 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe
PID 1792 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe
PID 1792 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0722_0237470224.xls

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 23.21.173.155:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | tholeferli.com | udp
N/A | 194.147.115.74:80 | tholeferli.com | tcp
N/A | 8.8.8.8:53 | s0lom0n.ru | udp
N/A | 8.211.241.0:80 | s0lom0n.ru | tcp
N/A | 23.21.173.155:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | pospvisis.com | udp
N/A | 95.213.179.67:80 | pospvisis.com | tcp
N/A | 95.213.179.67:80 | pospvisis.com | tcp
N/A | 194.147.115.74:80 | tholeferli.com | tcp

Files

memory/1052-60-0x000000002FEE1000-0x000000002FEE4000-memory.dmp

memory/1052-61-0x00000000711A1000-0x00000000711A3000-memory.dmp

memory/1052-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1792-63-0x0000000000000000-mapping.dmp

memory/1792-64-0x0000000075721000-0x0000000075723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/1792-70-0x0000000000250000-0x0000000000316000-memory.dmp

\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/1792-71-0x0000000000250000-0x000000000025A000-memory.dmp

memory/1792-72-0x0000000000130000-0x0000000000131000-memory.dmp

memory/684-73-0x0000000000400000-0x0000000000448000-memory.dmp

memory/684-74-0x0000000000401480-mapping.dmp

memory/684-76-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1052-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-22 15:24

Reported

2021-07-22 15:26

Platform

win10v20210410

Max time kernel

147s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0722_0237470224.xls"

Signatures

Fickerstealer

infostealer fickerstealer

Hancitor

downloader hancitor

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads local data of messenger clients

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2372 set thread context of 748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{5FA5CCE2-CB3D-4E21-93A6-C7C1DC1557B6}\532.dll:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0722_0237470224.xls"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.78.40:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | tholeferli.com | udp
N/A | 194.147.115.74:80 | tholeferli.com | tcp
N/A | 8.8.8.8:53 | s0lom0n.ru | udp
N/A | 8.211.241.0:80 | s0lom0n.ru | tcp
N/A | 54.225.78.40:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | pospvisis.com | udp
N/A | 95.213.179.67:80 | pospvisis.com | tcp
N/A | 95.213.179.67:80 | pospvisis.com | tcp
N/A | 194.147.115.74:80 | tholeferli.com | tcp

Files

memory/3172-114-0x00007FF798500000-0x00007FF79BAB6000-memory.dmp

memory/3172-115-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-116-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-118-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-117-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-121-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-122-0x00007FFD56120000-0x00007FFD5720E000-memory.dmp

memory/3172-123-0x00007FFD54220000-0x00007FFD56115000-memory.dmp

memory/3960-281-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/2372-289-0x0000000000000000-mapping.dmp

memory/2372-293-0x0000000000D50000-0x0000000000E16000-memory.dmp

\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/2372-294-0x0000000000D50000-0x0000000000D5A000-memory.dmp

memory/2372-295-0x0000000000D51000-0x0000000000D69000-memory.dmp

memory/2372-296-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/748-297-0x0000000000400000-0x0000000000448000-memory.dmp

memory/748-298-0x0000000000401480-mapping.dmp

memory/748-301-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3172-334-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-335-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-336-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

memory/3172-337-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp