Malware Analysis Report

2025-01-02 15:49

Sample ID 210722-r5b5mwb12n
Target 20210722_181212_4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls
SHA256 4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc
Tags
macro macro_on_action fickerstealer hancitor 2207_xwpi67 downloader infostealer spyware stealer suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc

Threat Level: Known bad

The file 20210722_181212_4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls was found to be: Known bad.

Malicious Activity Summary


suricata: ET MALWARE Win32/Ficker Stealer Activity M3

suricata: ET MALWARE Win32/Ficker Stealer Activity

Hancitor

Process spawned unexpected child process

Fickerstealer

Suspicious Office macro

Office macro that triggers on suspicious action

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Reads local data of messenger clients

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-22 18:14

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-22 18:14

Reported

2021-07-22 18:16

Platform

win10v20210410

Max time kernel

90s

Max time network

121s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\20210722_181212_4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls"

Signatures

Fickerstealer

infostealer fickerstealer

Hancitor

downloader hancitor

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

suricata: ET MALWARE Win32/Ficker Stealer Activity

suricata

suricata: ET MALWARE Win32/Ficker Stealer Activity M3

suricata

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads local data of messenger clients

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 800 set thread context of 3600 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{ADC2D3E7-CF49-49D8-BC83-961301977675}\532.dll:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\20210722_181212_4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe
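The process tree above (EXCEL.EXE spawning a 64-bit rundll32.exe that re-launches itself under SysWOW64 and then hollows a svchost.exe, per the "PID 800 set thread context of 3600" row) is the part of this report that turns directly into endpoint detection logic. The following is an added example written for this page, not part of the sandbox report and not vendor tooling. It assumes a Sysmon-like process-creation schema (pid, ppid, image, cmdline). The PIDs 3904, 1244, 800 and 3600 are taken from the report's memory-dump names and SetThreadContext row; the parent links between them, the explorer.exe and services.exe rows, and the benign svchost.exe row are constructed so the rules have something to ignore.

```python
"""Process-tree rules for the Excel -> rundll32 -> rundll32 (WOW64) -> svchost chain.

Added example; not from the sandbox report. Event schema is an assumed
Sysmon-like shape. PIDs come from the report; the tree links and the
benign rows are constructed (see lead-in).
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_AND_DLL_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                        "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# A DLL argument under a Temp directory, e.g. \Temp\omsh.dll in the report's command line
TEMP_DLL = re.compile(r'\\Temp\\[^\s,"]+\.dll', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # root of the captured tree; nothing to compare against
        child, par = basename(e.image), basename(parent.image)
        # Rule 1: an Office application spawning a script/DLL host (macro -> rundll32)
        if par in OFFICE_APPS and child in SCRIPT_AND_DLL_HOSTS:
            findings.append(("office_spawns_host", e.pid, f"{par} -> {child}"))
        # Rule 2: rundll32 told to load a DLL from a user-writable Temp path.
        # Fires for both the System32 and the SysWOW64 instance, since the
        # 64-bit rundll32 re-launches the 32-bit one with the same arguments.
        if child == "rundll32.exe":
            m = TEMP_DLL.search(e.cmdline)
            if m:
                findings.append(("rundll32_temp_dll", e.pid, m.group(0)))
        # Rule 3: svchost.exe whose parent is not services.exe. Combined with the
        # report's SetThreadContext row this is the hollowed injection target.
        if child == "svchost.exe" and par != "services.exe":
            findings.append(("svchost_unexpected_parent", e.pid, f"{par} -> {child}"))
    return findings


XLS = (r"C:\Users\Admin\AppData\Local\Temp\20210722_181212_4def76cfce8a580cec033f3a4771810d"
       r"e7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls")
RUNDLL_CMD = r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB'

SAMPLE_EVENTS = [  # constructed tree; ppid 0 means the parent was not captured
    ProcEvent(1200, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3904, 1200, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              f'"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" "{XLS}"'),
    ProcEvent(1244, 3904, r"C:\Windows\System32\rundll32.exe", RUNDLL_CMD),
    ProcEvent(800, 1244, r"C:\Windows\SysWOW64\rundll32.exe", RUNDLL_CMD),
    ProcEvent(3600, 800, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(700, 0, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),  # benign control row
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<26} pid={pid:<5} {detail}")
```

Rule 3 is deliberately parent-based rather than image-based: the hollowed process here keeps the legitimate svchost.exe image and command line, so the only cheap telemetry signal is that services.exe is not its parent. Run against SAMPLE_EVENTS the rules fire on PIDs 1244 (twice), 800 and 3600 and stay silent on the services.exe-started svchost.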

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.245.108:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | tholeferli.com | udp
N/A | 194.147.115.74:80 | tholeferli.com | tcp
N/A | 8.8.8.8:53 | s0lom0n.ru | udp
N/A | 8.211.241.0:80 | s0lom0n.ru | tcp
N/A | 54.225.245.108:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | pospvisis.com | udp
N/A | 95.213.179.67:80 | pospvisis.com | tcp
N/A | 95.213.179.67:80 | pospvisis.com | tcp
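The Network table is the report's only list of infrastructure, and it mixes three things a responder treats differently: the sandbox resolver (8.8.8.8), the external-IP check the stealer makes against api.ipify.org, and the remaining plain-HTTP destinations. The following added example, written for this page and not part of the sandbox report, parses the table exactly as printed above, separates resolver rows and the IP-check service from the candidate C2 domains, and matches those domains against DNS query logs. The DNS log lines and client addresses are constructed; treating api.ipify.org as noise rather than an indicator is the editor's triage choice, and which of the three remaining domains belongs to Hancitor versus Ficker is not stated by the report and is not claimed here.

```python
"""Turn the report's Network table into indicators and match them against DNS logs.

Added example; not from the sandbox report. NETWORK_TABLE is the table as
printed in the report; DNS_LOG and the client addresses are constructed.
"""
import re
from collections import defaultdict

NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.245.108:80 api.ipify.org tcp
N/A 8.8.8.8:53 tholeferli.com udp
N/A 194.147.115.74:80 tholeferli.com tcp
N/A 8.8.8.8:53 s0lom0n.ru udp
N/A 8.211.241.0:80 s0lom0n.ru tcp
N/A 54.225.245.108:80 api.ipify.org tcp
N/A 8.8.8.8:53 pospvisis.com udp
N/A 95.213.179.67:80 pospvisis.com tcp
N/A 95.213.179.67:80 pospvisis.com tcp
"""

# Sandbox resolver: its rows only tell us which names were looked up
RESOLVERS = {"8.8.8.8"}
# Public IP-check service: blocklisting it causes noise, but rundll32.exe
# contacting it is still worth an alert (see "Looks up external IP address")
IP_CHECK_SERVICES = {"api.ipify.org"}


def parse_network_table(text):
    """Return {domain: {(ip, port), ...}} for every non-resolver row, deduplicated."""
    iocs = defaultdict(set)
    for line in text.splitlines()[1:]:  # skip the header row
        _country, dest, domain, _proto = line.split()
        ip, port = dest.rsplit(":", 1)
        if ip in RESOLVERS:
            continue
        iocs[domain.lower()].add((ip, int(port)))
    return dict(iocs)


def split_iocs(iocs):
    """Separate candidate C2 domains from known benign services."""
    c2 = {d: ips for d, ips in iocs.items() if d not in IP_CHECK_SERVICES}
    noise = {d: ips for d, ips in iocs.items() if d in IP_CHECK_SERVICES}
    return c2, noise


DNS_LOG = """\
2025-01-02T15:49:01Z client=10.0.0.12 query=tholeferli.com type=A rcode=NOERROR
2025-01-02T15:49:02Z client=10.0.0.12 query=www.microsoft.com type=A rcode=NOERROR
2025-01-02T15:49:03Z client=10.0.0.33 query=api.ipify.org type=A rcode=NOERROR
2025-01-02T15:49:04Z client=10.0.0.12 query=pospvisis.com type=A rcode=NOERROR
2025-01-02T15:49:05Z client=10.0.0.45 query=mail.pospvisis.com type=A rcode=NXDOMAIN
"""

QUERY_RE = re.compile(r"client=(\S+) query=(\S+)")


def match_dns(log, iocs):
    """Return (client, queried_name, matched_domain) for exact and subdomain hits."""
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        for domain in iocs:
            if qname == domain or qname.endswith("." + domain):
                hits.append((client, qname, domain))
    return hits


def hosts_to_triage(hits):
    """Distinct clients that resolved a candidate C2 domain, in sorted order."""
    return sorted({client for client, _qname, _domain in hits})


if __name__ == "__main__":
    c2, noise = split_iocs(parse_network_table(NETWORK_TABLE))
    print("C2 candidates:", c2)
    print("benign services seen:", noise)
    hits = match_dns(DNS_LOG, c2)
    for client, qname, domain in hits:
        print(f"{client} -> {qname} (matches {domain})")
    print("hosts to triage:", hosts_to_triage(hits))
```

The subdomain match in match_dns matters: the sandbox only saw the bare domains, but the same zone can serve other hostnames later, and an NXDOMAIN answer for a sibling name (as in the constructed mail.pospvisis.com line) is still evidence that the client attempted contact. Only the DNS rows are dropped; the 8.8.8.8 address itself is the sandbox's resolver, not attacker infrastructure.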

Files

memory/3904-114-0x00007FF694F90000-0x00007FF698546000-memory.dmp

memory/3904-115-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

memory/3904-116-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

memory/3904-117-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

memory/3904-118-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

memory/3904-121-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

memory/3904-122-0x00007FF844E60000-0x00007FF845F4E000-memory.dmp

memory/3904-123-0x00007FF842F60000-0x00007FF844E55000-memory.dmp

memory/1244-293-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/800-300-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\omsh.dll

MD5 7348620f737ec1b0997cae7548344f2c
SHA1 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

memory/800-307-0x0000000001000000-0x000000000100A000-memory.dmp

memory/800-308-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/3600-309-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3600-310-0x0000000000401480-mapping.dmp

memory/3600-313-0x0000000000400000-0x0000000000448000-memory.dmp