Analysis Overview
SHA256
4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc
Threat Level: Known bad
The file 20210722_181212_4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
suricata: ET MALWARE Win32/Ficker Stealer Activity
Hancitor
Process spawned unexpected child process
Fickerstealer
Suspicious Office macro
Office macro that triggers on suspicious action
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Reads local data of messenger clients
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-22 18:14
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-22 18:14
Reported
2021-07-22 18:16
Platform
win10v20210410
Max time kernel
90s
Max time network
121s
Command Line
Signatures
Fickerstealer
Hancitor
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
suricata: ET MALWARE Win32/Ficker Stealer Activity
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads local data of messenger clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 800 set thread context of 3600 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{ADC2D3E7-CF49-49D8-BC83-961301977675}\532.dll:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\20210722_181212_4def76cfce8a580cec033f3a4771810de7cff54191f57dd58fea550c39fda8dc_0722_0218087385.xls"
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB
C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.245.108:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | tholeferli.com | udp |
| N/A | 194.147.115.74:80 | tholeferli.com | tcp |
| N/A | 8.8.8.8:53 | s0lom0n.ru | udp |
| N/A | 8.211.241.0:80 | s0lom0n.ru | tcp |
| N/A | 54.225.245.108:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | pospvisis.com | udp |
| N/A | 95.213.179.67:80 | pospvisis.com | tcp |
| N/A | 95.213.179.67:80 | pospvisis.com | tcp |
Files
memory/3904-114-0x00007FF694F90000-0x00007FF698546000-memory.dmp
memory/3904-115-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
memory/3904-116-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
memory/3904-117-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
memory/3904-118-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
memory/3904-121-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
memory/3904-122-0x00007FF844E60000-0x00007FF845F4E000-memory.dmp
memory/3904-123-0x00007FF842F60000-0x00007FF844E55000-memory.dmp
memory/1244-293-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\omsh.dll
| MD5 | 7348620f737ec1b0997cae7548344f2c |
| SHA1 | 5550f62fdc0963c331b460f8a967c45d481e505a |
| SHA256 | 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd |
| SHA512 | 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6 |
memory/800-300-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\omsh.dll
| MD5 | 7348620f737ec1b0997cae7548344f2c |
| SHA1 | 5550f62fdc0963c331b460f8a967c45d481e505a |
| SHA256 | 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd |
| SHA512 | 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6 |
memory/800-307-0x0000000001000000-0x000000000100A000-memory.dmp
memory/800-308-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/3600-309-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3600-310-0x0000000000401480-mapping.dmp
memory/3600-313-0x0000000000400000-0x0000000000448000-memory.dmp