Analysis
- max time kernel: 147s
- max time network: 158s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 16:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: B6B2406B.xlsb
- Resource: win7v20210410
General
- Target: B6B2406B.xlsb
- Size: 399KB
- MD5: 9746382b9bd6beec5889ce3256dea9ef
- SHA1: 1d12104d6309d98565193337eb546943eaeea959
- SHA256: 205f42a518914e75620077ed79b9016b48f657d305ef892c6633fa6397463680
- SHA512: cfcfa74c464fd67941f35711ec602256fe8fed0ae9b49634ef9d9794f5f92e55f765a4479dcb71241731df0d149a20b2064e6bba5b8bc3f5f8c9599ac152557c
Malware Config
Signatures
-
suricata: ET MALWARE Maldoc Retrieving Payload 2021-07-06
-
Processes:
  resource | yara_rule
  C:\Windows\Temp\sr2mq.exe | cryptone
  C:\Windows\Temp\sr2mq.exe | cryptone
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  32 | 504 | WMIC.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  852 | sr2mq.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  3932 | EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
  description | pid | process
  (each of the 21 tokens below was recorded twice for pid 504 WMIC.exe, 42 IoCs in total)
  Token: SeIncreaseQuotaPrivilege | 504 | WMIC.exe
  Token: SeSecurityPrivilege | 504 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 504 | WMIC.exe
  Token: SeLoadDriverPrivilege | 504 | WMIC.exe
  Token: SeSystemProfilePrivilege | 504 | WMIC.exe
  Token: SeSystemtimePrivilege | 504 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 504 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 504 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 504 | WMIC.exe
  Token: SeBackupPrivilege | 504 | WMIC.exe
  Token: SeRestorePrivilege | 504 | WMIC.exe
  Token: SeShutdownPrivilege | 504 | WMIC.exe
  Token: SeDebugPrivilege | 504 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 504 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 504 | WMIC.exe
  Token: SeUndockPrivilege | 504 | WMIC.exe
  Token: SeManageVolumePrivilege | 504 | WMIC.exe
  Token: 33 | 504 | WMIC.exe
  Token: 34 | 504 | WMIC.exe
  Token: 35 | 504 | WMIC.exe
  Token: 36 | 504 | WMIC.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
  pid | process
  3932 | EXCEL.EXE (recorded 12 times)
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  description | pid | process | target process
  PID 3932 wrote to memory of 2892 | 3932 | EXCEL.EXE | splwow64.exe (recorded twice)
  PID 1988 wrote to memory of 504 | 1988 | mshta.EXE | WMIC.exe (recorded twice)
  PID 504 wrote to memory of 852 | 504 | WMIC.exe | sr2mq.exe (recorded three times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\B6B2406B.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- \??\c:\windows\system32\mshta.EXE
  Command line: c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qOtherSessionChanges.xsl"" & Chr(34)),0:close")
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wbem\WMIC.exe
    Command line: "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qOtherSessionChanges.xsl"
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\sr2mq.exe
      Command line: "C:\Windows\Temp\sr2mq.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\qOtherSessionChanges.xsl
  MD5: fde8ba6b6f6f06695ba8e05b7b76f065
  SHA1: 30c61a9ad4f6bc33a2ebe5b3a5615c16b478ec1a
  SHA256: abf29b8f7c858fcdabf46347fcdb62f497910f7360452ecf6a144214949b1157
  SHA512: 10c60dfddbc31c1d70fddf189d88d3bbf689baa28b065d4a589b7ef2911ef04d5238cb581e89e478157ba8c2d6b812f09c8c1ebc62098a0d64b8181b35d4f28f
- C:\Windows\Temp\sr2mq.exe
  MD5: 9a2e1bb9ad6f1ccfeaa4c2c55637ae3b
  SHA1: d42d55cab8637f847efdc1a01bcd5bb2d4668b7d
  SHA256: b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6
  SHA512: c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6