Analysis
-
max time kernel
102s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
25-08-2021 14:58
Behavioral task
behavioral1
Sample
Invoice_Due-IN-244701726_20210823.xlsb
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Invoice_Due-IN-244701726_20210823.xlsb
Resource
win10v20210408
General
-
Target
Invoice_Due-IN-244701726_20210823.xlsb
-
Size
173KB
-
MD5
7616efd9d10fd2c8d2b9f313410dc8e1
-
SHA1
9211184df686b4f870d1e615c98a1e0629273b3f
-
SHA256
068eb2b690144b1a9aef6a1f93c41d1b7c7f804d172124199e20952fe0b6d5be
-
SHA512
98978d380d766b5291619f2bfe0523348371bce619b1599fd0a31b7fb790c44bdb5bbdac695f296ad4b7f5ea37a52ff6f9a5cfacd5726140611cac1edca0efa5
Malware Config
Extracted
-
family
cobaltstrike
-
botnet (watermark)
1359593325
-
c2
http://37.120.206.118:80/push
-
access_type
512
-
host
37.120.206.118,/push
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET4.0C; .NET4.0E)
-
watermark
1359593325
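The http_header1, http_header2 and unknown2 values above are Cobalt Strike Malleable C2 transform programs serialised as big-endian dwords (an opcode, followed by a length-prefixed string where the step takes one), and state_machine is the beacon's public key as a DER SubjectPublicKeyInfo. The Python below is an added example, not part of this report nor of any Triage or Cobalt Strike code: it walks the transform blobs and parses the key. The opcode table is the one used by the public open-source beacon-config parsers and is an assumption about Cobalt Strike internals; the embedded blob values are the leading bytes of the values above (the remainder of each is zero padding) and the full key; the function names are mine. Decoded, the profile is the stock one: metadata base64-encoded into a Cookie header on GET /push, the session id in an `id` parameter and raw output on POST /submit.php with Content-Type application/octet-stream, a 60 s sleep (polling_time is in milliseconds), a 32- or 64-bit rundll32.exe spawnto, and an Internet Explorer 8 on Windows NT 5.1 user agent that does not match the Windows 7 and 10 hosts it would run on. The key is RSA-1024 with e=65537; it is generated per team server, so it is a better pivot across samples than the C2 address.

```python
import base64
import struct

# Leading bytes of the three transform blobs from the config above; the rest of
# each value is zero padding, which the walker never reaches (it stops at opcode 0).
HTTP_HEADER1 = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAA"
HTTP_HEADER2 = ("AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAA"
                "AAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAA")
UNKNOWN2 = "AAAABAAAAAAAAAAA"
# state_machine up to the end of its DER structure (the rest is zero padding too).
STATE_MACHINE = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXF"
                 "EiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBv"
                 "a8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQAB")

# Transform opcodes as documented by the public beacon-config parsers (an assumption
# about Cobalt Strike internals, not something the report states).
OPCODES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
           6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
           10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
           14: "strrep", 15: "mask", 16: "const_host_header"}
WITH_STRING = {1, 2, 5, 6, 9, 10, 16}      # opcode, dword length, bytes
NO_ARG = {3, 4, 8, 11, 12, 13, 15}         # opcode only
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def decode_transform(b64, post=False):
    """Walk one transform blob and return its steps as Malleable C2-style strings.
    'build' names the block being assembled: metadata for the GET client block,
    id (0) or output (1) for the POST client block."""
    data = base64.b64decode(b64)
    steps, pos = [], 0
    while pos + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if op == 0:                      # terminator
            break
        if op == 7:
            (which,) = struct.unpack_from(">I", data, pos)
            pos += 4
            target = ("id" if which == 0 else "output") if post else "metadata"
            steps.append(f"build {target}")
        elif op in WITH_STRING:
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            steps.append(f'{OPCODES[op]} "{data[pos:pos + n].decode("latin-1")}"')
            pos += n
        elif op in NO_ARG:
            steps.append(OPCODES[op])
        else:                            # 14 (strrep) takes two strings; not seen here
            raise ValueError(f"unhandled transform opcode {op} at offset {pos - 4}")
    return steps


def _tlv(buf, pos):
    """Read one DER tag/length/value (short and one-byte long-form lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key(b64):
    """Parse the SubjectPublicKeyInfo in state_machine; return (modulus bits, exponent)."""
    raw = base64.b64decode(b64)
    tag, spki, _ = _tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not rsaEncryption")
    _, bits, _ = _tlv(spki, pos)         # BIT STRING; first byte = unused-bit count
    _, rsa, _ = _tlv(bits[1:], 0)        # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, pos = _tlv(rsa, 0)
    _, e, _ = _tlv(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


if __name__ == "__main__":
    print("http-get  client:", decode_transform(HTTP_HEADER1))
    print("http-post client:", decode_transform(HTTP_HEADER2, post=True))
    print("unknown2        :", decode_transform(UNKNOWN2))
    print("beacon key      : RSA-%d, e=%d" % rsa_public_key(STATE_MACHINE))
```

Run stand-alone it prints the GET client steps (build metadata, base64, header "Cookie"), the POST client steps (const_header Content-Type, build id, parameter "id", build output, print), a single print step for unknown2, and RSA-1024 / 65537 for the key. For hunting, the useful derived indicators are the request shape rather than the IP: a GET to /push carrying a base64 Cookie, and a POST to /submit.php?id=... with Content-Type application/octet-stream.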
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                       pid   pid_target  process    target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process   1388  1816        wmic.exe   EXCEL.EXE
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process                        968   1632        mshta.exe  (wmiprvse.exe, not in the process list)
  Note: the second row is why the process tree below has three roots. "wmic process call create" asks the WMI service to start mshta.exe, so the child's recorded parent is WmiPrvSE.exe rather than wmic.exe or Excel, and a rule that only inspects Office's direct children stops seeing the chain after wmic.exe.
Blocklisted process makes network request 2 IoCs
Processes:
  flow  pid  process
  7     968  mshta.exe
  9     968  mshta.exe
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1388  SPInf.exe
  Note: PID 1388 is reused; it belonged to the first wmic.exe earlier in the run. Filter memory dumps and IoCs for 1388 by sequence number, not by PID alone.
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
  Note: Office reads this key on every start; by itself it is not an indicator.
Modifies Internet Explorer settings 11 IoCs
Processes:
  All keys below are relative to \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer.
  description      ioc                                                                                                process
  Set value (str)  Toolbar\ShowDiscussionButton = "Yes"                                                               EXCEL.EXE
  Key created      MenuExt                                                                                            EXCEL.EXE
  Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"        EXCEL.EXE
  Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"                                                  EXCEL.EXE
  Key created      Main                                                                                               mshta.exe
  Key created      Toolbar                                                                                            EXCEL.EXE
  Key created      MenuExt\Se&nd to OneNote                                                                           EXCEL.EXE
  Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"               EXCEL.EXE
  Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"                                                           EXCEL.EXE
  Key created      MenuExt\E&xport to Microsoft Excel                                                                 EXCEL.EXE
  Key created      Main                                                                                               mshta.exe
  Note: the Excel entries are Office registering its own IE context-menu items on first run, and the mshta.exe entries are the HTML engine initialising. The signature corroborates which processes ran but carries no attacker-controlled content.
Modifies system certificate store 2 IoCs
Processes:
  description       ioc                                                                                                                          process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436        mshta.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate data omitted)  mshta.exe
  Note: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the DigiCert Global Root CA. Windows' automatic root update writes a root into AuthRoot the first time a TLS connection chains to it, so this is a side effect of the HTTPS request mshta.exe made, not a certificate the script installed.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1816  EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid   process   privileges enabled via Token
  1388  wmic.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the whole set, enabled twice: 40 entries)
  1584  wmic.exe  the same set, enabled twice; the report's 64-entry cap truncates the second pass after SeLoadDriverPrivilege (24 entries shown)
  Note: wmic.exe enables every privilege its token already holds at start-up, so the list itself is normal WMIC behaviour. The signal is that wmic.exe was launched by Excel and by mshta.exe at all, not which privileges it adjusted.
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
  pid   process    count
  1816  EXCEL.EXE  11
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description                               pid   process    target process
  PID 1816 wrote to memory of 1388 (4 times)  1816  EXCEL.EXE  wmic.exe
  PID 968 wrote to memory of 324 (3 times)    968   mshta.exe  mshta.exe
  PID 324 wrote to memory of 1584 (3 times)   324   mshta.exe  wmic.exe
  Note: each entry is a parent writing into a child it has just created (the writes CreateProcess makes to set up the new process's parameters), so these corroborate the spawn chain rather than show injection into an unrelated process.
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1816, depth 1)
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_Due-IN-244701726_20210823.xlsb
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1388, depth 2)
    wmic process call create 'mshta C:\ProgramData\Amzwu.sct'
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\mshta.exe (PID 968, depth 1; recorded parent WmiPrvSE.exe PID 1632, started on behalf of the wmic call above)
  mshta C:\ProgramData\Amzwu.sct
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\mshta.exe (PID 324, depth 2)
    mshta C:\\ProgramData\SPInf.sct
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\Wbem\wmic.exe (PID 1584, depth 3)
      wmic process call create "C:\\ProgramData\SPInf.exe"
      - Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\SPInf.exe (PID 1388, depth 1; started via the wmic call above, so it also appears as a new root)
  C:\\ProgramData\SPInf.exe
  - Executes dropped EXE
-
Reading the tree: the `/dde` switch on the Excel command line is the normal shell-open verb for Office documents and is not an indicator on its own. Every hand-off to a new stage goes through "wmic process call create", which makes WmiPrvSE.exe the recorded parent of mshta.exe and of SPInf.exe and breaks the Excel ancestry twice; the .sct scriptlets staged in C:\ProgramData and executed by mshta.exe are the actual payload carriers. Note also the bitness change: 32-bit Excel runs the SysWOW64 wmic.exe, while the WMI-spawned mshta.exe and the second wmic.exe are the native 64-bit copies in system32.
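The three roots in the tree above are the detection problem worth solving: both hand-offs go through WMI, so the recorded parent of mshta.exe and of SPInf.exe is WmiPrvSE.exe, and a rule that only looks at Office's direct children sees nothing after wmic.exe. The Python below is an added example, not Triage's detection logic. It runs a few such rules over constructed Sysmon-style process-creation events that mirror this report, and it re-attaches each WMI-spawned process to the wmic "process call create" that requested it by matching the requested command line against the child's. Assumptions, also marked in the code: explorer.exe (PID 700) as Excel's parent, and WmiPrvSE.exe PID 1632 as the recorded parent of SPInf.exe (the report shows SPInf.exe only as a new root after the wmic call); the rule names and field layout are mine.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    eid: int            # unique event number; PIDs get reused (1388 appears twice in the report)
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


# Constructed Sysmon-style process-creation events mirroring the tree above. Assumed, not
# from the report: explorer.exe (PID 700) as Excel's parent, and WmiPrvSE.exe PID 1632 as
# the recorded parent of SPInf.exe (the report only shows it as a new root after the wmic call).
EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
EVENTS = [
    ProcEvent(1, 1816, 700, EXCEL, r"C:\Windows\explorer.exe",
              f'"{EXCEL}" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice_Due-IN-244701726_20210823.xlsb'),
    ProcEvent(2, 1388, 1816, r"C:\Windows\SysWOW64\Wbem\wmic.exe", EXCEL,
              r"wmic process call create 'mshta C:\ProgramData\Amzwu.sct'"),
    ProcEvent(3, 968, 1632, r"C:\Windows\system32\mshta.exe", WMIPRVSE, r"mshta C:\ProgramData\Amzwu.sct"),
    ProcEvent(4, 324, 968, r"C:\Windows\system32\mshta.exe", r"C:\Windows\system32\mshta.exe",
              r"mshta C:\\ProgramData\SPInf.sct"),
    ProcEvent(5, 1584, 324, r"C:\Windows\System32\Wbem\wmic.exe", r"C:\Windows\system32\mshta.exe",
              r'wmic process call create "C:\\ProgramData\SPInf.exe"'),
    ProcEvent(6, 1388, 1632, r"C:\ProgramData\SPInf.exe", WMIPRVSE, r"C:\\ProgramData\SPInf.exe"),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wmic.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
CREATE_RE = re.compile(r"process\s+call\s+create\s+(.+)$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def norm(cmd):
    # Case-fold and collapse runs of backslashes: the report shows both C:\ProgramData and C:\\ProgramData.
    return re.sub(r"\\+", lambda _: "\\", cmd.strip()).lower()


def wmi_create_target(cmdline):
    """Normalised command line that a 'wmic process call create' asks WMI to start, or None."""
    m = CREATE_RE.search(cmdline)
    if not m:
        return None
    arg = m.group(1).strip()
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "'\"":
        arg = arg[1:-1]                  # wmic accepts the target in single or double quotes
    return norm(arg)


def logical_parents(events):
    """eid -> eid of the logical parent. A child recorded under WmiPrvSE.exe is re-attached to the
    latest earlier wmic 'process call create' whose target equals the child's command line."""
    latest_by_pid, pending, parents = {}, [], {}
    for ev in events:
        if basename(ev.parent_image) == "wmiprvse.exe":
            target = norm(ev.cmdline)
            parents[ev.eid] = next((eid for eid, t in reversed(pending) if t == target), None)
        else:
            p = latest_by_pid.get(ev.ppid)
            parents[ev.eid] = p.eid if p else None
        if basename(ev.image) == "wmic.exe":
            t = wmi_create_target(ev.cmdline)
            if t:
                pending.append((ev.eid, t))
        latest_by_pid[ev.pid] = ev       # later events with a reused PID shadow earlier ones
    return parents


def ancestry(events, eid):
    """Image names from a process up to its logical root, e.g. 'spinf.exe <- wmic.exe <- ...'."""
    by_eid, parents, chain = {e.eid: e for e in events}, logical_parents(events), []
    while eid is not None:
        chain.append(basename(by_eid[eid].image))
        eid = parents[eid]
    return " <- ".join(chain)


def detect(events):
    """(eid, rule) hits. The last rule needs the stitched tree: it fires when the recorded parent
    is WmiPrvSE.exe but the logical root is an Office process."""
    parents, by_eid, hits = logical_parents(events), {e.eid: e for e in events}, []
    for ev in events:
        img, par = basename(ev.image), basename(ev.parent_image)
        if par in OFFICE and img in SCRIPT_HOSTS:
            hits.append((ev.eid, "office_spawns_script_host"))
        if par == "wmiprvse.exe" and (img in SCRIPT_HOSTS or "\\programdata\\" in ev.image.lower()):
            hits.append((ev.eid, "wmiprvse_spawns_suspicious_child"))
        if img == "mshta.exe" and re.search(r"\.(sct|hta)(\s|$)", ev.cmdline, re.IGNORECASE):
            hits.append((ev.eid, "mshta_runs_script_file"))
        root = ev.eid
        while parents[root] is not None:
            root = parents[root]
        if par == "wmiprvse.exe" and basename(by_eid[root].image) in OFFICE:
            hits.append((ev.eid, "office_rooted_via_wmi"))
    return hits


if __name__ == "__main__":
    for eid, rule in detect(EVENTS):
        print(eid, rule)
    print(ancestry(EVENTS, 6))
```

The stitching is deliberately conservative: it only re-parents a WmiPrvSE.exe child when an earlier wmic call asked for exactly that command line, so a genuine WMI-started process with no matching request keeps WmiPrvSE.exe as its parent and is caught, if at all, by the "suspicious child" rule rather than by the Office-rooted one. On real telemetry the same idea works with Win32_Process.Create calls from other clients (PowerShell's Invoke-WmiMethod, wbemtest, remote WMI), which only the WMI-Activity operational log, not the process-creation log, will show.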
Downloads
-
C:\ProgramData\Amzwu.sct
MD5     b654b5c15cdc20afaa5c424b704bcfaf
SHA1    4ba1fb25be4fcfd2ab8448da449b28dff17d813a
SHA256  cb1a5d21d5577a633f2687ecec0e7cf841747f720fe0d1c3c2311a0de039382d
SHA512  d15f98d026a26d24a019bf2958a346feb77705ee2c6f80d3b971899a135436437850a48e3daff7903c117ec14350a3ce20e631d4ff7ad457b2e7e326f33d7d92
-
C:\ProgramData\SPInf.exe
MD5     f22083e11a7c34c3ddd3726f65fb3939
SHA1    1d529d5f0e330f5fc485699f3bc67c918619da67
SHA256  316f938abb63266eb410087f7f4b20e987cb9a8be1e385e95c420d96c9ac6f76
SHA512  c27c2f82f574d0db400ca26ce7663d77c8d21a14a52ea7a35e37842d36e9f176fcf17357106a5050cb2d11de930ddddc8e6f2c09d9b3f63932e0b5ca3359102a
-
C:\ProgramData\SPInf.sct
MD5     d6f3ca63c2312ba35dd40622d484841e
SHA1    63c60d6b04c85c48b3a0099611de8573baf541ec
SHA256  7a983eb19550a1e88eb2342f8c44bc63f08f3e0f8c2b6cd05f050704ba0a5879
SHA512  f9cd044cbcc705963470c8ed22793593b7b18afd388418e2a925dd14cd6f0070449e46cb35141e74287256a09b16fcc3c988eaac8dd05002ae593f1252a08f7d
-
memory/324-65-0x0000000000000000-mapping.dmp
-
memory/1388-63-0x0000000000000000-mapping.dmp
-
memory/1388-69-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize 368KB
-
memory/1388-70-0x0000000000290000-0x0000000000297000-memory.dmp  Filesize 28KB
-
memory/1388-71-0x00000000002F0000-0x0000000000323000-memory.dmp  Filesize 204KB
-
memory/1388-72-0x00000000752B1000-0x00000000752B3000-memory.dmp  Filesize 8KB
-
memory/1388-73-0x0000000000880000-0x00000000008BD000-memory.dmp  Filesize 244KB
-
memory/1584-67-0x0000000000000000-mapping.dmp
-
memory/1816-60-0x000000002FAB1000-0x000000002FAB4000-memory.dmpFilesize  Filesize 12KB
-
memory/1816-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
-
memory/1816-61-0x0000000070E41000-0x0000000070E43000-memory.dmp  Filesize 8KB
-
memory/1816-74-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
-
Note: the dump names are pid-sequence-range. PID 1388 was used first by wmic.exe and later by SPInf.exe; dump 63 (a mapping dump taken at process creation) precedes the dumps for PIDs 324 and 1584, while dumps 69 to 73 follow them, so the sequence numbers place the 0x400000 image region and the other 1388 regions in SPInf.exe, the process that actually contains the beacon, rather than in wmic.exe.