Analysis
- max time kernel: 159s
- max time network: 86s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 21-05-2022 02:14
Behavioral task: behavioral1
- Sample: Cybermesa_Electronic_form_Dt_05.19.2022_US.xls
- Resource: win10-20220414-en
General
- Target: Cybermesa_Electronic_form_Dt_05.19.2022_US.xls
- Size: 80KB
- MD5: 3860f9ae3ac20b34505cd0783dae29a0
- SHA1: 5173d04e3eec3e6300e099cb45e11d75e94cd566
- SHA256: 182a584e336ad66f0013091d4958702c4abc83f3d02156d535c24410c57ba484
- SHA512: 40dd7f750bf1cf3a18ab93797c36506a4ee057b8b95b617133e2f892e68fc4acdf0e81c4883e753d5c56323314d162c9bdfd48c1b224fdb0d279fd4a8d8e4061
Malware Config
Extracted URLs:
- https://nandonikwebdesign.com/OWs/
- https://gelish.com/email-hog/YXaPiWbFMKT/
- http://nutensport-wezep.nl/wp-includes/QyezZmBmTL8AulMVv0oh/
- http://omeryener.com.tr/wp-admin/oakwcoWufii0JR89G/
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: regsvr32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3956 | 3984 | regsvr32.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3688 | 3984 | regsvr32.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3924 | 3984 | regsvr32.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 924 | 3984 | regsvr32.exe | EXCEL.EXE

Deletes itself (1 IoC)
Processes: EXCEL.EXE
  pid | process
  3984 | EXCEL.EXE

Drops file in Windows directory (2 IoCs)
Processes: taskmgr.exe
  description | ioc | process
  File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

NTFS ADS (1 IoC)
Processes: EXCEL.EXE
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\A7475E00\:Zone.Identifier:$DATA | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
  pid | process
  3984 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes: taskmgr.exe
  pid | process
  4004 | taskmgr.exe (22 identical events)

Suspicious behavior: RenamesItself (1 IoC)
Processes: EXCEL.EXE
  pid | process
  3984 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: taskmgr.exe
  description | pid | process
  Token: SeDebugPrivilege | 4004 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4004 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4004 | taskmgr.exe

Suspicious use of FindShellTrayWindow (34 IoCs)
Processes: taskmgr.exe
  pid | process
  4004 | taskmgr.exe (34 identical events)

Suspicious use of SendNotifyMessage (34 IoCs)
Processes: taskmgr.exe
  pid | process
  4004 | taskmgr.exe (34 identical events)

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: EXCEL.EXE
  pid | process
  3984 | EXCEL.EXE (13 identical events)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE
  description | pid | process | target process
  PID 3984 wrote to memory of 3956 | 3984 | EXCEL.EXE | regsvr32.exe (recorded twice)
  PID 3984 wrote to memory of 3688 | 3984 | EXCEL.EXE | regsvr32.exe (recorded twice)
  PID 3984 wrote to memory of 3924 | 3984 | EXCEL.EXE | regsvr32.exe (recorded twice)
  PID 3984 wrote to memory of 924 | 3984 | EXCEL.EXE | regsvr32.exe (recorded twice)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cybermesa_Electronic_form_Dt_05.19.2022_US.xls"
  - Deletes itself
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe (child of EXCEL.EXE)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soam1.dll
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe (child of EXCEL.EXE)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soam2.dll
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe (child of EXCEL.EXE)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soam3.dll
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe (child of EXCEL.EXE)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soam4.dll
    - Process spawned unexpected child process
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads
- C:\Users\Admin\soam1.dll (Filesize 3B)
  MD5: 8a80554c91d9fca8acb82f023de02f11
  SHA1: 5f36b2ea290645ee34d943220a14b54ee5ea5be5
  SHA256: ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
  SHA512: ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a
- C:\Users\Admin\soam3.dll (Filesize 3B): identical content to soam1.dll (same MD5, SHA1, SHA256 and SHA512)
- C:\Users\Admin\soam4.dll (Filesize 3B): identical content to soam1.dll (same MD5, SHA1, SHA256 and SHA512)
- memory/924-269-0x0000000000000000-mapping.dmp
- memory/3688-266-0x0000000000000000-mapping.dmp
- memory/3924-267-0x0000000000000000-mapping.dmp
- memory/3956-264-0x0000000000000000-mapping.dmp
- memory/3984-131-0x00007FFC87320000-0x00007FFC87330000-memory.dmp (Filesize 64KB)
- memory/3984-130-0x00007FFC87320000-0x00007FFC87330000-memory.dmp (Filesize 64KB)
- memory/3984-118-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-121-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-120-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-119-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-323-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-324-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-325-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)
- memory/3984-326-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp (Filesize 64KB)