Overview

overview

10

Static

static

8

Cybermesa_...US.xls

windows10_x64

10

Analysis

  • max time kernel
    159s
  • max time network
    86s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    21-05-2022 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cybermesa_Electronic_form_Dt_05.19.2022_US.xls

  • Size

    80KB

  • MD5

    3860f9ae3ac20b34505cd0783dae29a0

  • SHA1

    5173d04e3eec3e6300e099cb45e11d75e94cd566

  • SHA256

    182a584e336ad66f0013091d4958702c4abc83f3d02156d535c24410c57ba484

  • SHA512

    40dd7f750bf1cf3a18ab93797c36506a4ee057b8b95b617133e2f892e68fc4acdf0e81c4883e753d5c56323314d162c9bdfd48c1b224fdb0d279fd4a8d8e4061

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://nandonikwebdesign.com/OWs/
xlm40.dropper

https://gelish.com/email-hog/YXaPiWbFMKT/
xlm40.dropper

http://nutensport-wezep.nl/wp-includes/QyezZmBmTL8AulMVv0oh/
xlm40.dropper

http://omeryener.com.tr/wp-admin/oakwcoWufii0JR89G/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cybermesa_Electronic_form_Dt_05.19.2022_US.xls"
    1⤵
    • Deletes itself
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soam1.dll
      2⤵
      • Process spawned unexpected child process
      PID:3956
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soam2.dll
      2⤵
      • Process spawned unexpected child process
      PID:3688
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soam3.dll
      2⤵
      • Process spawned unexpected child process
      PID:3924
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soam4.dll
      2⤵
      • Process spawned unexpected child process
      PID:924
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1660
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4004

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\soam1.dll
      Filesize

      3B

      MD5

      8a80554c91d9fca8acb82f023de02f11

      SHA1

      5f36b2ea290645ee34d943220a14b54ee5ea5be5

      SHA256

      ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

      SHA512

      ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

      Download Submit
    • C:\Users\Admin\soam3.dll
      Filesize

      3B

      MD5

      8a80554c91d9fca8acb82f023de02f11

      SHA1

      5f36b2ea290645ee34d943220a14b54ee5ea5be5

      SHA256

      ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

      SHA512

      ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

      Download Submit
    • C:\Users\Admin\soam4.dll
      Filesize

      3B

      MD5

      8a80554c91d9fca8acb82f023de02f11

      SHA1

      5f36b2ea290645ee34d943220a14b54ee5ea5be5

      SHA256

      ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

      SHA512

      ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

      Download Submit
    • memory/924-269-0x0000000000000000-mapping.dmp
      Download
    • memory/3688-266-0x0000000000000000-mapping.dmp
      Download
    • memory/3924-267-0x0000000000000000-mapping.dmp
      Download
    • memory/3956-264-0x0000000000000000-mapping.dmp
      Download
    • memory/3984-131-0x00007FFC87320000-0x00007FFC87330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-130-0x00007FFC87320000-0x00007FFC87330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-118-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-121-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-120-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-119-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-323-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-324-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-325-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-326-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp
      Filesize

      64KB

      Download