Analysis Overview
SHA256
d3e6f290c2bb3453ca9c6eca018c3256d5a4e0e8bf3ab26316d904f3dfa82c23
Threat Level: Known bad
The file StolenImagesEvidence.xlsm was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Modifies WinLogon for persistence
Buer
Executes dropped EXE
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Program crash
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
NTFS ADS
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Launches Equation Editor
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-06-30 02:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-06-30 02:04
Reported
2020-06-30 02:06
Platform
win7
Max time kernel
149s
Max time network
131s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\42a9a9fda9eb1654f552\\gennt.exe\"" | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\cscript.exe | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\cscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\programdata\honey.exe | N/A |
| N/A | N/A | C:\ProgramData\honey.exe | N/A |
| N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A |
| N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\ProgramData\honey.exe | N/A |
| N/A | N/A | C:\ProgramData\honey.exe | N/A |
| N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A |
| N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\secinit.exe |
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{536913E1-BA76-11EA-BBCA-D6F86DC1AE1E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\programdata\asc.txt:script1.vbs | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\cmd.exe
cmd /c ren %tmp%\mm v&WSCRIPT %tmp%\v?..wsf C
C:\Windows\SysWOW64\wscript.exe
WSCRIPT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
C:\programdata\honey.exe
C:\programdata\honey.exe
C:\ProgramData\honey.exe
"C:\ProgramData\honey.exe"
C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe "C:\ProgramData\honey.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 280
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\42a9a9fda9eb1654f552}"
C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | medoslon.top | udp |
| N/A | 172.67.203.95:80 | medoslon.top | tcp |
| N/A | 172.67.203.95:80 | medoslon.top | tcp |
| N/A | 8.8.8.8:53 | mesoplano.com | udp |
| N/A | 84.38.180.246:443 | mesoplano.com | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 84.38.180.246:443 | mesoplano.com | tcp |
| N/A | 84.38.180.246:443 | mesoplano.com | tcp |
| N/A | 84.38.180.246:443 | mesoplano.com | tcp |
| N/A | 8.8.8.8:53 | go.microsoft.com | udp |
| N/A | 8.8.8.8:53 | df1.kamalak.at | udp |
| N/A | 8.209.73.71:80 | df1.kamalak.at | tcp |
| N/A | 8.209.73.71:80 | df1.kamalak.at | tcp |
Files
memory/836-0-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mm
| MD5 | 173309b93b0a0f138d015f465f4d8a1b |
| SHA1 | 7df3563be2296fea9bf66350a09d79168e73247b |
| SHA256 | ac5a437cfe1ea4156a9d8cfe4a36417dec046338a91532dfb837890d31340a08 |
| SHA512 | e128dc628f5647c34a8e969c7a7ce76c318ec9db380747ef3e618b7fc7c946e06c02660dfbc0f87c2c70ba9457d70bd64abe53cf5614b2e2c9d464304f438c27 |
memory/744-2-0x0000000000000000-mapping.dmp
memory/1100-3-0x00000000061E0000-0x00000000062E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xx
| MD5 | fe40904aaae247297d25d511e26311b3 |
| SHA1 | 126559ee3ec7e56ca282d671f10da4a54b19399d |
| SHA256 | fc525ba956e261d31d8e0e7f9906c1906aaaab5e47d2e8155358902bd4428ba8 |
| SHA512 | 05815d715e50b1706ff020286a8f51ab0ea31306f3448ea8872034400d1a272348b052cdf2ce08e562830e7e9a94374f3e7472cee177f297e3d0cbc7a243656b |
memory/1484-6-0x0000000000000000-mapping.dmp
memory/744-7-0x0000000002590000-0x0000000002594000-memory.dmp
memory/1788-8-0x0000000000000000-mapping.dmp
memory/1808-9-0x0000000000000000-mapping.dmp
C:\programdata\asc.txt:script1.vbs
| MD5 | db247f41725eccc95440e0de0cb454b0 |
| SHA1 | c18af0fcdf083be64fa139e1120b1526ba45d7b6 |
| SHA256 | f65cf77551c4c20c63985a74e7886651ec063996b0fc8e1a486801e27a9bdb88 |
| SHA512 | f5c4569e6d729885c55cd129461795dc96fa5efdb1e85a99282b149003c785272e148f6a728f66398f3364c9354af1393df7c5e0f2582112dfd4e7d7045c6f5a |
C:\programdata\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
memory/1536-12-0x0000000000000000-mapping.dmp
memory/1808-13-0x00000000023D0000-0x00000000023D4000-memory.dmp
C:\ProgramData\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
C:\programdata\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
\ProgramData\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
memory/1952-17-0x0000000000000000-mapping.dmp
C:\ProgramData\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
memory/1788-19-0x0000000002740000-0x0000000002744000-memory.dmp
C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
\ProgramData\42a9a9fda9eb1654f552\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
\ProgramData\42a9a9fda9eb1654f552\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
memory/1636-23-0x0000000000000000-mapping.dmp
C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
memory/1044-26-0x0000000000000000-mapping.dmp
memory/1508-27-0x0000000000000000-mapping.dmp
memory/1508-28-0x0000000002170000-0x0000000002181000-memory.dmp
memory/1044-29-0x0000000000000000-mapping.dmp
memory/1044-30-0x0000000000000000-mapping.dmp
memory/836-31-0x0000000000000000-mapping.dmp
memory/1508-32-0x0000000002640000-0x0000000002651000-memory.dmp
\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
| MD5 | 3b213812199ade3a2f51250355bcbb02 |
| SHA1 | 62bf14e1b9cfbc34e5101b780c3b55359c83152c |
| SHA256 | a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852 |
| SHA512 | c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de |
\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
| MD5 | 3b213812199ade3a2f51250355bcbb02 |
| SHA1 | 62bf14e1b9cfbc34e5101b780c3b55359c83152c |
| SHA256 | a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852 |
| SHA512 | c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de |
memory/1760-35-0x0000000000000000-mapping.dmp
C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
| MD5 | 3b213812199ade3a2f51250355bcbb02 |
| SHA1 | 62bf14e1b9cfbc34e5101b780c3b55359c83152c |
| SHA256 | a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852 |
| SHA512 | c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de |
memory/1172-37-0x0000000000000000-mapping.dmp
memory/1172-38-0x0000000006C50000-0x0000000006C73000-memory.dmp
memory/1172-39-0x0000000004E60000-0x0000000004E63000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-06-30 02:04
Reported
2020-06-30 02:06
Platform
win10v200430
Max time kernel
147s
Max time network
133s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\e0fb894d1ddbd54172ba\\gennt.exe\"" | C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\cscript.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\programdata\honey.exe | N/A |
| N/A | N/A | C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\mm:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\xx:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| File created | C:\programdata\asc.txt:script1.vbs | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm"
C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
C:\programdata\honey.exe
C:\programdata\honey.exe
C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe
C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe "C:\programdata\honey.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | medoslon.top | udp |
| N/A | 104.24.98.91:80 | medoslon.top | tcp |
Files
memory/3768-0-0x000002BD4BFC9000-0x000002BD4BFCE000-memory.dmp
memory/3768-1-0x000002BD44FE5000-0x000002BD44FEB000-memory.dmp
memory/3768-2-0x000002BD4C324000-0x000002BD4C326000-memory.dmp
memory/3768-3-0x000002BD44FE5000-0x000002BD44FEB000-memory.dmp
memory/3768-4-0x000002BD4C324000-0x000002BD4C326000-memory.dmp
memory/3768-5-0x000002BD4C326000-0x000002BD4C32B000-memory.dmp
memory/3980-6-0x0000000000000000-mapping.dmp
C:\programdata\asc.txt:script1.vbs
| MD5 | db247f41725eccc95440e0de0cb454b0 |
| SHA1 | c18af0fcdf083be64fa139e1120b1526ba45d7b6 |
| SHA256 | f65cf77551c4c20c63985a74e7886651ec063996b0fc8e1a486801e27a9bdb88 |
| SHA512 | f5c4569e6d729885c55cd129461795dc96fa5efdb1e85a99282b149003c785272e148f6a728f66398f3364c9354af1393df7c5e0f2582112dfd4e7d7045c6f5a |
memory/3704-8-0x0000000000000000-mapping.dmp
C:\ProgramData\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
C:\programdata\honey.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
memory/3740-11-0x0000000000000000-mapping.dmp
C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |
C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe
| MD5 | f500854e3cf9556688203a3d869b7d6d |
| SHA1 | 281aab2eb26f31cf2255e2f5a467fc5eebda8df8 |
| SHA256 | 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975 |
| SHA512 | bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4 |