Malware Analysis Report

2024-11-13 16:48

Sample ID: 200630-rdvmpwkhrx
Target: StolenImagesEvidence.xlsm
SHA256: d3e6f290c2bb3453ca9c6eca018c3256d5a4e0e8bf3ab26316d904f3dfa82c23
Tags: buer, loader, persistence
Score: 10/10


Analysis Overview

Threat Level: Known bad
The file StolenImagesEvidence.xlsm was found to be: Known bad.

Malicious Activity Summary

Tags: buer, loader, persistence

Process spawned unexpected child process
Modifies WinLogon for persistence
Buer
Executes dropped EXE
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Program crash
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
NTFS ADS
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Launches Equation Editor
Modifies Internet Explorer settings

Analysis: static1

Detonation Overview

Reported: 2020-06-30 02:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-06-30 02:04
Reported: 2020-06-30 02:06
Platform: win7
Max time kernel: 149s
Max time network: 131s

Command Line

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm

Signatures

Buer
Category: loader, buer

Modifies WinLogon for persistence
Category: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\42a9a9fda9eb1654f552\\gennt.exe\"" | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\cscript.exe | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\System32\cscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\programdata\honey.exe | N/A
N/A | N/A | C:\ProgramData\honey.exe | N/A
N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\F: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\G: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\N: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\O: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\V: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\secinit.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor
Category: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Modifies Internet Explorer settings
Category: adware, spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{536913E1-BA76-11EA-BBCA-D6F86DC1AE1E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\programdata\asc.txt:script1.vbs | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1464 wrote to memory of 836 | N/A | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\wscript.exe
PID 744 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 1100 wrote to memory of 1808 | N/A | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\System32\cscript.exe
PID 1808 wrote to memory of 1536 | N/A | C:\Windows\System32\cscript.exe | C:\programdata\honey.exe
PID 1788 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\ProgramData\honey.exe
PID 1952 wrote to memory of 1636 | N/A | C:\ProgramData\honey.exe | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
PID 1636 wrote to memory of 1044 | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1044 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\secinit.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1636 wrote to memory of 836 | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1760 | N/A | C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe | C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
PID 1484 wrote to memory of 1172 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes (image path, followed by its command line)

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe
    cmd /c ren %tmp%\mm v&WSCRIPT %tmp%\v?..wsf  C

C:\Windows\SysWOW64\wscript.exe
    WSCRIPT C:\Users\Admin\AppData\Local\Temp\v?..wsf  C

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs

C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs

C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs

C:\programdata\honey.exe
    C:\programdata\honey.exe

C:\ProgramData\honey.exe
    "C:\ProgramData\honey.exe"

C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
    C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe "C:\ProgramData\honey.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 280

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\42a9a9fda9eb1654f552}"

C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
    C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe

C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | medoslon.top | udp
N/A | 172.67.203.95:80 | medoslon.top | tcp
N/A | 8.8.8.8:53 | mesoplano.com | udp
N/A | 84.38.180.246:443 | mesoplano.com | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 8.8.8.8:53 | go.microsoft.com | udp
N/A | 8.8.8.8:53 | df1.kamalak.at | udp
N/A | 8.209.73.71:80 | df1.kamalak.at | tcp

Files

C:\Users\Admin\AppData\Local\Temp\mm
MD5 173309b93b0a0f138d015f465f4d8a1b
SHA1 7df3563be2296fea9bf66350a09d79168e73247b
SHA256 ac5a437cfe1ea4156a9d8cfe4a36417dec046338a91532dfb837890d31340a08
SHA512 e128dc628f5647c34a8e969c7a7ce76c318ec9db380747ef3e618b7fc7c946e06c02660dfbc0f87c2c70ba9457d70bd64abe53cf5614b2e2c9d464304f438c27

C:\Users\Admin\AppData\Local\Temp\xx
MD5 fe40904aaae247297d25d511e26311b3
SHA1 126559ee3ec7e56ca282d671f10da4a54b19399d
SHA256 fc525ba956e261d31d8e0e7f9906c1906aaaab5e47d2e8155358902bd4428ba8
SHA512 05815d715e50b1706ff020286a8f51ab0ea31306f3448ea8872034400d1a272348b052cdf2ce08e562830e7e9a94374f3e7472cee177f297e3d0cbc7a243656b

C:\programdata\asc.txt:script1.vbs
MD5 db247f41725eccc95440e0de0cb454b0
SHA1 c18af0fcdf083be64fa139e1120b1526ba45d7b6
SHA256 f65cf77551c4c20c63985a74e7886651ec063996b0fc8e1a486801e27a9bdb88
SHA512 f5c4569e6d729885c55cd129461795dc96fa5efdb1e85a99282b149003c785272e148f6a728f66398f3364c9354af1393df7c5e0f2582112dfd4e7d7045c6f5a

C:\programdata\honey.exe (also recorded as C:\ProgramData\honey.exe and \ProgramData\honey.exe)
MD5 f500854e3cf9556688203a3d869b7d6d
SHA1 281aab2eb26f31cf2255e2f5a467fc5eebda8df8
SHA256 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
SHA512 bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe (also recorded as \ProgramData\42a9a9fda9eb1654f552\gennt.exe; same hashes as honey.exe)
MD5 f500854e3cf9556688203a3d869b7d6d
SHA1 281aab2eb26f31cf2255e2f5a467fc5eebda8df8
SHA256 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
SHA512 bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe (also recorded as \ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe)
MD5 3b213812199ade3a2f51250355bcbb02
SHA1 62bf14e1b9cfbc34e5101b780c3b55359c83152c
SHA256 a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852
SHA512 c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de

Analysis: behavioral2

Detonation Overview

Submitted: 2020-06-30 02:04
Reported: 2020-06-30 02:06
Platform: win10v200430
Max time kernel: 147s
Max time network: 133s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm"

Signatures

Buer
Category: loader, buer

Modifies WinLogon for persistence
Category: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\e0fb894d1ddbd54172ba\\gennt.exe\"" | C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\cscript.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\programdata\honey.exe | N/A
N/A | N/A | C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\mm:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\xx:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
File created | C:\programdata\asc.txt:script1.vbs | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes (image path, followed by its command line)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm"

C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs

C:\programdata\honey.exe
    C:\programdata\honey.exe

C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe
    C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe "C:\programdata\honey.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | medoslon.top | udp
N/A | 104.24.98.91:80 | medoslon.top | tcp

Files

C:\programdata\asc.txt:script1.vbs
MD5 db247f41725eccc95440e0de0cb454b0
SHA1 c18af0fcdf083be64fa139e1120b1526ba45d7b6
SHA256 f65cf77551c4c20c63985a74e7886651ec063996b0fc8e1a486801e27a9bdb88
SHA512 f5c4569e6d729885c55cd129461795dc96fa5efdb1e85a99282b149003c785272e148f6a728f66398f3364c9354af1393df7c5e0f2582112dfd4e7d7045c6f5a

C:\ProgramData\honey.exe (also recorded as C:\programdata\honey.exe)
MD5 f500854e3cf9556688203a3d869b7d6d
SHA1 281aab2eb26f31cf2255e2f5a467fc5eebda8df8
SHA256 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
SHA512 bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

C:\ProgramData\e0fb894d1ddbd54172ba\gennt.exe (same hashes as honey.exe)
MD5 f500854e3cf9556688203a3d869b7d6d
SHA1 281aab2eb26f31cf2255e2f5a467fc5eebda8df8
SHA256 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
SHA512 bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4