b17553745e016653cace2242fbf6be5d91642e9ec2424d43f97d47576b2fc046

General

Target

QO-77190441.xlsm
Size

64KB
MD5

93897aa2998c1991834aa52bf86c0ad5
SHA1

b91d37f744db2606709ec999f8eeb97c7b4c0514
SHA256

b17553745e016653cace2242fbf6be5d91642e9ec2424d43f97d47576b2fc046
SHA512

b6d3f60776846c1a74be4ae9c1b9615de03ef5d52e3590477e0a4a292f4eecea3c4f2ff8a834e5019a1472a9fd00241209018a9d5214dc9b1cea7a186cdae061

Score

8^/10

evasion spyware trojan

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1492	EXCEL.EXE
1104	iexplore.exe
1104	iexplore.exe
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
688	iexplore.exe
688	iexplore.exe
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
3968	iexplore.exe
3968	iexplore.exe
3612	IEXPLORE.EXE
3612	IEXPLORE.EXE
2196	iexplore.exe
2196	iexplore.exe
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
3024	iexplore.exe
3024	iexplore.exe
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
2124	iexplore.exe
2124	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1492 EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EXCEL.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1492 wrote to memory of 3388	1492	EXCEL.EXE	ywqJGcy.exe
PID 1492 wrote to memory of 3388	1492	EXCEL.EXE	ywqJGcy.exe
PID 1492 wrote to memory of 3388	1492	EXCEL.EXE	ywqJGcy.exe
PID 1104 wrote to memory of 1508	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 1508	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 1508	1104	iexplore.exe	IEXPLORE.EXE
PID 688 wrote to memory of 2348	688	iexplore.exe	IEXPLORE.EXE
PID 688 wrote to memory of 2348	688	iexplore.exe	IEXPLORE.EXE
PID 688 wrote to memory of 2348	688	iexplore.exe	IEXPLORE.EXE
PID 3968 wrote to memory of 3612	3968	iexplore.exe	IEXPLORE.EXE
PID 3968 wrote to memory of 3612	3968	iexplore.exe	IEXPLORE.EXE
PID 3968 wrote to memory of 3612	3968	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 1568	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 1568	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 1568	2196	iexplore.exe	IEXPLORE.EXE
PID 3024 wrote to memory of 1204	3024	iexplore.exe	IEXPLORE.EXE
PID 3024 wrote to memory of 1204	3024	iexplore.exe	IEXPLORE.EXE
PID 3024 wrote to memory of 1204	3024	iexplore.exe	IEXPLORE.EXE
PID 2124 wrote to memory of 1948	2124	iexplore.exe	IEXPLORE.EXE
PID 2124 wrote to memory of 1948	2124	iexplore.exe	IEXPLORE.EXE
PID 2124 wrote to memory of 1948	2124	iexplore.exe	IEXPLORE.EXE

Executes dropped EXE 1 IoCs

Processes:

ywqJGcy.exe

pid process

3388 ywqJGcy.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

1104 iexplore.exe
688 iexplore.exe
3968 iexplore.exe
2196 iexplore.exe
3024 iexplore.exe
2124 iexplore.exe

pid	process
3388	ywqJGcy.exe

pid	process
1104	iexplore.exe
688	iexplore.exe
3968	iexplore.exe
2196	iexplore.exe
3024	iexplore.exe
2124	iexplore.exe

Modifies system certificate store 2 TTPs 1 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b0601050507030353000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Checks whether UAC is enabled 12 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 101 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c020000000000200000000001066000000010000200000000e200e4d537f10b3ad7a2e2dc0829e0ff7737f479ef75a5ca2182778fa1406a3000000000e8000000002000020000000c62f2ee46d84daa7bf559c8da23c75a6b0ec944962470ec431f4183f3c6da539200000008bb1fbc050fd93547d77cdc7a5eca6682b084aa193e76dd661c9ffd9499679d440000000b454baa8689acaf46072fb9ade2abf710afebc6ef8dd2433795fb54e32c30abfeae6e554e9447b09542f56b3fe80ddf312ae38b65fc1f4b41f13eedb4ea261da	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1072102343"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f1de50f858d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC5B4B72-C4EB-11EA-BF1A-6644251C6E4C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000711156a36e45ac0b3a46ec90021e2e3da6e00dc38546d102a5a2b2e31c313c42000000000e800000000200002000000002b62b474f4ef6af75a46460cfa1c5b649058a33d0bc04b3281127b07d0de91420000000b32a1a8dda9bd59a9ce57ed563c64b96b21bdce105460335f3dcc3c3644bd94d40000000bb22204aab8a507a996548bf89e2047c587638c4ef5d2f81705cfc2d4693c24b2dd0627b46e2fcaa63b81063f464b6c63575b9eaa3ef163788c7e662289ccb11	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94CB4EA9-C4EB-11EA-BF1A-6644251C6E4C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1072102343"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08b9844f858d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000bfb818d3e1bfc39e30583f1b0d8127b6c66b7132df49c2421b4bbee02956636f000000000e80000000020000200000005134e9584447d02817d181ecfca3a7cdb52519e5ec8dc8e0f2bb6571f5ad8c55200000000dda0f5e9a4920c3806c05e1c006cf8877203cdd51e788823e850c1c2ce4ba3440000000d70f8402f457b91ca571e98d9bf8eaa405eb2a757fcb41a4de79f973de0a093256f7bbc6e7cc1cfbac532e755000ab1f653eff304566dd096de4b9f06f4c11dc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ac3568f858d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824696"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 501fce48f858d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CC1C007-C4EB-11EA-BF1A-6644251C6E4C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000e99877c4587a54d8817cf24b9fecfaa17abb7a0fa1b3b9e580c8c59f9783fcc9000000000e80000000020000200000007022ca9e0fa26af9461d5f62c1ae5b6f4937e5b67d44014c44fde800a49e167420000000c41a08bd7d5db344be5b5f9610434875f0ee3328472940b52c138b32d1cf79414000000030f9f49fc1364355e23e9c7ccfd759373ebccfe1dfc7ddbc6b072034bc3f1287f286ef3c623d5339b4cffbeb97f9c3c1e635ced889d51ca5a12d66b08a556ed9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60501359f858d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4115E2A-C4EB-11EA-BF1A-6644251C6E4C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000b8ff03eafbedb934b817830d1bd287093dc1e9f8754be73b5939fa9316a35c82000000000e8000000002000020000000c8fcde5762fb4b12e459d185988e363b1b8ce492f63e15eebc8dffb09972cb092000000091b3a8aeb68bb4ec29269ad02efc60326f07f1b583952db87892390d0e711033400000006bc0a831b288f273f97d03fd0b4b1b3db3e2494efb2d6a8d2d0ee98d839663a43a0b2ebb2a57d22028acae4c2c5c11524c2c0375d3a34716dae51d3d7d903148	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\QO-77190441.xlsm"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
- Checks processor information in registry
- Enumerates system info in registry
PID:1492

C:\Users\Admin\Documents\ywqJGcy.exe
"C:\Users\Admin\Documents\ywqJGcy.exe"
2⤵
- Executes dropped EXE
PID:3388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:688

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:688 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:2348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:3968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:3612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:2196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:3024

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:1204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:2124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\Documents\ywqJGcy.exe

Download Submit
C:\Users\Admin\Documents\ywqJGcy.exe

Download Submit
memory/1204-10-0x0000000000000000-mapping.dmp

Download
memory/1508-4-0x0000000000000000-mapping.dmp

Download
memory/1568-9-0x0000000000000000-mapping.dmp

Download
memory/1948-11-0x0000000000000000-mapping.dmp

Download
memory/2348-5-0x0000000000000000-mapping.dmp

Download
memory/3388-0-0x0000000000000000-mapping.dmp

Download
memory/3388-3-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/3612-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads