5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a

General

Target

Doc_3744.xls
Size

62KB
MD5

47e22049644647ee854cedfe077156e7
SHA1

20ad9f47616a8272dece2ec1039a88c09412c97c
SHA256

5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a
SHA512

1eeb87173378f4d0e157ee42f5b28e48ff84a35b44d71f004a6180cc2bdbc09e45c071adc7ab0a94c75071fbe3ee13b939ee8cb216b6f2e06c9c24ca34dbbf1b

Score

7^/10

spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "about:blank"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "321213703"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4FEFC239-78B4-11EB-B59A-CAD1272A8716} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001e13458d7c7f094a981f0f05c1eab930000000000200000000001066000000010000200000001165927739868e8e9f4a8b5057e5de933b06b6a57b8cc7e61a90d819f71bb099000000000e800000000200002000000018df8c192a8a211e8a05f6241037fa118b6c4674de4e3be7750b7661350f843580000000c8d74504dfe3b73046b1f50c0a979d3e7e33a2786197699e5e9a6b6847f7b8c21914cbf55003a32f9d06ae66bc3c2aa16ca4744147c047d44638dadabcb39a2f65c802fd9649e79682c3f0f5166dadb57c7a82c0dc25dfcca312e977aa1877deab0477d8567764ca597adf293f0d290dced56721ebc94e14157fe269c1a11c2b40000000d60679e3f117cb71db6f539dd49112da35dbbb980492cdb2a84aafa85a72791b05e77cf0c2c70a99084f3ca0d0281f257c1b552aee087592ca3bc69faa7ec995	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000fffffffffffffffffffffffffffffffff8fffffff8ffffff08050000b0020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "about:blank"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url7 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "613894842"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30870721"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 70b2ce16c10cd701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "321165117"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "646959032"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03b123fc10cd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001e13458d7c7f094a981f0f05c1eab93000000000020000000000106600000001000020000000a717bfb4bbfda1b0fba9c7a3fba51a6c90ec768fc63f72b23bee8e3a79a44416000000000e80000000020000200000005cc5120714108328a77926740299d39f0c8b9f86fb2f1e848eb6d915f8d5d67c200000007ce23cc991ffa6104236c270d87032c1cb25cf39251e00ec1400ac78262319d540000000ab6e88bbbbc07d7c28b9c0bcbfba5c1d85b9bf27137f2f7ae68e8569253ce701d46be2676dba5634df8e3fe8c2ff8d63fc1839eb1c3a316a1a07c34131f6ff66	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30870721"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://qaz.im/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1031c32cc10cd701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001e13458d7c7f094a981f0f05c1eab93000000000020000000000106600000001000020000000d9e3072703cf47ce6007fe58a22f68782b7869adf0dd7434f64c2089ea53ea5a000000000e80000000020000200000009fde5361cc352d3dcc55c9eb98943240d85e218f2efd1cdd7f3853f1b93626162000000020bb3b3f0410552bbd899f1531e9caa3789debddda8e0ec51e203d0112e01b88400000009c6dfaf7e42690aa0adfb2411d4cba971f3972fc430612fcbe5f67eaa6d88eaf7f4eeaea4a9aa970d0cafa164ff0d87709af6efc9f557b2c5071a00ddd1bdb71	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001e13458d7c7f094a981f0f05c1eab9300000000002000000000010660000000100002000000077c746ebbeba407db43e006f767a7540b12b3ae7a54d2498a00761bc9869112a000000000e8000000002000020000000a67bab49f669adacc078e7f458326adf376481ca7aaed3669977cb6ee7e7b595200000007a3bccb7d10e3558a80657d0c24deb5964a6ea8b18a2d1b368d7cdb6a81a157f40000000734ebc60abf4160bd6c6a8b97ffac000a8f921dc2a6b63ea917b4efa2bbf14756d1dacf385ef68f1ca7877d17373a8e0b9be97138cc86a57dc82eece4f935c61	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 34 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4696 EXCEL.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4420 iexplore.exe

pid	process
4420	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXE

pid	process
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4420	iexplore.exe
4420	iexplore.exe
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
4420	iexplore.exe
4420	iexplore.exe
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4420 wrote to memory of 4588	4420	iexplore.exe	IEXPLORE.EXE
PID 4420 wrote to memory of 4588	4420	iexplore.exe	IEXPLORE.EXE
PID 4420 wrote to memory of 4588	4420	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_3744.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4420 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
645278e32992298d7366e4e0ac9a360d

SHA1
14aa557d892ebdf5337e91b9b9ea8ba4e1ea7e50

SHA256
69f5ccba9de478a6e724aa9f26765151fa78b096ede32f599945cb192f61c1b4

SHA512
9b5922ca42eccbe5808ee4952e8978e6ec8d819db4a63f9283f560fea54bd01ad51dfc146e1238a067f45b5bfd3603fe43e81b850f35833a836d015c7720e024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E706EC2EDE247F030D73F5CDF441F029

MD5
3f907f4f6daf01ee4aadb84f67210fc2

SHA1
12aa2a28de53dc2fc2f51bcbfa024d903d8aa369

SHA256
4c3b51b2b505c59d6d3ce7072663548cee68f1740351c80d19a887841056cf8e

SHA512
8ca32b9ec658ac93897ed2e19e246b3b7981e5b70454f5deb27cdff2185feec552a99653d0b32b2e303456866971459f2d429498f89e35856572ce7b0a286611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
9ccae07ea652bbc191b17d6f18fe2904

SHA1
4a4cf3b91da983837fba977cb17cc27cba579313

SHA256
db885b60999f45f206abcc46b8b88b935501d75327d6ef7ae7493390744f39c6

SHA512
e4f84e537d27c1f02585754072494a566aefff3a1fb42b1891028b2db8549b7bb4fb146bb0608e59e2e7f0e94c8c631ce647fb310b68b5364711203f5185a47c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E706EC2EDE247F030D73F5CDF441F029

MD5
9e78ec97966868e08bdba9a4d2b94da7

SHA1
5fdf1d1e816e30cd86a89840859309de875abc95

SHA256
95c981b9a91d0d9468d16c25ea0432b14cb878a4f1ecae4fe14d6b502699305e

SHA512
b09f7f70103ff4ba4b6aa050d5643ee6502407905aaa2f0610f319217f448fd57ffe3e68444148bd3a1daf81bed15e3c08c1a1c8de4062f7d4b89e687a79410c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OGDR532A.cookie

MD5
25a2a923cf793e04d3652f4441295e0f

SHA1
f3303b92484eb909f9a0123649cf2c3a3b5a0ef9

SHA256
42f6c33a97fad0b9b01465741eec1509c0bc1204683777b469984ab29fcd13a1

SHA512
12dee9d68bcceec2776f8645901ab5d5fef4502f27dc3c6bd63222957ff051c81044c8800e754ad4b7239a9e1e8ee532ee0a209814ea5f5b959b31f67c74fb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P0S3DN67.cookie

MD5
9b0f54aa485ddc7e4307ad6ccb126cca

SHA1
86b0f6b7e6dcbb656477f9dbbcd44de3084b6b5b

SHA256
c88c40d4bd9077a6a59ea7d7b7371a739dd13c4e11f75b9a95cb3b0cb9368af4

SHA512
0c453c4ddaa9960b7b68fb0f5b08325e92a93ea9d530de550d4ffebfdad1c7ce97409ef7a7e78074f6be9bacafc298cef9b1de02f4d8788d666552fdc8fed445

Download Submit
C:\dir10.txt

MD5
7a9d4d58cf6c2d77a5bb63282708b902

SHA1
d5122c8f73de2c8169da15ed439897178ea7dad2

SHA256
a8346473b5ab0514f1c38bcf40e5dfa8a82107bb27d5e8b0d6f3253ce3f23d03

SHA512
da0af53c1d5a0983d7ea2417bde1df9b8ee827ff651a71c79781fcf304953a762149bfe13aa3daacb6eba8d74e264409c7e762141a5d8cc78dd41b032646b0b5

Download Submit
memory/4588-7-0x0000000000000000-mapping.dmp

Download
memory/4696-6-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4696-5-0x00007FFCF0B70000-0x00007FFCF11A7000-memory.dmp

Filesize
6.2MB

Download
memory/4696-4-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4696-3-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4696-2-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads