systembc | fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

Analysis

max time kernel
138s
max time network
155s
platform
windows7_x64
resource
win7-en-20211208
submitted
02-02-2022 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882.xll
Size

646KB
MD5

a04d8167d9f4313b9f1e6ba38900306c
SHA1

3f0c0c5555707a52247b91452c75692c1f30c8b6
SHA256

fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
SHA512

e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Score

10^/10

systembc vidar 1131 discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

Botnet

1131

https://mastodon.social/@prophef6

https://noc.social/@prophef5

Attributes

profile_id
1131

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/1816-82-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1816-83-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1816-85-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1816-86-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1364	sse.exe
1716	CP8Z9ZN3KMVU03RJ.exe
1624	CP8Z9ZN3KMVU03RJ.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CP8Z9ZN3KMVU03RJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CP8Z9ZN3KMVU03RJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CP8Z9ZN3KMVU03RJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CP8Z9ZN3KMVU03RJ.exe

Loads dropped DLL 9 IoCs

pid	Process
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE
1816	RegAsm.exe
1816	RegAsm.exe
1816	RegAsm.exe
1816	RegAsm.exe
1816	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CP8Z9ZN3KMVU03RJ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CP8Z9ZN3KMVU03RJ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Environment	CP8Z9ZN3KMVU03RJ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Debug	CP8Z9ZN3KMVU03RJ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1716	CP8Z9ZN3KMVU03RJ.exe
1716	CP8Z9ZN3KMVU03RJ.exe
1624	CP8Z9ZN3KMVU03RJ.exe
1624	CP8Z9ZN3KMVU03RJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 1816	1364	sse.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\wow64.job	CP8Z9ZN3KMVU03RJ.exe
File opened for modification	C:\Windows\Tasks\wow64.job	CP8Z9ZN3KMVU03RJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1524	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
948	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe:Zone.Identifier	RegAsm.exe
File opened for modification	C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe:Zone.Identifier	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1112	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1816	RegAsm.exe
1816	RegAsm.exe
1816	RegAsm.exe
1816	RegAsm.exe
1716	CP8Z9ZN3KMVU03RJ.exe
1716	CP8Z9ZN3KMVU03RJ.exe
1624	CP8Z9ZN3KMVU03RJ.exe
1624	CP8Z9ZN3KMVU03RJ.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	EXCEL.EXE
Token: SeDebugPrivilege	1364	sse.exe
Token: SeDebugPrivilege	948	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1112	EXCEL.EXE
1112	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1364	1112	EXCEL.EXE	27
PID 1112 wrote to memory of 1364	1112	EXCEL.EXE	27
PID 1112 wrote to memory of 1364	1112	EXCEL.EXE	27
PID 1112 wrote to memory of 1364	1112	EXCEL.EXE	27
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1364 wrote to memory of 1816	1364	sse.exe	31
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1716	1816	RegAsm.exe	34
PID 1816 wrote to memory of 1228	1816	RegAsm.exe	35
PID 1816 wrote to memory of 1228	1816	RegAsm.exe	35
PID 1816 wrote to memory of 1228	1816	RegAsm.exe	35
PID 1816 wrote to memory of 1228	1816	RegAsm.exe	35
PID 1228 wrote to memory of 948	1228	cmd.exe	37
PID 1228 wrote to memory of 948	1228	cmd.exe	37
PID 1228 wrote to memory of 948	1228	cmd.exe	37
PID 1228 wrote to memory of 948	1228	cmd.exe	37
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 992 wrote to memory of 1624	992	taskeng.exe	40
PID 1228 wrote to memory of 1524	1228	cmd.exe	41
PID 1228 wrote to memory of 1524	1228	cmd.exe	41
PID 1228 wrote to memory of 1524	1228	cmd.exe	41
PID 1228 wrote to memory of 1524	1228	cmd.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882.xll
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\sse.exe
  C:\Users\Admin\AppData\Local\Temp\sse.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe
      "C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im RegAsm.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RegAsm.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1524

C:\Windows\system32\taskeng.exe
taskeng.exe {430E403B-6263-4D1E-8AB3-B2DE7D6AD249} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe
  C:\ProgramData\CP8Z9ZN3KMVU03RJ.exe start
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-61-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/1112-68-0x000000000753B000-0x000000000754C000-memory.dmp

Filesize
68KB

Download
memory/1112-62-0x0000000007531000-0x0000000007532000-memory.dmp

Filesize
4KB

Download
memory/1112-63-0x0000000004390000-0x00000000043AC000-memory.dmp

Filesize
112KB

Download
memory/1112-55-0x0000000071AE1000-0x0000000071AE3000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1112-57-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/1112-60-0x000000006D281000-0x000000006D283000-memory.dmp

Filesize
8KB

Download
memory/1112-64-0x0000000007533000-0x0000000007534000-memory.dmp

Filesize
4KB

Download
memory/1112-65-0x0000000007534000-0x0000000007535000-memory.dmp

Filesize
4KB

Download
memory/1112-66-0x0000000007535000-0x0000000007537000-memory.dmp

Filesize
8KB

Download
memory/1112-54-0x000000002FE71000-0x000000002FE74000-memory.dmp

Filesize
12KB

Download
memory/1112-69-0x00000000046E0000-0x00000000046EE000-memory.dmp

Filesize
56KB

Download
memory/1112-67-0x0000000004730000-0x000000000476C000-memory.dmp

Filesize
240KB

Download
memory/1364-76-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1364-78-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/1364-77-0x0000000004815000-0x0000000004826000-memory.dmp

Filesize
68KB

Download
memory/1364-74-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1624-114-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1624-119-0x0000000076280000-0x00000000762C7000-memory.dmp

Filesize
284KB

Download
memory/1624-123-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1624-121-0x0000000075630000-0x000000007578C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-117-0x00000000761D0000-0x000000007627C000-memory.dmp

Filesize
688KB

Download
memory/1624-116-0x00000000772A0000-0x00000000772D5000-memory.dmp

Filesize
212KB

Download
memory/1624-115-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1624-112-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/1624-113-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1624-110-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1716-98-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1716-100-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1716-96-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/1716-99-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1716-104-0x0000000076280000-0x00000000762C7000-memory.dmp

Filesize
284KB

Download
memory/1716-95-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1716-102-0x00000000761D0000-0x000000007627C000-memory.dmp

Filesize
688KB

Download
memory/1716-101-0x00000000772A0000-0x00000000772D5000-memory.dmp

Filesize
212KB

Download
memory/1716-108-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1716-107-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1716-106-0x0000000075630000-0x000000007578C000-memory.dmp

Filesize
1.4MB

Download
memory/1816-86-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1816-85-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1816-83-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1816-82-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1816-81-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1816-80-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1816-79-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download