nanocore | bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931

Analysis

max time kernel
173s
max time network
180s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
Size

4.6MB
MD5

5102df3fcc9d3f97bb55ce858adc53b1
SHA1

5f91282fe116c4f2ac48c05fd7220a35dfaa73d9
SHA256

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931
SHA512

f6536fafaf1852397ff1369a4d27a78c6465f71b3f689b06080f83bd1bbd4caf9286a2c7703c54243f01b3493dfb54c4722ab74aa27b956260621728b17f2ae8

Score

10^/10

nanocore netwire botnet collection evasion keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1416-87-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

msxcelss.exemsexcels.exemsxcelss.exe

pid process

1608 msxcelss.exe
1696 msexcels.exe
1416 msxcelss.exe

pid	process
1608	msxcelss.exe
1696	msexcels.exe
1416	msxcelss.exe

Drops startup file 2 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.url	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azroleui.url	msxcelss.exe

Loads dropped DLL 9 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exe

pid	process
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1608	msxcelss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msxcelss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	msxcelss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msxcelss.exe"	msxcelss.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsexcels.exemsxcelss.exe

description	pid	process	target process
PID 1756 set thread context of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1696 set thread context of 544	1696	msexcels.exe	RegAsm.exe
PID 1608 set thread context of 1416	1608	msxcelss.exe	msxcelss.exe
PID 1756 set thread context of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

pid	process
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

112 RegAsm.exe

pid	process
112	RegAsm.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsexcels.exemsxcelss.exe

pid	process
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1696	msexcels.exe
1696	msexcels.exe
1608	msxcelss.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 112 RegAsm.exe
Token: SeDebugPrivilege 544 RegAsm.exe
Token: SeDebugPrivilege 1884 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	112	RegAsm.exe
Token: SeDebugPrivilege	544	RegAsm.exe
Token: SeDebugPrivilege	1884	RegAsm.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exemsexcels.exe

pid	process
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1608	msxcelss.exe
1608	msxcelss.exe
1608	msxcelss.exe
1696	msexcels.exe
1696	msexcels.exe
1696	msexcels.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exemsexcels.exe

pid	process
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1608	msxcelss.exe
1608	msxcelss.exe
1608	msxcelss.exe
1696	msexcels.exe
1696	msexcels.exe
1696	msexcels.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsexcels.exemsxcelss.exe

description	pid	process	target process
PID 1756 wrote to memory of 1608	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 1756 wrote to memory of 1608	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 1756 wrote to memory of 1608	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 1756 wrote to memory of 1608	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 1756 wrote to memory of 1696	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 1756 wrote to memory of 1696	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 1756 wrote to memory of 1696	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 1756 wrote to memory of 1696	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1900	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 112	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 428	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1696 wrote to memory of 544	1696	msexcels.exe	RegAsm.exe
PID 1608 wrote to memory of 1416	1608	msxcelss.exe	msxcelss.exe
PID 1608 wrote to memory of 1416	1608	msxcelss.exe	msxcelss.exe
PID 1608 wrote to memory of 1416	1608	msxcelss.exe	msxcelss.exe
PID 1608 wrote to memory of 1416	1608	msxcelss.exe	msxcelss.exe
PID 1608 wrote to memory of 1416	1608	msxcelss.exe	msxcelss.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1756 wrote to memory of 1884	1756	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
"C:\Users\Admin\AppData\Local\Temp\bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\msxcelss.exe
"C:\Users\Admin\AppData\Local\Temp\msxcelss.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\msxcelss.exe
"C:\Users\Admin\AppData\Local\Temp\msxcelss.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1416

C:\Users\Admin\AppData\Local\Temp\msexcels.exe
"C:\Users\Admin\AppData\Local\Temp\msexcels.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
3⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Roaming\327F7753-EED3-43EC-871A-C7BCF65868EC\run.dat

Filesize
8B

MD5
75093375fc692ea8ff5d62d94fabcf68

SHA1
151255158b6624f94b47e8c20b2315ca18d769f9

SHA256
71e378f4e094025fd3bbd2fc42a9353fc128162398750f344598f71edfb3b9bd

SHA512
8445a0933e3606b34b65ae61c7aa584a16d108ec7897ff633d29205235e57f53d766fd6b61431ca1a5257ac881daaf24b0981e9e124824f5d997e5068445c632

Download Submit
\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
memory/112-88-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/112-72-0x000000000041E792-mapping.dmp

Download
memory/112-90-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/112-79-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/544-74-0x0000000000447CAE-mapping.dmp

Download
memory/544-89-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/544-80-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1416-87-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1416-83-0x00000000004026D0-mapping.dmp

Download
memory/1608-86-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/1608-59-0x0000000000000000-mapping.dmp

Download
memory/1608-81-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1696-76-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/1696-77-0x0000000000F20000-0x0000000000F67000-memory.dmp

Filesize
284KB

Download
memory/1696-67-0x0000000000000000-mapping.dmp

Download
memory/1756-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1756-71-0x0000000000C20000-0x0000000000C53000-memory.dmp

Filesize
204KB

Download
memory/1756-78-0x0000000000CB0000-0x0000000000CE3000-memory.dmp

Filesize
204KB

Download
memory/1884-91-0x000000000041E792-mapping.dmp

Download
memory/1884-94-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-95-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download