nanocore | bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931

Analysis

max time kernel
154s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
Size

4.6MB
MD5

5102df3fcc9d3f97bb55ce858adc53b1
SHA1

5f91282fe116c4f2ac48c05fd7220a35dfaa73d9
SHA256

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931
SHA512

f6536fafaf1852397ff1369a4d27a78c6465f71b3f689b06080f83bd1bbd4caf9286a2c7703c54243f01b3493dfb54c4722ab74aa27b956260621728b17f2ae8

Score

10^/10

nanocore netwire botnet collection evasion keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3748-151-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

msxcelss.exemsexcels.exemsxcelss.exemsxcelss.exe

pid process

5088 msxcelss.exe
1596 msexcels.exe
5052 msxcelss.exe
3748 msxcelss.exe

pid	process
5088	msxcelss.exe
1596	msexcels.exe
5052	msxcelss.exe
3748	msxcelss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

Drops startup file 2 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.url	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azroleui.url	msxcelss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msxcelss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	msxcelss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msxcelss.exe"	msxcelss.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msexcels.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

msexcels.exebdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exe

description	pid	process	target process
PID 1596 set thread context of 712	1596	msexcels.exe	RegAsm.exe
PID 4952 set thread context of 1592	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 5088 set thread context of 3748	5088	msxcelss.exe	msxcelss.exe
PID 4952 set thread context of 3844	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

pid	process
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1592 RegAsm.exe
3844 RegAsm.exe

pid	process
1592	RegAsm.exe
3844	RegAsm.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsexcels.exemsxcelss.exe

pid	process
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
1596	msexcels.exe
5088	msxcelss.exe
5088	msxcelss.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1592 RegAsm.exe
Token: SeDebugPrivilege 712 RegAsm.exe
Token: SeDebugPrivilege 3844 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1592	RegAsm.exe
Token: SeDebugPrivilege	712	RegAsm.exe
Token: SeDebugPrivilege	3844	RegAsm.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exemsexcels.exe

pid	process
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
5088	msxcelss.exe
5088	msxcelss.exe
5088	msxcelss.exe
1596	msexcels.exe
1596	msexcels.exe
1596	msexcels.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsxcelss.exemsexcels.exe

pid	process
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
5088	msxcelss.exe
5088	msxcelss.exe
5088	msxcelss.exe
1596	msexcels.exe
1596	msexcels.exe
1596	msexcels.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exemsexcels.exemsxcelss.exe

description	pid	process	target process
PID 4952 wrote to memory of 5088	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 4952 wrote to memory of 5088	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 4952 wrote to memory of 5088	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msxcelss.exe
PID 4952 wrote to memory of 1596	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 4952 wrote to memory of 1596	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 4952 wrote to memory of 1596	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	msexcels.exe
PID 4952 wrote to memory of 4328	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 4328	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 4328	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 1592	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 1592	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 1592	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 1592	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 1596 wrote to memory of 712	1596	msexcels.exe	RegAsm.exe
PID 1596 wrote to memory of 712	1596	msexcels.exe	RegAsm.exe
PID 1596 wrote to memory of 712	1596	msexcels.exe	RegAsm.exe
PID 1596 wrote to memory of 712	1596	msexcels.exe	RegAsm.exe
PID 5088 wrote to memory of 5052	5088	msxcelss.exe	msxcelss.exe
PID 5088 wrote to memory of 5052	5088	msxcelss.exe	msxcelss.exe
PID 5088 wrote to memory of 5052	5088	msxcelss.exe	msxcelss.exe
PID 5088 wrote to memory of 3748	5088	msxcelss.exe	msxcelss.exe
PID 5088 wrote to memory of 3748	5088	msxcelss.exe	msxcelss.exe
PID 5088 wrote to memory of 3748	5088	msxcelss.exe	msxcelss.exe
PID 5088 wrote to memory of 3748	5088	msxcelss.exe	msxcelss.exe
PID 4952 wrote to memory of 3844	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 3844	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 3844	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe
PID 4952 wrote to memory of 3844	4952	bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe
"C:\Users\Admin\AppData\Local\Temp\bdf354d3fc416d0d8bac9c25b02ef4e112ffb794b9c3ca69331925503e6c9931.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\msxcelss.exe
"C:\Users\Admin\AppData\Local\Temp\msxcelss.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\msxcelss.exe
"C:\Users\Admin\AppData\Local\Temp\msxcelss.exe"
3⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\AppData\Local\Temp\msxcelss.exe
"C:\Users\Admin\AppData\Local\Temp\msxcelss.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3748

C:\Users\Admin\AppData\Local\Temp\msexcels.exe
"C:\Users\Admin\AppData\Local\Temp\msexcels.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\msexcels.exe

Filesize
1.6MB

MD5
ce7bdfd133653fbd3dfe93410a311033

SHA1
ba3e756fadb8b17893820494b2e3b0233f9e7c41

SHA256
4afad17a2da5905290426d287a6b0029a4addfe0ef0054fd1c229dbfe4d6bc55

SHA512
7393ef0f92e4b21e0f5317996bf0519a1ff0c81d489c15af5ce34428999983c156bfe4da7004588aae896d7b6f1d757b2e9f9efd0a20f68b7d2ec4c2dfd01b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxcelss.exe

Filesize
1.4MB

MD5
9d122b71bb82aea292e6366290b2bbb2

SHA1
57fe5bbfae583bff6ca5fb4c984d068149854e8a

SHA256
c7a9047e0114a870911a3a22f9965109c078659f9c5929af7459781d6c598085

SHA512
967bb7c84876d05c5b17c39d7832fb82aaa56d4cdf186aec95d4445c6a49e6eb52c07c88c310d428ebfc991e2545cc5be95be233200810597fe9513d5b9421e4

Download Submit
C:\Users\Admin\AppData\Roaming\146ECCBB-68C5-4730-B193-CA9B081460A7\run.dat

Filesize
8B

MD5
7e82136468f86e6e96a7df3611b88296

SHA1
b1ee639cd6439b4928ab7915576297878de8f710

SHA256
a457a8de74ec7c317f67947ccf577dbf357d34784605cc9448c8659fede93399

SHA512
25c1dc44ba684321d58e04182c3ed2585c8ee6b0830d0e11d9476dc81933402ba53eeb66d30b56b4498c438343c70a6fd541cd948705f55257a6f28588023a93

Download Submit
memory/712-142-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/712-149-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/712-140-0x0000000000000000-mapping.dmp

Download
memory/1592-139-0x0000000000000000-mapping.dmp

Download
memory/1592-152-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/1592-143-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/1592-150-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/1596-141-0x0000000000FC0000-0x0000000001007000-memory.dmp

Filesize
284KB

Download
memory/1596-137-0x0000000000CC0000-0x0000000000D07000-memory.dmp

Filesize
284KB

Download
memory/1596-133-0x0000000000000000-mapping.dmp

Download
memory/3748-146-0x0000000000000000-mapping.dmp

Download
memory/3748-151-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3844-154-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/3844-153-0x0000000000000000-mapping.dmp

Download
memory/3844-156-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/4952-136-0x0000000003E80000-0x0000000003EB3000-memory.dmp

Filesize
204KB

Download
memory/4952-138-0x00000000041A0000-0x00000000041D3000-memory.dmp

Filesize
204KB

Download
memory/5088-148-0x0000000003210000-0x0000000003230000-memory.dmp

Filesize
128KB

Download
memory/5088-144-0x0000000000CE0000-0x0000000000D00000-memory.dmp

Filesize
128KB

Download
memory/5088-130-0x0000000000000000-mapping.dmp

Download