f9068e24dc32b9314c21966284886537051e1ea8b7044772489a99c4906925af

Analysis

max time kernel
149s
max time network
104s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref671005018.xls
Size

232KB
MD5

169f284d5cb718718ef756d97e962d66
SHA1

f83c9e72f5d03e30e8d99b8ac3a7ea9e3ab98960
SHA256

f9068e24dc32b9314c21966284886537051e1ea8b7044772489a99c4906925af
SHA512

fd82a9a0044be3eb01b95dd5de63b0ac57072cf67fc2959ac1180f22f7ed5375ba9178e37b2fe3c2ddabe883aadb90e85d77c19406af1c5c41861d2d4bd34c26
SSDEEP

6144:yk3hOdsylKlgryzc4bNhZF+E+W2knA1ADM/NuNNFNNXNNuNNdNNPNNaNNbNNWNNb:GAcNuNNFNNXNNuNNdNNPNNaNNbNNWNNb

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

svchost.exegst.exeakfng.exeddkvmcjj.exe

pid process

1428 svchost.exe
1408 gst.exe
1576 akfng.exe
1580 ddkvmcjj.exe

pid	process
1428	svchost.exe
1408	gst.exe
1576	akfng.exe
1580	ddkvmcjj.exe

Drops startup file 2 IoCs

Processes:

akfng.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	akfng.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	akfng.exe

Loads dropped DLL 6 IoCs

Processes:

EXCEL.EXEsvchost.exeWScript.exeWScript.exe

pid process

2032 EXCEL.EXE
1428 svchost.exe
1428 svchost.exe
1428 svchost.exe
1692 WScript.exe
1628 WScript.exe

pid	process
2032	EXCEL.EXE
1428	svchost.exe
1428	svchost.exe
1428	svchost.exe
1692	WScript.exe
1628	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

akfng.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	akfng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9_105\\akfng.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\9_105\\whofhgk.sos"	akfng.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	akfng.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\9_105 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9_105\\start.vbs"	akfng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
2032 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
2032 EXCEL.EXE
2032 EXCEL.EXE
2032 EXCEL.EXE
2032 EXCEL.EXE

pid	process
2032	EXCEL.EXE

pid	process
2032	EXCEL.EXE
2032	EXCEL.EXE

pid	process
2032	EXCEL.EXE
2032	EXCEL.EXE
2032	EXCEL.EXE
2032	EXCEL.EXE
2032	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

EXCEL.EXEsvchost.exegst.exeWScript.exeWScript.exeakfng.exe

description	pid	process	target process
PID 2032 wrote to memory of 1428	2032	EXCEL.EXE	svchost.exe
PID 2032 wrote to memory of 1428	2032	EXCEL.EXE	svchost.exe
PID 2032 wrote to memory of 1428	2032	EXCEL.EXE	svchost.exe
PID 2032 wrote to memory of 1428	2032	EXCEL.EXE	svchost.exe
PID 1428 wrote to memory of 1408	1428	svchost.exe	gst.exe
PID 1428 wrote to memory of 1408	1428	svchost.exe	gst.exe
PID 1428 wrote to memory of 1408	1428	svchost.exe	gst.exe
PID 1428 wrote to memory of 1408	1428	svchost.exe	gst.exe
PID 1428 wrote to memory of 1692	1428	svchost.exe	WScript.exe
PID 1428 wrote to memory of 1692	1428	svchost.exe	WScript.exe
PID 1428 wrote to memory of 1692	1428	svchost.exe	WScript.exe
PID 1428 wrote to memory of 1692	1428	svchost.exe	WScript.exe
PID 1408 wrote to memory of 1628	1408	gst.exe	WScript.exe
PID 1408 wrote to memory of 1628	1408	gst.exe	WScript.exe
PID 1408 wrote to memory of 1628	1408	gst.exe	WScript.exe
PID 1408 wrote to memory of 1628	1408	gst.exe	WScript.exe
PID 1692 wrote to memory of 1580	1692	WScript.exe	ddkvmcjj.exe
PID 1692 wrote to memory of 1580	1692	WScript.exe	ddkvmcjj.exe
PID 1692 wrote to memory of 1580	1692	WScript.exe	ddkvmcjj.exe
PID 1692 wrote to memory of 1580	1692	WScript.exe	ddkvmcjj.exe
PID 1628 wrote to memory of 1576	1628	WScript.exe	akfng.exe
PID 1628 wrote to memory of 1576	1628	WScript.exe	akfng.exe
PID 1628 wrote to memory of 1576	1628	WScript.exe	akfng.exe
PID 1628 wrote to memory of 1576	1628	WScript.exe	akfng.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe
PID 1576 wrote to memory of 1720	1576	akfng.exe	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Ref671005018.xls
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\temp\6_910\gst.exe
"C:\Users\Admin\AppData\Local\temp\6_910\gst.exe" Saint-Ã‰tienne-du-Mont is a church located on the Montagne Sainte-GeneviÃ¨ve
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\9_105\pmsg.vbe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\9_105\akfng.exe
"C:\Users\Admin\AppData\Local\Temp\9_105\akfng.exe" whofhgk.sos
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_910\npssxoovaq.vbe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\6_910\ddkvmcjj.exe
"C:\Users\Admin\AppData\Local\Temp\6_910\ddkvmcjj.exe" cjnm.edm
4⤵
- Executes dropped EXE
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_910\ddkvmcjj.exe
Filesize
911KB

MD5
81221edd11b5995e95e971646d9653c0

SHA1
f1b09d14995f24270af8d67050b4e5a38de074f3

SHA256
c809f3429bcc2c666d4b6135c720c8df30ff1ede2f76e73308b82202bd904a6f

SHA512
6780988267df3368e3aec9d1a58c7a9700117b6439bf9545291417cc490ed069ef6068d682138fe870093dab6c8a389a1b5f1256e21c103eb4681b1ac236248a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_910\ddkvmcjj.exe
Filesize
911KB

MD5
81221edd11b5995e95e971646d9653c0

SHA1
f1b09d14995f24270af8d67050b4e5a38de074f3

SHA256
c809f3429bcc2c666d4b6135c720c8df30ff1ede2f76e73308b82202bd904a6f

SHA512
6780988267df3368e3aec9d1a58c7a9700117b6439bf9545291417cc490ed069ef6068d682138fe870093dab6c8a389a1b5f1256e21c103eb4681b1ac236248a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_910\gst.exe
Filesize
1.1MB

MD5
110281413953d3f0417e6444b0004644

SHA1
236630dbc2635dbcb704a78278892948ea224c5d

SHA256
046d38d00b4703467e142264a3b66bea51ed16ca07da98ccf410e90ddd6e95c2

SHA512
a8abd219c73f8742cff7ea7b3ac73bc7276c9040c2f6ba6d868029129fd95c04c5346534bd6a83f0dd32d7ee6b81b45c702958914557cffc87a355648de84f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_105\akfng.exe
Filesize
915KB

MD5
303c86d5e26a663bdb09481f93be2e90

SHA1
b269a394afcf82a26150a8e16daa933176c1d3b2

SHA256
1f13ccb643426fc2b63d2b8492ffd29eb86eb5de53ce3a7f598823fb5311263f

SHA512
7c239f299d29ecd4015e8b53da93188dc814d135597e49b81178ac3da7be1faed8cf2eef41d3eb8b6bbd8f06e6e09fd49b3e0346f1bd3a5c5acca1703b6de955

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_105\akfng.exe
Filesize
915KB

MD5
303c86d5e26a663bdb09481f93be2e90

SHA1
b269a394afcf82a26150a8e16daa933176c1d3b2

SHA256
1f13ccb643426fc2b63d2b8492ffd29eb86eb5de53ce3a7f598823fb5311263f

SHA512
7c239f299d29ecd4015e8b53da93188dc814d135597e49b81178ac3da7be1faed8cf2eef41d3eb8b6bbd8f06e6e09fd49b3e0346f1bd3a5c5acca1703b6de955

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_105\qcmqueptsl.ppt
Filesize
59KB

MD5
aa511ad88b62774609eccded56fe6921

SHA1
bc7995786dd2f464ca72e472588d0d2f8441cba5

SHA256
e1411732032805d54c5c51af508764272d144bb559ca7e45dff1e036049c741d

SHA512
7ec89454e2b09cb0d1dc2cfb8e97e9ca3c27ff552e206d5069ad117c961f607644e2512ff7eb76d78c3ee429c4a044f32c44931e710ba8f600ce36e2b516e960

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_105\whofhgk.sos
Filesize
79.3MB

MD5
111689a0b6b4f08522b7b577692c1001

SHA1
5e88d66c4e5d21676ed9f7117669efbda2e71778

SHA256
92a969067cee6fa37cbe337baaebf53a2a1912975f09be78ef90384eeda6deda

SHA512
f11d8d57295ddb7ae812abfb77cbea08227b1d4751e3d93a9e6c6af7e8d130a2621fc8b30a1bcd0a1a3c41220f89289c10591ab8a7a42b6e29657d377678fcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_105\xsmiqu.crn
Filesize
405KB

MD5
81db3971acf8ec7739e75f8861885f89

SHA1
2f2b8a2302c29e72a28697afa6b7728819469c8e

SHA256
4ce2fd6069f41e43443cc1666a24ebc9e02833b70ba407b6c343cd1c1a3acc3a

SHA512
b237c9d227d69a8d3f42428040e6e162f7868a932272ef48ac92616281bb2ec8f28bc071e248de6b9ce4d762f5f673eef2c362cafac4badc54fc8e08e1abef13

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
2.1MB

MD5
71bc3a380454c4bf0c29f7ce462f5a44

SHA1
13d0575bffee9c37a4bd83f9636b1f0cd028f975

SHA256
c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df

SHA512
03da38432163c1c5f4b063eae32933492b9f60e21f6016c0a1c5c27d46d447672002fe0b82fbb648f497c35549497c999a6f8f68dc2567d350f30bf1eb6db5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
2.1MB

MD5
71bc3a380454c4bf0c29f7ce462f5a44

SHA1
13d0575bffee9c37a4bd83f9636b1f0cd028f975

SHA256
c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df

SHA512
03da38432163c1c5f4b063eae32933492b9f60e21f6016c0a1c5c27d46d447672002fe0b82fbb648f497c35549497c999a6f8f68dc2567d350f30bf1eb6db5aa

Download Submit
C:\Users\Admin\AppData\Local\temp\6_910\gst.exe
Filesize
1.1MB

MD5
110281413953d3f0417e6444b0004644

SHA1
236630dbc2635dbcb704a78278892948ea224c5d

SHA256
046d38d00b4703467e142264a3b66bea51ed16ca07da98ccf410e90ddd6e95c2

SHA512
a8abd219c73f8742cff7ea7b3ac73bc7276c9040c2f6ba6d868029129fd95c04c5346534bd6a83f0dd32d7ee6b81b45c702958914557cffc87a355648de84f84

Download Submit
C:\Users\Admin\AppData\Local\temp\6_910\npssxoovaq.vbe
Filesize
28KB

MD5
e84f87dacfb7eb1b00eeec1aaac1d4cf

SHA1
b263f4462b1d3ecb6e0dfeae04ef6dadd96f608c

SHA256
c91dc9fae6dbf85acddcba2c0966de01d6a48e56a779488fec5731e6fda2e242

SHA512
a0449c4648f2e7356c9334fc0d7b6c201e7e646661e444d53961b6c9b847e7b53a772e06fb7be25f26019b70b78f51d67120fb2ee70ff7eee561526d2b3917c9

Download Submit
C:\Users\Admin\AppData\Local\temp\9_105\pmsg.vbe
Filesize
32KB

MD5
dbeb963635b0737ceca13c7f9bc566d7

SHA1
10b6334645131d81b311c71eca7a8f9ccde127d1

SHA256
01299ecd0169896c320e2690a782a45a7e8f2d94cbc221dbe153ceb694febbe6

SHA512
b48d909051ecbb73ab47c89fcfee3cbdb9a08c5a246e3e0ec4780e64e402e01d16ff2f2fa3025bc11f2efaaf28b47496aa83f1957db8d131e9ea8e7a20bef3d9

Download Submit
\Users\Admin\AppData\Local\Temp\6_910\ddkvmcjj.exe
Filesize
911KB

MD5
81221edd11b5995e95e971646d9653c0

SHA1
f1b09d14995f24270af8d67050b4e5a38de074f3

SHA256
c809f3429bcc2c666d4b6135c720c8df30ff1ede2f76e73308b82202bd904a6f

SHA512
6780988267df3368e3aec9d1a58c7a9700117b6439bf9545291417cc490ed069ef6068d682138fe870093dab6c8a389a1b5f1256e21c103eb4681b1ac236248a

Download Submit
\Users\Admin\AppData\Local\Temp\6_910\gst.exe
Filesize
1.1MB

MD5
110281413953d3f0417e6444b0004644

SHA1
236630dbc2635dbcb704a78278892948ea224c5d

SHA256
046d38d00b4703467e142264a3b66bea51ed16ca07da98ccf410e90ddd6e95c2

SHA512
a8abd219c73f8742cff7ea7b3ac73bc7276c9040c2f6ba6d868029129fd95c04c5346534bd6a83f0dd32d7ee6b81b45c702958914557cffc87a355648de84f84

Download Submit
\Users\Admin\AppData\Local\Temp\6_910\gst.exe
Filesize
1.1MB

MD5
110281413953d3f0417e6444b0004644

SHA1
236630dbc2635dbcb704a78278892948ea224c5d

SHA256
046d38d00b4703467e142264a3b66bea51ed16ca07da98ccf410e90ddd6e95c2

SHA512
a8abd219c73f8742cff7ea7b3ac73bc7276c9040c2f6ba6d868029129fd95c04c5346534bd6a83f0dd32d7ee6b81b45c702958914557cffc87a355648de84f84

Download Submit
\Users\Admin\AppData\Local\Temp\6_910\gst.exe
Filesize
1.1MB

MD5
110281413953d3f0417e6444b0004644

SHA1
236630dbc2635dbcb704a78278892948ea224c5d

SHA256
046d38d00b4703467e142264a3b66bea51ed16ca07da98ccf410e90ddd6e95c2

SHA512
a8abd219c73f8742cff7ea7b3ac73bc7276c9040c2f6ba6d868029129fd95c04c5346534bd6a83f0dd32d7ee6b81b45c702958914557cffc87a355648de84f84

Download Submit
\Users\Admin\AppData\Local\Temp\9_105\akfng.exe
Filesize
915KB

MD5
303c86d5e26a663bdb09481f93be2e90

SHA1
b269a394afcf82a26150a8e16daa933176c1d3b2

SHA256
1f13ccb643426fc2b63d2b8492ffd29eb86eb5de53ce3a7f598823fb5311263f

SHA512
7c239f299d29ecd4015e8b53da93188dc814d135597e49b81178ac3da7be1faed8cf2eef41d3eb8b6bbd8f06e6e09fd49b3e0346f1bd3a5c5acca1703b6de955

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
2.1MB

MD5
71bc3a380454c4bf0c29f7ce462f5a44

SHA1
13d0575bffee9c37a4bd83f9636b1f0cd028f975

SHA256
c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df

SHA512
03da38432163c1c5f4b063eae32933492b9f60e21f6016c0a1c5c27d46d447672002fe0b82fbb648f497c35549497c999a6f8f68dc2567d350f30bf1eb6db5aa

Download Submit
memory/1408-92-0x0000000000000000-mapping.dmp

Download
memory/1428-85-0x0000000000000000-mapping.dmp

Download
memory/1576-107-0x0000000000000000-mapping.dmp

Download
memory/1580-105-0x0000000000000000-mapping.dmp

Download
memory/1628-99-0x0000000000000000-mapping.dmp

Download
memory/1692-94-0x0000000000000000-mapping.dmp

Download
memory/2032-68-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-67-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-81-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-83-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-82-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-79-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-78-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-76-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-77-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-75-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-74-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-71-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-72-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-73-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-70-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-69-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-54-0x000000002F211000-0x000000002F214000-memory.dmp

Filesize
12KB

Download
memory/2032-80-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-66-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-65-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-64-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-63-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-59-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-60-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-61-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-62-0x0000000000451000-0x000000000045C000-memory.dmp

Filesize
44KB

Download
memory/2032-58-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000072ACD000-0x0000000072AD8000-memory.dmp

Filesize
44KB

Download
memory/2032-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-114-0x0000000072ACD000-0x0000000072AD8000-memory.dmp

Filesize
44KB

Download
memory/2032-55-0x0000000071AE1000-0x0000000071AE3000-memory.dmp

Filesize
8KB

Download
memory/2032-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-117-0x0000000072ACD000-0x0000000072AD8000-memory.dmp

Filesize
44KB

Download