Malware Analysis Report

2025-06-16 05:13

Sample ID 230127-k7w6esab24
Target Doc_230127.xlsx
SHA256 c59569a4dcfea9baca6013c1abdc304577907e8cc1659fc8df93d6bb48129845
Tags
formbook xloader poub loader rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256 c59569a4dcfea9baca6013c1abdc304577907e8cc1659fc8df93d6bb48129845

Threat Level: Known bad

The file Doc_230127.xlsx was found to be: Known bad.

Malicious Activity Summary

formbook xloader poub loader rat spyware stealer trojan

Xloader

Formbook

Xloader payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Launches Equation Editor

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-27 09:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-27 09:15

Reported

2023-01-27 09:17

Platform

win7-20220812-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\name.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Public\name.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1820 set thread context of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe
PID 1188 set thread context of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe C:\Windows\Explorer.EXE
PID 1968 set thread context of 1352 N/A C:\Windows\SysWOW64\control.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\control.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 944 wrote to memory of 1840 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 1980 wrote to memory of 1820 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe
PID 1820 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe
PID 1352 wrote to memory of 1968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\control.exe
PID 1968 wrote to memory of 1796 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Doc_230127.xlsx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe

C:\Users\Public\name.exe

C:\Users\Public\name.exe

C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe

"C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe" C:\Users\Admin\AppData\Local\Temp\rznlc.m

C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe

"C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\SysWOW64\control.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\ozggicxy.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-01-27 09:15

Reported

2023-01-27 09:17

Platform

win10v2004-20220812-en

Max time kernel

101s

Max time network

137s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_230127.xlsx"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_230127.xlsx"

Network

Country Destination Domain Proto
N/A 104.110.191.133:80 tcp
N/A 104.110.191.133:80 tcp

Files
