c8638e2a29455a9f17ae246aca7156fe7346e95a9abe66fd8832ab3ff6a58746

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07586499.xls
Size

1.7MB
MD5

f939f0754dbf01ab04a9ad14e219a9b2
SHA1

e3812c98288b7d8fa029aad9ba44df7872a2ca9b
SHA256

c8638e2a29455a9f17ae246aca7156fe7346e95a9abe66fd8832ab3ff6a58746
SHA512

d745b03012a5bd3e49819ff8edd49d8eb073f49a1072568892d23c1f307a2f35f5304c36b54dfdfc1bf05bf24c5a145824de35e2db4ca6046a8024fde4a5319e
SSDEEP

49152:kuQ9zPjPyGiTupw1A+cJbm5Qs633AO05:kN52BTYZ+qbm5QBw

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	816	2016	svchost.exe	26

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	568	EQNEDT32.EXE

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\International\Geo\Nation	cleanmgr_rse.exe

Executes dropped EXE 2 IoCs

pid	Process
552	cleanmgr_rse.exe
1328	cleanmgr_rse.exe

Loads dropped DLL 3 IoCs

pid	Process
568	EQNEDT32.EXE
552	cleanmgr_rse.exe
816	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 552 set thread context of 1328	552	cleanmgr_rse.exe	31
PID 1328 set thread context of 2016	1328	cleanmgr_rse.exe	26
PID 816 set thread context of 1280	816	svchost.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
568	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2016	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1328	cleanmgr_rse.exe
1328	cleanmgr_rse.exe
1328	cleanmgr_rse.exe
1328	cleanmgr_rse.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
552	cleanmgr_rse.exe
1328	cleanmgr_rse.exe
1328	cleanmgr_rse.exe
1328	cleanmgr_rse.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	cleanmgr_rse.exe
Token: SeDebugPrivilege	816	svchost.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2016	EXCEL.EXE
2016	EXCEL.EXE
2016	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 552	568	EQNEDT32.EXE	30
PID 568 wrote to memory of 552	568	EQNEDT32.EXE	30
PID 568 wrote to memory of 552	568	EQNEDT32.EXE	30
PID 568 wrote to memory of 552	568	EQNEDT32.EXE	30
PID 552 wrote to memory of 1328	552	cleanmgr_rse.exe	31
PID 552 wrote to memory of 1328	552	cleanmgr_rse.exe	31
PID 552 wrote to memory of 1328	552	cleanmgr_rse.exe	31
PID 552 wrote to memory of 1328	552	cleanmgr_rse.exe	31
PID 552 wrote to memory of 1328	552	cleanmgr_rse.exe	31
PID 2016 wrote to memory of 816	2016	EXCEL.EXE	32
PID 2016 wrote to memory of 816	2016	EXCEL.EXE	32
PID 2016 wrote to memory of 816	2016	EXCEL.EXE	32
PID 2016 wrote to memory of 816	2016	EXCEL.EXE	32
PID 816 wrote to memory of 1440	816	svchost.exe	34
PID 816 wrote to memory of 1440	816	svchost.exe	34
PID 816 wrote to memory of 1440	816	svchost.exe	34
PID 816 wrote to memory of 1440	816	svchost.exe	34
PID 816 wrote to memory of 1440	816	svchost.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1280
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\07586499.xls
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:1440

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Public\cleanmgr_rse.exe
  "C:\Users\Public\cleanmgr_rse.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Public\cleanmgr_rse.exe
    "C:\Users\Public\cleanmgr_rse.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\m06xzr.zip

Filesize
486KB

MD5
1e73cacce02ae20026a81f1e56416aa3

SHA1
f491a7301ce11cf11a92c0245c7e03d927422286

SHA256
0dd0dd38cde5a14e7d6d0830db62cc7037e521fd042b0b8da0763128b2c0b3f2

SHA512
afe77facd8b16cc744ac2277414ffaf83436999d15eb8ac707f8098e2f8ed4cb29b430392ebe46b7fa65b20730615bc33dee9416f7141da5032a630894980a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5718.tmp\whuge.dll

Filesize
44KB

MD5
ae322cc2e6d5ef8496cb9057dee16ad1

SHA1
29081880652818f488394bcd3b0c3030db695e67

SHA256
2327a2e070e40aa90e3534d9acbcebfc5af17a26eeb05a4d80faec633a3dff43

SHA512
ac18e87a630659d9d98e6ed03ba377e9cf74be17908a4ef9332ba20b58fbbd10fbc662871773569da56843f18c88e278d31f819d7e062a16c8fb8f994b200707

Download Submit
C:\Users\Public\cleanmgr_rse.exe

Filesize
267KB

MD5
d08a460cac4ff3eea6484336953a0d08

SHA1
662dd7717e21aebe261d44b57842aea44c2c8939

SHA256
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

SHA512
c88ec4c8b5efe86fc14af8ea266986780a4a48030715ced616a1cd857667be7b0b05d4ae414495190ae3065a302b49a603d028257f923579017ab05a48a5d175

Download Submit
C:\Users\Public\cleanmgr_rse.exe

Filesize
267KB

MD5
d08a460cac4ff3eea6484336953a0d08

SHA1
662dd7717e21aebe261d44b57842aea44c2c8939

SHA256
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

SHA512
c88ec4c8b5efe86fc14af8ea266986780a4a48030715ced616a1cd857667be7b0b05d4ae414495190ae3065a302b49a603d028257f923579017ab05a48a5d175

Download Submit
C:\Users\Public\cleanmgr_rse.exe

Filesize
267KB

MD5
d08a460cac4ff3eea6484336953a0d08

SHA1
662dd7717e21aebe261d44b57842aea44c2c8939

SHA256
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

SHA512
c88ec4c8b5efe86fc14af8ea266986780a4a48030715ced616a1cd857667be7b0b05d4ae414495190ae3065a302b49a603d028257f923579017ab05a48a5d175

Download Submit
C:\Users\Public\cleanmgr_rse.exe

Filesize
267KB

MD5
d08a460cac4ff3eea6484336953a0d08

SHA1
662dd7717e21aebe261d44b57842aea44c2c8939

SHA256
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

SHA512
c88ec4c8b5efe86fc14af8ea266986780a4a48030715ced616a1cd857667be7b0b05d4ae414495190ae3065a302b49a603d028257f923579017ab05a48a5d175

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\whuge.dll

Filesize
44KB

MD5
ae322cc2e6d5ef8496cb9057dee16ad1

SHA1
29081880652818f488394bcd3b0c3030db695e67

SHA256
2327a2e070e40aa90e3534d9acbcebfc5af17a26eeb05a4d80faec633a3dff43

SHA512
ac18e87a630659d9d98e6ed03ba377e9cf74be17908a4ef9332ba20b58fbbd10fbc662871773569da56843f18c88e278d31f819d7e062a16c8fb8f994b200707

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
927KB

MD5
7fd80b1cc72dc580c02ca4cfbfb2592d

SHA1
18da905af878b27151b359cf1a7d0a650764e8a1

SHA256
1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

SHA512
13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

Download Submit
\Users\Public\cleanmgr_rse.exe

Filesize
267KB

MD5
d08a460cac4ff3eea6484336953a0d08

SHA1
662dd7717e21aebe261d44b57842aea44c2c8939

SHA256
eef51981f7cdb215ed2578d443d27eddbed6dcaa37c568200edfc545b43ec69d

SHA512
c88ec4c8b5efe86fc14af8ea266986780a4a48030715ced616a1cd857667be7b0b05d4ae414495190ae3065a302b49a603d028257f923579017ab05a48a5d175

Download Submit
memory/552-78-0x0000000002B60000-0x0000000002B62000-memory.dmp

Filesize
8KB

Download
memory/816-92-0x00000000003D0000-0x000000000045F000-memory.dmp

Filesize
572KB

Download
memory/816-90-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/816-140-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/816-87-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/816-88-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/816-89-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1280-91-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1280-96-0x00000000065D0000-0x0000000006675000-memory.dmp

Filesize
660KB

Download
memory/1280-138-0x00000000065D0000-0x0000000006675000-memory.dmp

Filesize
660KB

Download
memory/1328-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-82-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/2016-84-0x00000000076F0000-0x00000000077D2000-memory.dmp

Filesize
904KB

Download
memory/2016-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2016-94-0x00000000076F0000-0x00000000077D2000-memory.dmp

Filesize
904KB

Download
memory/2016-153-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download