Malware Analysis Report

2024-09-22 11:24

Sample ID 230924-q7w4bahb99
Target c7448faf4e8737ed7260e0c0d48c56ba74b54e558805b869d28902d0b5a911eb_JC.lzh
SHA256 c7448faf4e8737ed7260e0c0d48c56ba74b54e558805b869d28902d0b5a911eb
Tags
hawkeye collection evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7448faf4e8737ed7260e0c0d48c56ba74b54e558805b869d28902d0b5a911eb

Threat Level: Known bad

The file c7448faf4e8737ed7260e0c0d48c56ba74b54e558805b869d28902d0b5a911eb_JC.lzh was found to be: Known bad.

Malicious Activity Summary

hawkeye collection evasion keylogger persistence spyware stealer trojan

HawkEye

Nirsoft

NirSoft MailPassView

Looks for VirtualBox Guest Additions in registry

NirSoft WebBrowserPassView

Looks for VMWare Tools registry key

Checks computer location settings

Checks BIOS information in registry

Uses the VBS compiler for execution

Adds Run key to start application

Maps connected drives based on registry

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-09-24 13:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-24 13:54

Reported

2023-09-24 13:57

Platform

win7-20230831-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows)

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A (2 identical rows)

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2244 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe (9 identical rows)
PID 2552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (10 identical rows)
PID 2552 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (10 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe

"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pbFphueKZdI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C30.tmp"

C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.lucd.shop udp
US 109.106.251.58:587 mail.lucd.shop tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.141:80 apps.identrust.com tcp

Files

memory/2244-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2244-0-0x0000000000A90000-0x0000000000BB8000-memory.dmp

memory/2244-2-0x0000000004F90000-0x0000000004FD0000-memory.dmp

memory/2244-3-0x00000000005A0000-0x00000000005AC000-memory.dmp

memory/2244-4-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2244-5-0x0000000004F90000-0x0000000004FD0000-memory.dmp

memory/2244-6-0x0000000005E90000-0x0000000005F58000-memory.dmp

memory/2244-7-0x0000000004EF0000-0x0000000004F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C30.tmp

MD5 de367dee3bcbd57818686c35a11db802
SHA1 48bff87063472ebf696a5d55e9a1e4efc4c94195
SHA256 be8283e371c17225c7fe3c9498e4254eea1e5fce650cc921a5f7158d46b93c9e
SHA512 5e13b4047d791dafa44a81da05de72683bf58bb13e616749b4c117d176201d27377bf40e512e07470915490e14a42ef6fc21d4ceca3a35ccede114dccf089448

memory/2552-11-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-13-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-14-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-16-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2552-19-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-21-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-23-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2552-26-0x0000000004FC0000-0x0000000005000000-memory.dmp

memory/2552-25-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2244-24-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2552-31-0x0000000000560000-0x0000000000568000-memory.dmp

memory/2868-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2868-35-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2868-36-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2552-34-0x0000000004FC0000-0x0000000005000000-memory.dmp

memory/2552-37-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2552-38-0x0000000004FC0000-0x0000000005000000-memory.dmp

memory/2868-40-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2416-41-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2416-43-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2416-44-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2416-48-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab12.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar295.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a05a9202576a3a1369cb01137958ad4
SHA1 dc2f0d7e4d6e703a61b74ba1610413785d351418
SHA256 d68b76cc9a11d44795f38297825cb7da318d631249223750d45d486e72692f50
SHA512 9be84f3ee78dbbb8aec0f4ede1f6d77e47cfe267d78abe7d967bb590475ac029d767d24d3e568e0d1dc9f64618af47f7749b8de3d1aee4543ee9ece1c21a958c

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-24 13:54

Reported

2023-09-24 13:57

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A (2 identical rows)

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1412 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe (8 identical rows)
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1044 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe

"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pbFphueKZdI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp"

C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
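The process tree above carries three tells a detection engineer can key on without any HawkEye-specific indicator: a 32-bit dropper registering a scheduled task from an XML definition in the user's Temp directory (the image is SysWOW64\schtasks.exe even though the command line names System32, because WoW64 file-system redirection rewrites the path, so match on the basename, not the full path); the dropper launching a second copy of its own image, which is the staging step for the SetThreadContext/WriteProcessMemory activity recorded above; and vbc.exe, the VB.NET compiler, being run with /stext, a switch that belongs to NirSoft recovery tools and that the compiler does not have. The following Python is an added example, not part of the sandbox report, that runs those three rules over constructed process-creation events modelled on this tree (the last row, a normal vbc.exe compile, is a benign control that is not from the report; parent PID 600 and PID 2000/2100 are made up).

```python
import re

# Constructed process-creation events modelled on the process tree in this
# report: (parent_pid, pid, image_path, command_line). The final row is a
# benign control (an ordinary vbc.exe compile) and is not from the report.
SAMPLE_EVENTS = [
    (600, 1412, r"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe"'),
    (1412, 928, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pbFphueKZdI" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp"'),
    (1412, 1044, r"C:\Users\Admin\AppData\Local\Temp\NO#CU-92504 Xls.exe",
     r'"{path}"'),
    (1044, 3736, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext '
     r'"C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    (1044, 3456, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext '
     r'"C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    (2000, 2100, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /nologo /out:app.exe Module1.vb"),
]

# Literal "\AppData\Local\Temp\" anywhere in a path, case-insensitive.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    """Image file name, lower-cased, so SysWOW64 and System32 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def arg_after(args, switch):
    """Value following a switch such as /XML (case-insensitive), or '' if absent."""
    lowered = [a.lower() for a in args]
    if switch in lowered and lowered.index(switch) + 1 < len(args):
        return args[lowered.index(switch) + 1]
    return ""


def scan(events):
    """Return {pid: [rule, ...]} for every event matching one of the three tells."""
    image_by_pid = {pid: image.lower() for _, pid, image, _ in events}
    hits = {}
    for ppid, pid, image, cmdline in events:
        args = tokenize(cmdline)
        switches = {a.lower() for a in args if a.startswith("/")}
        rules = []
        # Persistence: a task registered from an XML definition dropped in %TEMP%.
        if (basename(image) == "schtasks.exe" and "/create" in switches
                and TEMP_DIR_RE.search(arg_after(args, "/xml"))):
            rules.append("schtasks_create_from_temp_xml")
        # Credential theft: the VB.NET compiler has no /stext switch; NirSoft
        # recovery tools do, so this vbc.exe is hosting something else.
        if basename(image) == "vbc.exe" and "/stext" in switches:
            rules.append("vbc_hosting_nirsoft_stext")
        # Injection staging: a process launching a second copy of its own image.
        if image_by_pid.get(ppid) == image.lower():
            rules.append("spawns_copy_of_itself")
        if rules:
            hits[pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The self-spawn rule needs the parent's image path, so it only works on a log that records both parent and child (Sysmon event 1 or EDR process-creation telemetry does; the bare command-line list in this report does not). The /stext rule is deliberately narrow: it fires on the switch, not on the output file name, so renaming holdermail.txt does not evade it.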

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 36.154.16.104.in-addr.arpa udp
US 8.8.8.8:53 mail.lucd.shop udp
US 109.106.251.58:587 mail.lucd.shop tcp
US 8.8.8.8:53 58.251.106.109.in-addr.arpa udp
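Two things in the network table matter for detection: the sample first asks a public "what is my IP" service for the victim's external address (whatismyipaddress.com over 80 and 443), then opens a TCP session to port 587 on mail.lucd.shop, the submission port a stealer uses to mail its harvest out over SMTP. The in-addr.arpa queries are reverse lookups of the addresses contacted and are typically produced by the analysis environment rather than by the sample, so they should be dropped before correlating. The following Python is an added example, not part of the report, that parses rows in the report's own "Country Destination Domain Proto" layout and raises the SMTP finding to high severity when it follows an external-IP lookup; the last row (documentation-range IP 203.0.113.10, host smtp.corp.example) is a constructed stand-in for an approved corporate relay and is not from the report.

```python
from dataclasses import dataclass

# Rows copied from the Network table above in the report's own layout, plus
# one constructed benign row (documentation-range IP, made-up host name)
# standing in for an approved corporate mail relay.
NETWORK_ROWS = """\
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 36.154.16.104.in-addr.arpa udp
US 8.8.8.8:53 mail.lucd.shop udp
US 109.106.251.58:587 mail.lucd.shop tcp
US 8.8.8.8:53 58.251.106.109.in-addr.arpa udp
XX 203.0.113.10:587 smtp.corp.example tcp
"""

# Public external-IP services commonly contacted by stealers before exfiltration.
IP_DISCOVERY_HOSTS = {
    "whatismyipaddress.com", "api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
}
MAIL_SUBMISSION_PORTS = {25, 465, 587}


@dataclass
class NetEvent:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


@dataclass
class Finding:
    rule: str
    target: str
    severity: str


def parse_rows(text):
    """Parse 'Country IP:port Domain Proto' rows; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        events.append(NetEvent(country, ip, int(port), domain, proto))
    return events


def analyse(events, approved_mail_hosts):
    """Flag external-IP discovery and SMTP submission to hosts outside the allowlist.

    An SMTP finding that comes after an IP lookup in the same capture is rated
    high; on its own it is medium. Each (rule, target) pair is reported once.
    """
    findings = []
    seen = set()
    ip_discovered = False
    for ev in events:
        if ev.domain.endswith(".in-addr.arpa"):
            continue  # reverse lookups: typically the sandbox, not the sample
        if ev.proto != "tcp":
            continue  # a DNS query alone is not actionable; wait for the connection
        if ev.domain in IP_DISCOVERY_HOSTS:
            ip_discovered = True
            key = ("external_ip_lookup", ev.domain)
            if key not in seen:
                seen.add(key)
                findings.append(Finding(*key, "info"))
        elif ev.port in MAIL_SUBMISSION_PORTS and ev.domain not in approved_mail_hosts:
            key = ("unapproved_smtp_submission", f"{ev.domain}:{ev.port}")
            if key not in seen:
                seen.add(key)
                findings.append(Finding(*key, "high" if ip_discovered else "medium"))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_rows(NETWORK_ROWS), {"smtp.corp.example"}):
        print(f.severity.upper(), f.rule, f.target)
```

On a real network the same logic runs over flow or proxy logs with the process name attached; outbound 587 from anything other than the mail client or an approved relay is rare enough in most estates to alert on by itself, and the preceding IP-lookup request is what distinguishes a stealer from a misconfigured script. Blocking 587/465/25 egress except from the relay removes this exfiltration path entirely.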

Files

memory/1412-0-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/1412-1-0x0000000000030000-0x0000000000158000-memory.dmp

memory/1412-2-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

memory/1412-3-0x0000000005200000-0x00000000057A4000-memory.dmp

memory/1412-4-0x0000000004C50000-0x0000000004CE2000-memory.dmp

memory/1412-5-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1412-6-0x0000000004B60000-0x0000000004B6A000-memory.dmp

memory/1412-7-0x0000000004E60000-0x0000000004EB6000-memory.dmp

memory/1412-8-0x0000000007980000-0x000000000798C000-memory.dmp

memory/1412-9-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/1412-10-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1412-11-0x00000000079A0000-0x0000000007A68000-memory.dmp

memory/1412-12-0x0000000005F70000-0x0000000005FF8000-memory.dmp

memory/1412-13-0x0000000006000000-0x0000000006066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp

MD5 f28fe47f8da4ffa512a7ee4f7ddc11f5
SHA1 fa4d63a6b768602f24632e63af36e777592eb02d
SHA256 f5e26cd4dac383b6e77de96474b0f228694118ecd7477cca9059b7bd998ff90a
SHA512 5e42ab94ad041445d69aaf5d78a701c6d3f1758c11ec8c95cc54ee7da179ad2dd270eb3cf80a141b4c718ffee47279aedd0103472a9dbfc2c03bf78568b60f1d

memory/1044-17-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1044-19-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/1412-20-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/1044-21-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/1044-26-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

memory/3736-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1044-29-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3736-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3736-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3736-32-0x0000000000420000-0x00000000004E9000-memory.dmp

memory/3736-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1044-34-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/1044-35-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/1044-36-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3456-37-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3456-39-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3456-40-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/3456-47-0x0000000000400000-0x0000000000458000-memory.dmp
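The memory dump names encode pid, capture sequence number and the region's start and end address, which is enough to read the injection chain off the file list. PID 1412 (the dropper) has its image at 0x30000; its child 1044, the second copy of the same executable, instead has a region at the conventional 0x400000 base, and the two vbc.exe instances 3736 and 3456 carry 0x400000 regions of different sizes (0x1B000 and 0x58000). Two processes started from the same on-disk vbc.exe would normally map an image of the same size, so the difference is consistent with the SetThreadContext and WriteProcessMemory signatures above: each vbc.exe hosts a different injected payload. The following Python is an added example, not part of the report, that parses the dump names (a subset copied from the list above) and makes that comparison; the dump boundaries are what the sandbox captured, not necessarily the full mapped image, so confirm a hollowing hypothesis by comparing SizeOfImage in the dumped PE header against the on-disk vbc.exe.

```python
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied from the Files list above; a subset is enough for the method.
DUMP_NAMES = [
    "memory/1412-0-0x00000000751E0000-0x0000000075990000-memory.dmp",
    "memory/1412-1-0x0000000000030000-0x0000000000158000-memory.dmp",
    "memory/1044-17-0x0000000000400000-0x0000000000488000-memory.dmp",
    "memory/1044-19-0x00000000751E0000-0x0000000075990000-memory.dmp",
    "memory/3736-27-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/3736-30-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/3736-32-0x0000000000420000-0x00000000004E9000-memory.dmp",
    "memory/3456-37-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/3456-47-0x0000000000400000-0x0000000000458000-memory.dmp",
]


def parse_dump_name(name):
    """(pid, seq, start, end) for a well-formed dump name, else None."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """pid -> sorted distinct (start, end) regions; repeated dumps of one region collapse."""
    regions = defaultdict(set)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed:
            pid, _, start, end = parsed
            regions[pid].add((start, end))
    return {pid: sorted(r) for pid, r in regions.items()}


def region_size_at(names, pid, base):
    """Size in bytes of the region starting exactly at `base` in `pid`, or None."""
    for start, end in regions_by_pid(names).get(pid, []):
        if start == base:
            return end - start
    return None


def inconsistent_image_sizes(names, pids, base=0x400000):
    """For processes that should share one on-disk image, return {pid: size at base}
    when the sizes disagree (a hint that different code was mapped in), else {}."""
    sizes = {pid: region_size_at(names, pid, base) for pid in pids}
    return sizes if len(set(sizes.values())) > 1 else {}


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMP_NAMES).items()):
        print(pid, ["0x%X-0x%X" % r for r in regs])
    print("vbc.exe image-base mismatch:", inconsistent_image_sizes(DUMP_NAMES, [3736, 3456]))
```

The 0x751E0000-0x75990000 region shows up in both 1412 and 1044 at the same address, which is what a shared system module looks like; it is the regions that differ between processes running the same binary that deserve a closer look, and those are the dumps to open first in a disassembler.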