crimsonrat | a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82

Resubmissions

15-11-2023 08:58

231115-kw7ssafc93 10

14-11-2023 09:28

231114-lfdqfaba74 10

Analysis

max time kernel
127s
max time network
257s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82.xlam
Size

3.4MB
MD5

41d801d96c9e27c5ca6c4678ffa2d7e2
SHA1

f8c6b5b4c520c2416bea015451cc8aca3283abe6
SHA256

a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82
SHA512

58bfe64961ed881bb1489a5e298f4302d26568c770b5422aff36952514c33c91b588a000554e75581939b98185d2ca7681042e288215e8d62468f028bf8c847c
SSDEEP

98304:Wal3ZM+KyXAQ5036pRV4sWWL4lxoeF35abXerDX6:dM+Kg503C74uL4XD8qK

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

64.188.21.202

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

itugpisacrev.com

pid process

2148 itugpisacrev.com
Loads dropped DLL 1 IoCs

Processes:

EXCEL.EXE

pid process

2392 EXCEL.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
2148	itugpisacrev.com

pid	process
2392	EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\Downloads\942\mydocs.zip\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2392 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

itugpisacrev.com

pid process

2148 itugpisacrev.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

itugpisacrev.com

description pid process

Token: SeDebugPrivilege 2148 itugpisacrev.com
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

EXCEL.EXE

pid process

2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXE

pid process

2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE
2392 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\Downloads\942\mydocs.zip\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
2392	EXCEL.EXE

pid	process
2148	itugpisacrev.com

description	pid	process
Token: SeDebugPrivilege	2148	itugpisacrev.com

pid	process
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE

pid	process
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE
2392	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 2392 wrote to memory of 2148	2392	EXCEL.EXE	itugpisacrev.com
PID 2392 wrote to memory of 2148	2392	EXCEL.EXE	itugpisacrev.com
PID 2392 wrote to memory of 2148	2392	EXCEL.EXE	itugpisacrev.com
PID 2392 wrote to memory of 2148	2392	EXCEL.EXE	itugpisacrev.com
PID 2392 wrote to memory of 3044	2392	EXCEL.EXE	splwow64.exe
PID 2392 wrote to memory of 3044	2392	EXCEL.EXE	splwow64.exe
PID 2392 wrote to memory of 3044	2392	EXCEL.EXE	splwow64.exe
PID 2392 wrote to memory of 3044	2392	EXCEL.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82.xlam
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\Downloads\942\itugpisacrev.com
  C:\Users\Admin\Downloads\942\itugpisacrev.com
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DOWNLO~1\942\OLEOBJ~1.ZIP

Filesize
3.5MB

MD5
22ec8f10e85d07c61783da6ef409b698

SHA1
0f1c60575fd3d3e78d8b8d677de32d4a3547ffec

SHA256
64c23c177bbeca04906058918c26b80b2fee7774f9ad3682bf14142c8fc32fb0

SHA512
8f53f8e29c73fbaf5867b0c55fbf57c1e3a7f1d59008a379b37f0649d7f3660d31ea4d047256dc7d728ed79ae54ebe928eed631a247ec2ae6e84f5e92b44ef70

Download Submit
C:\Users\Admin\DOWNLO~1\942\mydocs.zip

Filesize
3.4MB

MD5
41d801d96c9e27c5ca6c4678ffa2d7e2

SHA1
f8c6b5b4c520c2416bea015451cc8aca3283abe6

SHA256
a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82

SHA512
58bfe64961ed881bb1489a5e298f4302d26568c770b5422aff36952514c33c91b588a000554e75581939b98185d2ca7681042e288215e8d62468f028bf8c847c

Download Submit
C:\Users\Admin\Downloads\942\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
C:\Users\Admin\Downloads\942\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
C:\Users\Admin\Downloads\942\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
C:\Users\Admin\Downloads\942\mydocs.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\942\xl\embeddings\itugpisacrev.zip

Filesize
3.5MB

MD5
c01bae9b26a56b279615f4fe3ed44421

SHA1
7c4bcb10945441a46241859da769e6ff767a81b9

SHA256
eda677d25eea548857ac2cf803e652f776285418e4520dc005b4492c913ecb01

SHA512
1a90139d7d666c52f2f730d9c70df4d8735828fda17b232216b5d7bb83d0009d9fd51bd09a46c7f8a4d2051ed06ad6fca127a1438b43362988da84fed1dacaeb

Download Submit
C:\Users\Admin\Downloads\a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82.xlam.xlsx

Filesize
15KB

MD5
e6e7f06b649fc6df7f948d3450a7b344

SHA1
fb591934229a5ad5b1aa010d99e9f64fb7dfc9ca

SHA256
74e119c485fb71f3b5d5e64a271b8dd8299db5833612aa78400223c2064b2732

SHA512
cac4367865c55cb1c4490be6d53ea6a9de36b8360aa74e86118e353c369b4abb065174047c8c83ff7b6cb27d74f6400b51eea296a94b795bc5c9a6e5aac1c7d2

Download Submit
\Users\Admin\Downloads\942\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
memory/2148-346-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-347-0x00000000003F0000-0x0000000001A68000-memory.dmp

Filesize
22.5MB

Download
memory/2148-367-0x000000001C8A0000-0x000000001C920000-memory.dmp

Filesize
512KB

Download
memory/2148-366-0x000000001C8A0000-0x000000001C920000-memory.dmp

Filesize
512KB

Download
memory/2148-365-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-360-0x000000001C8A0000-0x000000001C920000-memory.dmp

Filesize
512KB

Download
memory/2148-348-0x000000001C8A0000-0x000000001C920000-memory.dmp

Filesize
512KB

Download
memory/2392-18-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2392-10-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-53-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2392-9-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-7-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-3-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-4-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-5-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-6-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-2-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-8-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-16-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-17-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-1-0x000000007243D000-0x0000000072448000-memory.dmp

Filesize
44KB

Download
memory/2392-15-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-361-0x000000007243D000-0x0000000072448000-memory.dmp

Filesize
44KB

Download
memory/2392-362-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-363-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-364-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2392-14-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-12-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2392-11-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download