Malware Analysis Report

2025-03-14 23:28

Sample ID 240407-wxqfnsbb46
Target 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29
SHA256 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29
Tags persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29

Threat Level: Shows suspicious behavior

The file 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Runs regedit.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-07 18:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-07 18:18
Reported 2024-04-07 18:20
Platform win7-20240221-en
Max time kernel 118s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe N/A

Adds Run key to start application

Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogdate.exe" C:\Windows\SysWOW64\regedit.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

Tags adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 2924 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 2924 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 2924 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 2924 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2924 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe

"C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\kb71271.log

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde

Network

Country Destination Domain Proto
US 8.8.8.8:53 wwap.publiclol.com udp
US 3.130.204.160:80 wwap.publiclol.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp

Files

\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe

MD5 ba4f88fe44d02a299dbeab18c37f74f3
SHA1 f77d5dfccc1796b6f93156dea470c3bf20dba6c8
SHA256 8a12e9117f023c7207272ff291ee1a686b636890cd616b92cff990c369d993f6
SHA512 badfaaa1a89a8184d7715fbde0a578876863ec517e27096c6621b11dcfdf7585e9039ab33b019fa01dcbed3194a990aecc3fe1c5a3646c54dee9208377c87504

C:\Users\Admin\AppData\Local\Temp\kb71271.log

MD5 7a7e633bc48b5bfbca53c568eaa28fe6
SHA1 32956698ceca3a79f21be91d655a6265dbd325b2
SHA256 7707e565fa020d2b20ff2a9650ff9a5f2d64323474dc4e4253dc4b53c4ecabfc
SHA512 3592b4ff34b7d85ddb225d2f0573208e12b3b62a76f3dffe7a36790c26a586544ab52973cb9c0eb587f27352d7e88f0a475d29426f977e53d71628bbd84e6f39

memory/2416-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2416-37-0x0000000072BAD000-0x0000000072BB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~tasyd3.xls

MD5 3e6e32ff547a361fea67cb9198016a34
SHA1 3617400d2f3cbfed0ab1427c50bd7b58e52e43fa
SHA256 970eebd3a719020c9fc2f58b58d1c7104498a76e71885ec39b41323b520494e4
SHA512 f3cf6b2b2f95d5fca07179e07e0163c2447ac297c1efc88d374d50d99595fcb9c536a32ba8d4c38953d66b7e8425b8883da89fd001324a385a8772ad8343f73b

memory/2416-39-0x0000000072BAD000-0x0000000072BB8000-memory.dmp

memory/2416-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2416-41-0x0000000072BAD000-0x0000000072BB8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-07 18:18
Reported 2024-04-07 18:20
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe N/A

Adds Run key to start application

Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogdate.exe" C:\Windows\SysWOW64\regedit.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 1804 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 1804 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
PID 1804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 1804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 1804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Windows\SysWOW64\regedit.exe
PID 1804 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 1804 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 1804 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe

"C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\kb71271.log

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 908

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\~tasyd3.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 wwap.publiclol.com udp
US 3.130.204.160:80 wwap.publiclol.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 160.204.130.3.in-addr.arpa udp
US 8.8.8.8:53 37.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 99.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 211.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe

MD5 ba4f88fe44d02a299dbeab18c37f74f3
SHA1 f77d5dfccc1796b6f93156dea470c3bf20dba6c8
SHA256 8a12e9117f023c7207272ff291ee1a686b636890cd616b92cff990c369d993f6
SHA512 badfaaa1a89a8184d7715fbde0a578876863ec517e27096c6621b11dcfdf7585e9039ab33b019fa01dcbed3194a990aecc3fe1c5a3646c54dee9208377c87504

C:\Users\Admin\AppData\Local\Temp\kb71271.log

MD5 7a7e633bc48b5bfbca53c568eaa28fe6
SHA1 32956698ceca3a79f21be91d655a6265dbd325b2
SHA256 7707e565fa020d2b20ff2a9650ff9a5f2d64323474dc4e4253dc4b53c4ecabfc
SHA512 3592b4ff34b7d85ddb225d2f0573208e12b3b62a76f3dffe7a36790c26a586544ab52973cb9c0eb587f27352d7e88f0a475d29426f977e53d71628bbd84e6f39

C:\Users\Admin\AppData\Local\Temp\~tasyd3.xls

MD5 3e6e32ff547a361fea67cb9198016a34
SHA1 3617400d2f3cbfed0ab1427c50bd7b58e52e43fa
SHA256 970eebd3a719020c9fc2f58b58d1c7104498a76e71885ec39b41323b520494e4
SHA512 f3cf6b2b2f95d5fca07179e07e0163c2447ac297c1efc88d374d50d99595fcb9c536a32ba8d4c38953d66b7e8425b8883da89fd001324a385a8772ad8343f73b
