Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03/05/2024, 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: 26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam
  Resource: win10v2004-20240419-en
General
Target: 26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam
Size: 718KB
MD5: 989feda4871b86bfbcec9debb0b2ec45
SHA1: 05ef3f9b7d77b9709423222a81d670cbcae013cd
SHA256: 26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937
SHA512: ba62b7d1cc358aa8e3525bbb0988274823feef6f485cc9ec2d5d43734c35f0f1d9c978bed490ea6b4cfc25e86a4df5788be8b3bbb3677064be3895d3becd4c44
SSDEEP: 12288:r8nWilHGpyCdswU+rUUfvPn9mw1Z68YnQgtJPskWBMpINmNGWBn:Y/0RuFLUfvPn9tk8E7xWuWLWBn
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect ZGRat V1 33 IoCs
Blocklisted process makes network request 1 IoCs
flow  pid   Process
2     2596  EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
pid   Process
2808  CKK.exe
3000  CKK.exe
2720  CKK.exe
Loads dropped DLL 1 IoCs
pid   Process
2596  EQNEDT32.EXE
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     api.ipify.org
4     api.ipify.org
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource                                    yara_rule
behavioral1/files/0x0007000000015ced-6.dat  autoit_exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process  procid_target
PID 2720 set thread context of 2852  2720  CKK.exe  36
Enumerates system info in registry 2 TTPs 1 IoCs
description  ioc                                                                   Process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid   Process
2596  EQNEDT32.EXE
Modifies Internet Explorer settings
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   Process
2460  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2852  RegSvcs.exe
2852  RegSvcs.exe
Suspicious behavior: MapViewOfSection 3 IoCs
pid   Process
2808  CKK.exe
3000  CKK.exe
2720  CKK.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2852  RegSvcs.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
2460  EXCEL.EXE
2460  EXCEL.EXE
2460  EXCEL.EXE
Suspicious use of WriteProcessMemory 34 IoCs
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam
  PID: 2460
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2596
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\CKK.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CKK.exe"
    PID: 2808
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Roaming\CKK.exe"
      PID: 2580
    C:\Users\Admin\AppData\Roaming\CKK.exe
      Command line: "C:\Users\Admin\AppData\Roaming\CKK.exe"
      PID: 3000
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Roaming\CKK.exe"
        PID: 1960
      C:\Users\Admin\AppData\Roaming\CKK.exe
        Command line: "C:\Users\Admin\AppData\Roaming\CKK.exe"
        PID: 2720
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Roaming\CKK.exe"
          PID: 2852
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Downloads