114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order2354.xls
Size

654KB
MD5

0ea2f1e95f1c8a1917bb34a722cf78e8
SHA1

4721806e7503fcb6a630697bc348e53074a22fa2
SHA256

114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7
SHA512

9a5b836d188bf1bc8f210560492475017f2f23577a708acd82af3f0ada2446690653e4e08c1f0908306aaabd5a53f741f8987ed76bcbc00f4786784c6f5d9de8
SSDEEP

12288:/kTCQ5HK3hrUP/qPQZR8MxAm/S/xQE1A73DbFWgc4zkiVhPkLyH8gq1N:OCQ5HKRrUP/mMxCaE1GFWgJkChkqPK

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
27	2292	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
2288	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 6 IoCs

pid	Process
572	vnc.exe
2284	vnc.exe
2344	vnc.exe
3040	vnc.exe
2860	vnc.exe
308	vnc.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	EQNEDT32.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
764	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2292	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2004	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
572	vnc.exe
1932	powershell.exe
2288	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	vnc.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2004	EXCEL.EXE
2004	EXCEL.EXE
2004	EXCEL.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 572	2292	EQNEDT32.EXE	31
PID 2292 wrote to memory of 572	2292	EQNEDT32.EXE	31
PID 2292 wrote to memory of 572	2292	EQNEDT32.EXE	31
PID 2292 wrote to memory of 572	2292	EQNEDT32.EXE	31
PID 2460 wrote to memory of 2932	2460	WINWORD.EXE	32
PID 2460 wrote to memory of 2932	2460	WINWORD.EXE	32
PID 2460 wrote to memory of 2932	2460	WINWORD.EXE	32
PID 2460 wrote to memory of 2932	2460	WINWORD.EXE	32
PID 572 wrote to memory of 1932	572	vnc.exe	34
PID 572 wrote to memory of 1932	572	vnc.exe	34
PID 572 wrote to memory of 1932	572	vnc.exe	34
PID 572 wrote to memory of 1932	572	vnc.exe	34
PID 572 wrote to memory of 2288	572	vnc.exe	36
PID 572 wrote to memory of 2288	572	vnc.exe	36
PID 572 wrote to memory of 2288	572	vnc.exe	36
PID 572 wrote to memory of 2288	572	vnc.exe	36
PID 572 wrote to memory of 764	572	vnc.exe	38
PID 572 wrote to memory of 764	572	vnc.exe	38
PID 572 wrote to memory of 764	572	vnc.exe	38
PID 572 wrote to memory of 764	572	vnc.exe	38
PID 572 wrote to memory of 2284	572	vnc.exe	40
PID 572 wrote to memory of 2284	572	vnc.exe	40
PID 572 wrote to memory of 2284	572	vnc.exe	40
PID 572 wrote to memory of 2284	572	vnc.exe	40
PID 572 wrote to memory of 2344	572	vnc.exe	41
PID 572 wrote to memory of 2344	572	vnc.exe	41
PID 572 wrote to memory of 2344	572	vnc.exe	41
PID 572 wrote to memory of 2344	572	vnc.exe	41
PID 572 wrote to memory of 3040	572	vnc.exe	42
PID 572 wrote to memory of 3040	572	vnc.exe	42
PID 572 wrote to memory of 3040	572	vnc.exe	42
PID 572 wrote to memory of 3040	572	vnc.exe	42
PID 572 wrote to memory of 2860	572	vnc.exe	43
PID 572 wrote to memory of 2860	572	vnc.exe	43
PID 572 wrote to memory of 2860	572	vnc.exe	43
PID 572 wrote to memory of 2860	572	vnc.exe	43
PID 572 wrote to memory of 308	572	vnc.exe	44
PID 572 wrote to memory of 308	572	vnc.exe	44
PID 572 wrote to memory of 308	572	vnc.exe	44
PID 572 wrote to memory of 308	572	vnc.exe	44

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order2354.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2932

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\vnc.exe
  "C:\Users\Admin\AppData\Roaming\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jGiHPUkzfFmtq.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jGiHPUkzfFmtq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73C9.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:764
- - C:\Users\Admin\AppData\Roaming\vnc.exe
    "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Users\Admin\AppData\Roaming\vnc.exe
    "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Roaming\vnc.exe
    "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Executes dropped EXE
    PID:3040
- - C:\Users\Admin\AppData\Roaming\vnc.exe
    "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Users\Admin\AppData\Roaming\vnc.exe
    "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Executes dropped EXE
    PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7c0669e6df38dff7b7019bb4eed41e99

SHA1
72e3db82fcbf67d6c421455de61df7b51f65dcb8

SHA256
1ac809efcd227440a10b4842e2ea1765f85dc8042b41f4e0de29b7cfa5197992

SHA512
e1a6e93fe372925d238cf1f487efe094d2c4a254faa432551ee4ee49b96a07a6a2ba257b698c103dbd08d4d9133d1ef24eb55dbb9c7adbbb048836e4d794dd2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
bdbad4bb088b09a4adfa6da05f035bd0

SHA1
6111305b55b07a0f477881020ffdf1cfaa9a1ce0

SHA256
d65558acf4da85101028c7caaf71d49450a90138987e3992b82f5f7ff8471bf9

SHA512
3ad430433d5d6199cab245d8ac79ed274723fbc119c3668d7cb4ab480035f13ad6e6a9245da8649ca10638beef224c816f0b5fd8cc8a8e621cc88760babc3481

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62ab7c024247486cedaffb4da483a8e5

SHA1
e000f62851f4ccb1bdf6a8725b80692a9cbd6807

SHA256
63756436a94fba15d27d818368f2ad7b3d083d35e3a82daec09d5de69d7bd3a3

SHA512
9c34768842e48a21d36719b70bc91acd2f9418d34dd03c5450d91d09f3e36ac2f9a1d32334a07939935cb875280dc9a9fb4e510713f0ee2a56ea2d7ea0694fb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
2f7f07cfa1d5735f3691ef743ac4cccb

SHA1
401c7f6b4272de0bb544c51041f6e375275f4a56

SHA256
4748f1df0fbbe9ab86bd62d0bea76b83653fe4f930e8e1ccf4067970570fdb5d

SHA512
552263931475678136bd8583590b97361215b148d3e1a48877c683a7200854af91934969c1e55eaa2e5d4e8e0ca3a79916a895e897de8ffbc829ade056495982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
47dead320524075f9359f44eccd92966

SHA1
0ff98b3eebcfa9438dffb2d95308b30d738a98a1

SHA256
0ac8df92d1b90c999f3457c3b2e2a8a44ba18462309e04ef62d0369c064e5067

SHA512
028d967ae5751bba0168d1dfa2badebe41220f362d2cfae7ed711295e2222095c90b694d43abe06bd619b7ec757fc84186dc36a428228b7319fb37bf2b4f26d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{26E973B6-B0F9-420D-A04A-C9DF1052C4B8}.FSD

Filesize
128KB

MD5
f8359b043fbd25518489f5241d2adb5c

SHA1
8ce740627a54af325aa4355cd30f500973fa9599

SHA256
1f152af12f221f845553394bb83f560e1a9e38679110dadbab7621a16e160736

SHA512
c6856a4d0ff93213c23572c1dd08f0e8c78d7cabf5573c832a660d55f56ee67b81fd465dab65bb303c37106f7f453f5d8542fdf0738eb90061d75dcc5b5e05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7c015365975cb387d23d8fc140fc72d4

SHA1
76c644f7b76eb58ab8996e169ebf63d84f095a36

SHA256
82af6dd588f9986a48579fbde9e50126120ccfe38e0b01e535c2089614e3a545

SHA512
dc2ecf90dbdfba00ea3ccb1ffe9101f8748fd72ee933b92fc9b11f72c5eb5965bfcdf482bc15ff8cae25814d2a6a9b4abb99ae34ebb2ee6b56039362eaa74d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
9b0149e84f18d73a17d0cfb5b7f61a78

SHA1
cbb64698b46d2a649d4c541fb74948d683f260cb

SHA256
0dd12699366be66081bdb933c05fcec39db7e40165574e751b4a3c7944d2caf3

SHA512
891f2e309a6a30cfd3a8410f3a771f2d9c056e31fa3f1d743d520737189dee905255b47e642af8cb669d39873608933044d477beba76bf2a0000b98241b8a54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A0BC0589-21CF-4CB7-95C0-8A3DB0D19B8A}.FSD

Filesize
128KB

MD5
1d59a73cb33a29e0630dd3486c5b13a3

SHA1
531571c9d4f87da30876d153ef3322512aae371c

SHA256
a14dab8a07692ac4eca2922255bd3ff8f333c0a795fa3fbb4f8ed7d62dacf128

SHA512
537550923f6c69ab8e404166de98430628e3400124144cfdaf966b3ce57036bdb4bd28b09eadde2516eca41f0a2dfc2d2128ec8d9c62a197c06fde54b828fc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CRLT0X6V\beautifulroseflowerwanttogetinhandbecauseitsgreatthingshandbeautiuflthingshappenedtogetback___beautiuflflowers[1].doc

Filesize
63KB

MD5
7a7b11bbe3d337c74805c519c22601c0

SHA1
4b680f33a5d1f26934429bb7dff11b8b3f6ea0f8

SHA256
3f6bd3440b27d64b41ff2902d7b35c1105b7dc026e834755a1b44f63b5da965e

SHA512
c637d681ff8f7e00c74291bf38835ada5d4c074d62f9d5a12ceed7b4ec540f21e05dc89469664af08d7a68040e5d0646e1f13669ddec965812ce9eeb78975302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A83.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73C9.tmp

Filesize
1KB

MD5
88c6e6652e7f62dda485370e18286feb

SHA1
7243f2d6dc3e34de5472194aec2f204a21cbd5a7

SHA256
63297d9cdfcb635a063180738de6a76f109d2642c3b0ebcfbbf2f19cfee8c2aa

SHA512
cf989ddd0fe6a132b77ce782e57ef79e16f1f67190ccce99ef4b27091782c26f21f58167954154edb5a862e4c9eae20d69b352f5d44c59ff7c09c803a75b3883

Download Submit
C:\Users\Admin\AppData\Local\Temp\{62D9BEB5-748B-43A7-B081-19A48AFBF4A6}

Filesize
128KB

MD5
1880dbbf3457574e0ab804d498a3a6bf

SHA1
cec1a37f5f5c438dcb789d677e1fbecd95c25160

SHA256
0ff52095ad19cab0dd6e6e16d1077bf39310a0bb45084a53d06de263afad4fac

SHA512
635d3effd775864725368d5ade7f96cdf1b6390265ccd4f02f9cd2fbd90d55d9035fe4a4a6eb63bbf5d4be5d7c7deed29cfe2baec4e15b816473e4cab26d6f90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P6425I4P.txt

Filesize
67B

MD5
48d2cf99425b06e8f8e5819c26f0c85a

SHA1
2c589af226ee6c5447a2d89bf0eb4f71df3bdcba

SHA256
01088363cef4095f0cb3a7b48b5d6b52406e470f3029146a236fe0da7486a420

SHA512
950577c6e1c3333d142ef3274c93f854728bdb1092e422915ad6f6cc8f0c778ae1ae1fcc7aca7332ab4208550ce6787134fde624a80872ff47c62259b5cffafd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MMAKJ7F5IKAURNG5MUM7.temp

Filesize
7KB

MD5
9b287486d21e4df4d11c89d84a6bd305

SHA1
f32c25cf3a959a21a591bc715aa9ec08a83623eb

SHA256
d7eb3ebe649fe0474ba0f328b76e021f0958457de9883185aab60ba59595ff79

SHA512
00bfb92183b0a37cdb09a23ceed0661be3a8daf8ded6d7c51f560b4ce9de609d1b5b0019cd97db5ab3654dfa88edab8f32741cbef9692954243a8c7a85f034ce

Download Submit
C:\Users\Admin\AppData\Roaming\vnc.exe

Filesize
978KB

MD5
1299c227f71353022f7ed366f9efb219

SHA1
b8437949812bd190d66b656cdf99625243e0740f

SHA256
b2ae69e681c120901c4f5f839125d81b53eabd3f22c0a50547604c15d43a33f3

SHA512
0e5276521830eab912247cead3adb5465cd2ad9fdb784999f189c8c854c541f6a671a3bfdce7880fd6c7b4e232c22cb57cfb288a3c71957ee858f1c354c5e26d

Download Submit
memory/572-153-0x0000000005540000-0x0000000005600000-memory.dmp

Filesize
768KB

Download
memory/572-147-0x0000000000340000-0x000000000043A000-memory.dmp

Filesize
1000KB

Download
memory/572-149-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/572-151-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/572-152-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2004-150-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/2004-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2004-43-0x0000000002000000-0x0000000002002000-memory.dmp

Filesize
8KB

Download
memory/2004-1-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/2460-40-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/2460-38-0x000000002F8B1000-0x000000002F8B2000-memory.dmp

Filesize
4KB

Download
memory/2460-42-0x00000000036D0000-0x00000000036D2000-memory.dmp

Filesize
8KB

Download
memory/2460-171-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download