f9025af4f74ca022d9f8babc10de3985626d0212eeca79558cd04a0a3ac1583e

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_4d9785d74894d5e3058a0164add366c6_mafia.exe
Size

2.3MB
MD5

4d9785d74894d5e3058a0164add366c6
SHA1

216e6c668b2c94d946e0f31fa4b50888fdd2aab5
SHA256

f9025af4f74ca022d9f8babc10de3985626d0212eeca79558cd04a0a3ac1583e
SHA512

9f624dd70cc0c3928a9580cec3b8f7afa16242fbd1dad2e402e564cfb375e070a9ae454f5d572f810614a44c35cf763b086b4f64ff1bc38a67b3d92d5c15343a
SSDEEP

49152:jZRpZ8sSugiOHKq2SDNNgaciS0O3BZrLsPZQn90IYPqItmL:xZ8/u5q2SvgiK3BZ/sBQn90IpI

Score

9^/10

macro

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3040-82-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-80-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-78-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-77-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-75-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-74-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-73-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-72-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-71-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-76-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-222-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-227-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-225-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-226-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-224-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-223-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-221-0x0000000076760000-0x0000000076975000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\SpreadsheetTools\lxLdr.xlam

Loads dropped DLL 1 IoCs

Processes:

EXCEL.EXE

pid process

3040 EXCEL.EXE

pid	process
3040	EXCEL.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE2024-05-23_4d9785d74894d5e3058a0164add366c6_mafia.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-05-23_4d9785d74894d5e3058a0164add366c6_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	2024-05-23_4d9785d74894d5e3058a0164add366c6_mafia.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3040 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EXCEL.EXE

pid process

3040 EXCEL.EXE
3040 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

3040 EXCEL.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

3040 EXCEL.EXE
3040 EXCEL.EXE
3040 EXCEL.EXE
3040 EXCEL.EXE

pid	process
3040	EXCEL.EXE

pid	process
3040	EXCEL.EXE
3040	EXCEL.EXE

pid	process
3040	EXCEL.EXE

pid	process
3040	EXCEL.EXE
3040	EXCEL.EXE
3040	EXCEL.EXE
3040	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 3040 wrote to memory of 2176	3040	EXCEL.EXE	splwow64.exe
PID 3040 wrote to memory of 2176	3040	EXCEL.EXE	splwow64.exe
PID 3040 wrote to memory of 2176	3040	EXCEL.EXE	splwow64.exe
PID 3040 wrote to memory of 2176	3040	EXCEL.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_4d9785d74894d5e3058a0164add366c6_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_4d9785d74894d5e3058a0164add366c6_mafia.exe"
1⤵
- Checks processor information in registry
PID:1616

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2176

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SpreadsheetTools\32\LockXLSRuntime.dll
Filesize
1.4MB

MD5
9f4540c1227111a9f1466cb8e9f44977

SHA1
d8d0533884b02330a7c24e2217705d02242216d5

SHA256
7eeae01c7b5e5927436e3fdab844d185e8bdf30cf33df595bdf55bbd86708caa

SHA512
01348a05fbc97b4a85d498a7de36a52764b50025be6fa3b83c1806eedcc049ab9febfcb5a611846e762b34689fd154c491e1ea52406012885c47e2b78d096863

Download Submit
C:\Users\Admin\AppData\Local\SpreadsheetTools\empty.xls
Filesize
22KB

MD5
aa69f1319324842244d3d791ce72f5dd

SHA1
755fa34ab86ae4773ff0f90c323f8dc1d3027204

SHA256
a62332996685932ac6180553729d443a2fcf321dacfa83dc19e1a488cfeabdb3

SHA512
125c0b15e972e8b6665c57814a8db6c23c9c0f41f36075c27a6c8239275139ffd22e76950d0cd54ed3b29d919300c8cb43253531c3ac5acfb7b792ce085e1d0a

Download Submit
C:\Users\Admin\AppData\Local\SpreadsheetTools\lxLdr.xlam
Filesize
26KB

MD5
68ae3f8f60641e3b6e40c907e9f01daa

SHA1
204d0f28e2970af8a6727198b88edbfdd19d5c51

SHA256
759024e88c6e0063004bb09392922af4010aec87dc7c8377451c87ab13a68bf0

SHA512
443d53552354407df61d688223381bfc31f61c6b2bf9618f38e18f74490e8f98ad0dbb3128990c58b4f3094790908b84eb63e62070c337385c20c8a8699bcbcf

Download Submit
memory/3040-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3040-9-0x000000007212D000-0x0000000072138000-memory.dmp

Filesize
44KB

Download
memory/3040-56-0x000000006C790000-0x000000006CA1D000-memory.dmp

Filesize
2.6MB

Download
memory/3040-70-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-82-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-80-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-78-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-77-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-75-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-74-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-154-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-132-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-131-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-73-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-72-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-71-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-69-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-68-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-67-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-66-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-65-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-64-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-63-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-62-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-61-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-60-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-59-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-58-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-191-0x000000006C250000-0x000000006C383000-memory.dmp

Filesize
1.2MB

Download
memory/3040-190-0x000000006C250000-0x000000006C383000-memory.dmp

Filesize
1.2MB

Download
memory/3040-189-0x000000006C250000-0x000000006C383000-memory.dmp

Filesize
1.2MB

Download
memory/3040-188-0x000000006C250000-0x000000006C383000-memory.dmp

Filesize
1.2MB

Download
memory/3040-76-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-54-0x000000006C790000-0x000000006CA1D000-memory.dmp

Filesize
2.6MB

Download
memory/3040-55-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-53-0x000000006C390000-0x000000006C4FC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-52-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-51-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-50-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-48-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-57-0x000000006C790000-0x000000006CA1D000-memory.dmp

Filesize
2.6MB

Download
memory/3040-196-0x000000007212D000-0x0000000072138000-memory.dmp

Filesize
44KB

Download
memory/3040-197-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-198-0x0000000005770000-0x0000000005870000-memory.dmp

Filesize
1024KB

Download
memory/3040-201-0x00000000747E0000-0x0000000074805000-memory.dmp

Filesize
148KB

Download
memory/3040-203-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3040-202-0x00000000747E0000-0x0000000074805000-memory.dmp

Filesize
148KB

Download
memory/3040-204-0x0000000073E30000-0x0000000073E43000-memory.dmp

Filesize
76KB

Download
memory/3040-210-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-222-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-227-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-225-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-238-0x000000007212D000-0x0000000072138000-memory.dmp

Filesize
44KB

Download
memory/3040-226-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-224-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-223-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-221-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/3040-220-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-219-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-218-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-217-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-216-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-215-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-214-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-213-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-212-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-211-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-209-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-208-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-207-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-206-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download
memory/3040-205-0x0000000076280000-0x00000000763DC000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads