Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 02:28

Static task: static1

Behavioral task: behavioral1
Sample: e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d.xlam
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d.xlam
Resource: win10v2004-20240611-en

General
Target: e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d.xlam
Size: 726KB
MD5: e38bcfcd4aef15bb987399f787557582
SHA1: d49c20bed98eabc5df26e5309572e2b946ca2189
SHA256: e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d
SHA512: 9471ba49d1a29c8c339fe720d99b2742d90fce7840f7de34c35a3c31d6626c4652a2e62318abf7f242a90aab51bda0cf80c63c092db7f3c48c3d6aa0446de7a6
SSDEEP: 12288:/knWybbQuN3IQIRHksCPbuNlK4fS212xQao9bkoJhPY2hR8EMgYJ9Axtat9fJluP:cJbj4X1GPbubK43gyd9bk6XRbHk9vBJy

Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2208-21-0x0000000000850000-0x00000000008A4000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-22-0x0000000000A70000-0x0000000000AC2000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-23-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-24-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-26-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-28-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-30-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-32-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-34-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-36-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-38-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-40-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-42-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-44-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-46-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-48-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-50-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-52-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-54-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-56-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-58-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-60-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-62-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-64-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-66-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-68-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-70-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-72-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-74-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-76-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-78-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-80-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2208-82-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2208-21-0x0000000000850000-0x00000000008A4000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-22-0x0000000000A70000-0x0000000000AC2000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-23-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-24-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-26-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-28-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-30-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-32-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-34-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-36-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-38-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-40-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-42-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-44-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-46-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-48-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-50-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-52-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-54-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-56-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-58-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-60-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-62-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-64-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-66-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-68-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-70-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-72-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-74-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-76-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-78-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-80-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2208-82-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 33 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2208-21-0x0000000000850000-0x00000000008A4000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-22-0x0000000000A70000-0x0000000000AC2000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-23-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-24-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-26-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-28-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-30-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-32-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-34-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-36-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-38-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-40-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-42-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-44-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-46-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-48-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-50-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-52-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-54-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-56-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-58-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-60-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-62-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-64-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-66-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-68-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-70-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-72-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-74-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-76-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-78-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-80-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2208-82-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 33 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2208-21-0x0000000000850000-0x00000000008A4000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-22-0x0000000000A70000-0x0000000000AC2000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-23-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-24-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-26-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-28-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-30-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-32-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-34-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-36-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-38-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-40-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-42-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-44-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-46-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-48-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-50-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-52-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-54-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-56-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-58-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-60-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-62-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-64-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-66-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-68-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-70-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-72-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-74-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-76-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-78-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-80-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2208-82-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 33 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2208-21-0x0000000000850000-0x00000000008A4000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-22-0x0000000000A70000-0x0000000000AC2000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-23-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-24-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-26-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-28-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-30-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-32-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-34-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-36-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-38-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-40-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-42-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-44-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-46-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-48-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-50-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-52-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-54-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-56-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-58-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-60-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-62-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-64-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-66-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-68-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-70-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-72-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-74-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-76-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-78-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-80-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2208-82-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 33 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2208-21-0x0000000000850000-0x00000000008A4000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-22-0x0000000000A70000-0x0000000000AC2000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-23-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-24-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-26-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-28-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-30-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-32-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-34-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-36-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-38-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-40-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-42-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-44-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-46-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-48-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-50-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-52-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-54-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-56-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-58-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-60-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-62-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-64-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-66-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-68-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-70-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-72-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-74-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-76-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-78-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-80-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2208-82-0x0000000000A70000-0x0000000000ABD000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Blocklisted process makes network request 3 IoCs
Processes:
flow  pid  process
3  2996  EQNEDT32.EXE
5  2996  EQNEDT32.EXE
6  2996  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
Processes:
pid  process
2528  KJH.exe

Loads dropped DLL 1 IoCs
Processes:
pid  process
2996  EQNEDT32.EXE

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
9  api.ipify.org
10  api.ipify.org

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource  yara_rule
\Users\Admin\AppData\Roaming\KJH.exe  autoit_exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 2528 set thread context of 2208  2528  KJH.exe  RegSvcs.exe

Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  EXCEL.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  EXCEL.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command  EXCEL.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  EXCEL.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"  EXCEL.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  EXCEL.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  EXCEL.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"  EXCEL.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid | process):
- 1632 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid | process):
- 2208 | RegSvcs.exe
- 2208 | RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid | process):
- 2528 | KJH.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2208 | RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid | process):
- 2528 | KJH.exe
- 2528 | KJH.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid | process):
- 2528 | KJH.exe
- 2528 | KJH.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid | process):
- 1632 | EXCEL.EXE
- 1632 | EXCEL.EXE
- 1632 | EXCEL.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
- PID 2996 wrote to memory of 2528 | 2996 | EQNEDT32.EXE | KJH.exe
- PID 2996 wrote to memory of 2528 | 2996 | EQNEDT32.EXE | KJH.exe
- PID 2996 wrote to memory of 2528 | 2996 | EQNEDT32.EXE | KJH.exe
- PID 2996 wrote to memory of 2528 | 2996 | EQNEDT32.EXE | KJH.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
- PID 2528 wrote to memory of 2208 | 2528 | KJH.exe | RegSvcs.exe
Processes (process tree; indentation shows parent/child depth)
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e6ecf390542c44da68e56315d0aa3924239c5798fdc58bf7955b0e6b6613787d.xlam
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1632
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 2996
  C:\Users\Admin\AppData\Roaming\KJH.exe
    Command line: "C:\Users\Admin\AppData\Roaming\KJH.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2528
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Roaming\KJH.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2208
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 714dfae63f102e6cf01921b5f687e324
  SHA1: eb4e96d05ed4fa9607c6311e6db723678d15c3bf
  SHA256: 080ccc20d803e443569ebaa56ea94a3522ac6fb2fb9406df681d4e5990363970
  SHA512: 15eb155a113fe8782e5eb819df96478f2f3a5856b30708709832f2661eba91f483fa55064b3190701e1d17e570f7273519c39922bfc782365fa63caf3daaa766