Analysis Overview
SHA256: 378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648
Threat Level: Known bad
The file 378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648 was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Venomrat family
AsyncRat
VenomRAT
Async RAT payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-29 15:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-29 15:09
Reported: 2024-11-29 15:12
Platform: win7-20241010-en
Max time kernel: 117s
Max time network: 118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Public\Documents\lPix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | N/A |
| N/A | N/A | C:\Users\Public\Documents\lPix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A |
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
"C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp" /SL5="$4010A,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\timeout.exe
timeout /T 3
C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
"C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp" /SL5="$601F8,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls
C:\Users\Public\Documents\lPix.exe
C:\Users\Public\Documents\lPix.exe
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp" /SL5="$401F4,544961,235520,C:\Users\Public\Documents\lPix.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\timeout.exe
timeout /T 3
C:\Users\Public\Documents\lPix.exe
"C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp" /SL5="$501EA,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
C:\Windows\system32\regsvr32.exe
/s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
Network
Files
memory/2932-0-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2932-2-0x0000000000401000-0x0000000000417000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
| MD5 | cf45d17c6928f460e9c66d8efd61d15f |
| SHA1 | 04f45e51c5ee587ac54084e051837cc4688f3fea |
| SHA256 | a87c544e201116ebe9e5aa748f1a4d91d4aadb18d7a2c24c27a9cf5c881b400b |
| SHA512 | 178d1f8df6f98246fa579d49af62a526a7b3ba34532ed0e160b82148bb5869192408562c2a7b4d5602cf7b907acea1f2b716c77b8eff912a930619f6cf70a596 |
memory/2152-8-0x0000000000400000-0x000000000053F000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-G7DHN.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2704-15-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2704-39-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2152-41-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2932-43-0x0000000000400000-0x0000000000444000-memory.dmp
\Users\Public\Documents\lPix.exe
| MD5 | 8cb4b8edf79a9edaf533920c9a4d2757 |
| SHA1 | 8d5b6701db176148d9bbe8cc97338798c518201c |
| SHA256 | c09f6cc092879d5b34f8668114453cdace4d3a6f303214baeca9a32d62bde1c2 |
| SHA512 | 82478f5c7592a2555f67608d9564d7b31bdde10443ea6a480d991712c6e2eaafefbb2401746f862960deb8796cf31aff0f3410caeb05fa933d8ecb402581d2e0 |
memory/2940-38-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2560-54-0x0000000000400000-0x0000000000444000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
| MD5 | bef5bad133138ce27f0c6e73d5a2e5f9 |
| SHA1 | 1cfc9e170e100fc23073cdfcf590594e18598314 |
| SHA256 | 55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65 |
| SHA512 | f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d |
memory/2200-67-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\Users\Public\Documents\LDcA.xls
| MD5 | d1ff725260128c439f9bce6f7a26f5ec |
| SHA1 | a22f5c06fd34b59daa1475789f659e324368a76f |
| SHA256 | dfa1e555ec717a30d1ccccc87e64cc143f0f2d436c8aa07221143482045df00d |
| SHA512 | 41e4876cea614c602953f40f835172fb80db5b8b241b0bb522eb9535a97c4e2365cfd335395bdbc87245290f7b8331539d43aec2c1be4de2bb3e7e925ea0696c |
memory/1664-83-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\unins000.exe
| MD5 | 7d32e1d324403f5baf3443502f6732b9 |
| SHA1 | 583a56865861c01413abda1daa132b577920504c |
| SHA256 | 4b6b8555cca21071bf3c90dc7d8a74e2fa2d1bf5bf85aab0b88a7a19962cb313 |
| SHA512 | 8880c8f087a848964a777430c72d5ae52c9ff2d82a59b79e9df3084a26889ee5526de02b2b13fd43074510129f0898b093d397e23127cc7330896f10fc6d3e0b |
C:\Users\Admin\AppData\Local\unins000.dat
| MD5 | 10e5e58b0f68862da3980e123de613bc |
| SHA1 | a44c201768dfb80765ebea4b560b9340c215a2bc |
| SHA256 | 16dcede65eaa9afbfdc0920fbd748d2871133b36ed6aa17865c8167d3d89a293 |
| SHA512 | 257f53b15d42f17371b5b227e5705bd583dd0e3857d1aded95e95fa6a32250fc3782cc1c8636521bcfcc6fccfa0605f030d5109a8df2d9c9849330c357261b34 |
C:\Users\Admin\AppData\Local\unins000.exe
| MD5 | 957a6b79d0a55eb26e806e520a56027c |
| SHA1 | 4de71cf351276a32f03900ded66a1d0217ab10b1 |
| SHA256 | 55d7374f4731aaa60d7930ecf5348b08f48f3cbb372a1805609d41ff21e89297 |
| SHA512 | d5e295c47e93e18f272f99b2960f2b476ef261a2a7c65635a2c4d74798d4f0409a970ad0039b6258f9addf9d39b2b7e8b5ecb129ca4e2bd123402ad2ddb5cc34 |
memory/1664-110-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1076-109-0x0000000000400000-0x000000000053F000-memory.dmp
memory/1964-111-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2560-113-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
| MD5 | 385e36fd28d88b4fe7051de59bcd616c |
| SHA1 | 0c6bac3bda42f8dedfba7559d092da5baaac81b4 |
| SHA256 | f13c09688c8f5e11c57680a446d2ab52918a53782cf2827ca768652e1013b2f0 |
| SHA512 | 5ea5505dceb529ef4aa40fd13c23646fc36c74e3a0d86047ae66e1d1b70865f24279b3ea1d5a28f456e44a258a7c75516171ee201049e53420a34e69186ba86f |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-29 15:09
Reported: 2024-11-29 15:12
Platform: win10v2004-20241007-en
Max time kernel: 141s
Max time network: 151s
Command Line
Signatures
AsyncRat
Asyncrat family
VenomRAT
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Venomrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Public\Documents\lPix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp | N/A |
| N/A | N/A | C:\Users\Public\Documents\lPix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.EXE | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.EXE | N/A |
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp
"C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp" /SL5="$602B6,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\timeout.exe
timeout /T 3
C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp
"C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp" /SL5="$40112,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls
C:\Users\Public\Documents\lPix.exe
C:\Users\Public\Documents\lPix.exe
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\Documents\LDcA.xls"
C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp" /SL5="$802B6,544961,235520,C:\Users\Public\Documents\lPix.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\timeout.exe
timeout /T 3
C:\Users\Public\Documents\lPix.exe
"C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp" /SL5="$401FE,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
C:\Windows\system32\regsvr32.exe
/s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll' }) { exit 0 } else { exit 1 }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{EFF11FCA-251C-49D8-9A47-AB5692BD08FD}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
C:\Windows\system32\regsvr32.exe
"regsvr32" /i:INSTALL /s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| HK | 27.124.46.187:7415 | | tcp |
| US | 8.8.8.8:53 | 187.46.124.27.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1652-2-0x0000000000401000-0x0000000000417000-memory.dmp
memory/1652-0-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp
| MD5 | cf45d17c6928f460e9c66d8efd61d15f |
| SHA1 | 04f45e51c5ee587ac54084e051837cc4688f3fea |
| SHA256 | a87c544e201116ebe9e5aa748f1a4d91d4aadb18d7a2c24c27a9cf5c881b400b |
| SHA512 | 178d1f8df6f98246fa579d49af62a526a7b3ba34532ed0e160b82148bb5869192408562c2a7b4d5602cf7b907acea1f2b716c77b8eff912a930619f6cf70a596 |
memory/5044-7-0x0000000000400000-0x000000000053F000-memory.dmp
memory/3296-14-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3296-12-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BQ5QU.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1576-32-0x0000000000400000-0x000000000053F000-memory.dmp
memory/3296-34-0x0000000000400000-0x0000000000444000-memory.dmp
memory/5044-37-0x0000000000400000-0x000000000053F000-memory.dmp
C:\Users\Public\Documents\lPix.exe
| MD5 | 8cb4b8edf79a9edaf533920c9a4d2757 |
| SHA1 | 8d5b6701db176148d9bbe8cc97338798c518201c |
| SHA256 | c09f6cc092879d5b34f8668114453cdace4d3a6f303214baeca9a32d62bde1c2 |
| SHA512 | 82478f5c7592a2555f67608d9564d7b31bdde10443ea6a480d991712c6e2eaafefbb2401746f862960deb8796cf31aff0f3410caeb05fa933d8ecb402581d2e0 |
memory/2184-42-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1652-41-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Users\Public\Documents\LDcA.xls
| MD5 | d1ff725260128c439f9bce6f7a26f5ec |
| SHA1 | a22f5c06fd34b59daa1475789f659e324368a76f |
| SHA256 | dfa1e555ec717a30d1ccccc87e64cc143f0f2d436c8aa07221143482045df00d |
| SHA512 | 41e4876cea614c602953f40f835172fb80db5b8b241b0bb522eb9535a97c4e2365cfd335395bdbc87245290f7b8331539d43aec2c1be4de2bb3e7e925ea0696c |
C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp
| MD5 | bef5bad133138ce27f0c6e73d5a2e5f9 |
| SHA1 | 1cfc9e170e100fc23073cdfcf590594e18598314 |
| SHA256 | 55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65 |
| SHA512 | f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d |
memory/1056-48-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp
memory/1056-47-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp
memory/1056-46-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp
memory/1056-49-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp
memory/1056-50-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp
memory/1056-58-0x00007FF950B50000-0x00007FF950B60000-memory.dmp
memory/1056-59-0x00007FF950B50000-0x00007FF950B60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 7b3019794f46e10207df78cec074ba84 |
| SHA1 | 37f7f1155da5707f25499c7d4d76c91145ed46a3 |
| SHA256 | b1ff13890a938534620e0a0bdd61ce9472ddebb9d2f50066ebf3751b98d5e9c1 |
| SHA512 | bd76b729281187d65d1208dfb6ec719d5a663e5996c5ebd6d985fb21dc3137561e22ede0a3af2d932be813d58de371e68446a612da8b5c548d6a111e4bf845a1 |
memory/2820-79-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\unins000.dat
| MD5 | 5eadc1f79f4f377ac3d2160bdb304f80 |
| SHA1 | 728d27a2dc8d38634216d06bd59e7315cefd3037 |
| SHA256 | 27cbe0caa71624bfb472402b7da15cd6fa876aaa517dd6bedf4cc80bba138a0a |
| SHA512 | 7b090395faf391d551b79918753bf6c7b39522dac143c18a5cc56aa061b68dfd153b9490b9645f440e61d7280a379f6618600342f69dfbf5fc1f914881f87756 |
C:\Users\Admin\AppData\Local\unins000.exe
| MD5 | 7d32e1d324403f5baf3443502f6732b9 |
| SHA1 | 583a56865861c01413abda1daa132b577920504c |
| SHA256 | 4b6b8555cca21071bf3c90dc7d8a74e2fa2d1bf5bf85aab0b88a7a19962cb313 |
| SHA512 | 8880c8f087a848964a777430c72d5ae52c9ff2d82a59b79e9df3084a26889ee5526de02b2b13fd43074510129f0898b093d397e23127cc7330896f10fc6d3e0b |
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
| MD5 | 385e36fd28d88b4fe7051de59bcd616c |
| SHA1 | 0c6bac3bda42f8dedfba7559d092da5baaac81b4 |
| SHA256 | f13c09688c8f5e11c57680a446d2ab52918a53782cf2827ca768652e1013b2f0 |
| SHA512 | 5ea5505dceb529ef4aa40fd13c23646fc36c74e3a0d86047ae66e1d1b70865f24279b3ea1d5a28f456e44a258a7c75516171ee201049e53420a34e69186ba86f |
memory/3972-100-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2820-102-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1964-103-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2184-104-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2312-110-0x0000027C5A2A0000-0x0000027C5A2C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_preup1pg.dfd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b83052d233778f3041cbe528da041ba |
| SHA1 | 06a90380d32a7671e40af152f9d7f760012f95b9 |
| SHA256 | 1b8b2000241fefe3e07d0b47e9ffb20a797bc91ae7bb298d0dc509f8f8785654 |
| SHA512 | d524cd16f51d7e0c64f38347e2916fdc3ebad834d77a2de8627211980105fc0bf68afc3b81d48f456f8f64876132909c4e38d998cc7bfed05250689f8b0685af |
memory/4372-134-0x0000000002CA0000-0x0000000002CB2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 3599f10e9bf06bf22909d060cec58b4e |
| SHA1 | cf29fc283d1b9983809b2b5bd235c70425b46b59 |
| SHA256 | 39fdeaba350fa7db11fcc331045b2a7c2590ebb2c92e44476b612ec15d30ee03 |
| SHA512 | e37b5d254a757f90598d83b8b7ca518efa7f4c404e25278745e39c2bb68926e5709592a6eb9bf829042bf4acfaea2789e99125d69376e398aa11c58f24c9f6be |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 0170f9d1ae30b86da109b1cf5677b240 |
| SHA1 | 920fbb8dd889b5fa11bcc6da54a19ff5ff684afc |
| SHA256 | b453070c92b022034d16fed311e704ed415d30fe737aba70df3f428d33b55574 |
| SHA512 | d93ad956e04709868dc58c786ce2c3919f27ae0bc512a2116b10eded79ebd2ee4e62bd84c95d053308a65b37d01ef824922d9d7691fe97cfdd1029ab5a9c3ac8 |
memory/4372-154-0x00007FF96D930000-0x00007FF96D9CD000-memory.dmp