
McAfee Advanced Threat Defense | Threat Analysis Report

File Name: 62665.xls
Threat Level: ⬤ 5 - Very High
Malware Name: TYPE_TROJAN
Engine: GTI File Reputation
File Submitted: 2021-04-19 03:46:03 UTC
Processing Time: 46 seconds
File Size: 118,784 bytes
Sandbox Replication: 38 seconds

Hash Values

MD5 Hash Identifier F23ACD80B83B3BC1EA1503E94E1831F8

SHA-1 Hash Identifier B7FA3A434710EA5B4AC48A3B46D0339EFC84542B

SHA-256 Hash Identifier 5DE6C7BA93850C642099DB3239AAE491BD93BC2DBDFD4FECFDD64E5D9A9D4685

Screenshots: 2

File Details

File Type Composite Document File V2 Document, Microsoft Office Application

Environment

Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit

Windows® Internet Explorer version: 8.0.7601.17514

Microsoft Office version: 2007

PDF Reader version: 11.0

No Flash player installed

Flash player plugin version: 22.0.0.209

Platform Version 4.12.0.7

Detection Package Version 4.12.0.201112


Behavior Classification

Behavior Severity

 Exploiting, Shellcode ⬤ 3 - Medium

Detected executable files embedded in or dropped by the sample ⬤ 3 - Medium

Detected scripting content embedded in the sample ⬤ 2 - Low

Office file contains VBA code ⬤ 1 - Informational

 Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 2 - Low

Attempted to execute service ⬤ 2 - Low

Spawned Rundll32 Process ⬤ 1 - Informational

Retrieves a NetBIOS or DNS name associated with the local computer ⬤ 1 - Informational

Office file contains VBA code ⬤ 1 - Informational

Changed the protection attribute of the process ⬤ 1 - Informational

 Networking ⬤ 2 - Low

Queried for system network configuration information ⬤ 2 - Low

Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host ⬤ 2 - Low

Downloaded data from a webserver ⬤ 2 - Low

Connected to a specific service provider ⬤ 2 - Low

Altered Web Proxy Auto-Discovery Protocol (WPAD) for rerouting of the network traffic ⬤ 2 - Low

Retrieved the name of the network resource associated with a local device ⬤ 1 - Informational

Office file contains VBA code ⬤ 1 - Informational

 Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 2 - Low

Set hook procedure to control system activities ⬤ 2 - Low

Office file contains VBA code ⬤ 1 - Informational

Contained long sleep ⬤ 1 - Informational

 Persistence, Installation Boot Survival ⬤ 1 - Informational

Office file contains VBA code ⬤ 1 - Informational

 Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection ⬤ 1 - Informational

Retrieved system information such as Processor Architecture, Number Processors, Processor Type ⬤ 1 - Informational

Office file contains VBA code ⬤ 1 - Informational

Obtained user's logon name ⬤ 1 - Informational

Contained long sleep ⬤ 1 - Informational

 Spreading ⬤ 1 - Informational

Office file contains VBA code ⬤ 1 - Informational

GTI Web/URL Reputation

Connected Sites: 2

URL Port Reputation Category Name Risk Group Functional Group

207.154.235.218 80 High Risk Malicious Sites Security Risk/Fraud/Crime

WIN-AUPGCV3CTSS 80 Unknown Risk --- --- ---

Processes Analyzed
Name Reason Severity

62665.xls dropped by 62665.xls & loaded by MATD Analyzer ⬤ 3 - Medium

287.dll dropped by 62665.xls ⬤ Unverified

certutil.exe executed by excel ⬤ 1 - Informational

rundll32.exe executed by excel ⬤ 2 - Low

Timeline Activity

[Chart: the processes 62665.xls, 287.dll, certutil.exe and rundll32.exe plotted by operation type (Processes, Files, Registry Operations, Network Operations, Multiple Operations) against offset in seconds, 0 to 21]

Techniques Observed (MITRE ATT&CK™ Matrix)

Technique Tactics

 User Execution Execution

An adversary may rely upon specific actions by a user in order to gain execution.
This may be direct code execution, such as when a user opens a malicious executable
delivered via Spearphishing Attachment with the icon and apparent extension of a
document file. It also may lead to other execution techniques, such as when a user
clicks on a link delivered via Spearphishing Link that leads to exploitation of a
browser or application vulnerability via Exploitation for Client Execution. While
User Execution frequently occurs shortly after Initial Access it may occur at other
phases of an intrusion, such as when an adversary places a file in a shared directory
or on a user's desktop hoping that a user will click on it.

Office file contains VBA code ⬤ 1 - Very Low

 Service Execution Execution

Adversaries may execute a binary, command, or script via a method that interacts with
Windows services, such as the Service Control Manager. This can be done by either
creating a new service or modifying an existing service. This technique is the
execution used in conjunction with New Service and Modify Existing Service during
service persistence or privilege escalation.

Attempted to execute service ⬤ 2 - Low

 Scripting Execution, Defense Evasion

Adversaries may use scripts to aid in operations and perform multiple actions that
would otherwise be manual. Scripting is useful for speeding up operational tasks and
reducing the time required to gain access to critical resources. Some scripting
languages may be used to bypass process monitoring mechanisms by directly interacting
with the operating system at an API level instead of calling other programs. Common
scripting languages for Windows include VBScript and PowerShell but could also be in
the form of command-line batch scripts.

Detected executable files embedded in or dropped by the sample ⬤ 3 - Medium

Detected scripting content embedded in the sample ⬤ 2 - Low

 Rundll32 Execution, Defense Evasion

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries
may take advantage of this functionality to proxy execution of code to avoid
triggering security tools that may not monitor execution of the rundll32.exe process
because of whitelists or false positives from Windows using rundll32.exe for normal
operations.

Spawned Rundll32 Process ⬤ 1 - Very Low

 Hooking Persistence, Privilege Escalation, Credential Access

Windows processes often leverage application programming interface (API) functions to
perform tasks that require reusable system resources. Windows API functions are
typically stored in dynamic-link libraries (DLLs) as exported functions.

Set hook procedure to control system activities ⬤ 2 - Low

 Network Share Discovery Discovery

Networks often contain shared network drives and folders that enable users to access
file directories on various systems across a network.

Retrieved the name of the network resource associated with a local device ⬤ 1 - Very Low

 System Information Discovery Discovery

An adversary may attempt to get detailed information about the operating system and
hardware, including version, patches, hotfixes, service packs, and architecture.

Retrieves a NetBIOS or DNS name associated with the local computer ⬤ 1 - Very Low

Retrieved system information such as Processor Architecture, Number Processors, Processor Type ⬤ 1 - Very Low

Obtained user's logon name ⬤ 1 - Very Low

 System Network Configuration Discovery Discovery

Adversaries will likely look for details about the network configuration and settings
of systems they access or through information discovery of remote systems. Several
operating system administration utilities exist that can be used to gather this
information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Queried for system network configuration information ⬤ 2 - Low

 Remote File Copy Lateral Movement, Command and Control

Files may be copied from one system to another to stage adversary tools or other
files over the course of an operation. Files may be copied from an external
adversary-controlled system through the Command and Control channel to bring tools
into the victim network or through alternate protocols with another tool such as FTP.
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and
sftp.

Connected to a specific service provider ⬤ 2 - Low

 Standard Application Layer Protocol Command and Control

Adversaries may communicate using a common, standardized application layer protocol
such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing
traffic. Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server.

Downloaded data from a webserver ⬤ 2 - Low

Connected to a specific service provider ⬤ 2 - Low

 Commonly Used Port Command and Control

Adversaries may communicate over a commonly used port to bypass firewalls or network
detection systems and to blend with normal network activity to avoid more detailed
inspection.

Connected to a specific service provider ⬤ 2 - Low

Timeline Activity Details

Time Offset Event Details

00:00:000 Process Operations, miscellaneous )"54515

00:00:485 Process Operations, miscellaneous Obtained the contents of the specified variable from the environment block of the calling process

00:00:500 File Operations, miscellaneous Obtained the path of the Windows system directory

00:00:500 Registry Opened HKLM\Software\Microsoft\Windows\CurrentVersion

00:00:500 File Operations, miscellaneous Retrieved the full path for the module

00:00:500 Process Operations, miscellaneous Changed the protection attribute of process address: 0x2f8630dc, new attribute: Execute_ReadWrite

00:00:500 Process Operations, miscellaneous Changed the protection attribute of process address: 0x2f8630dc, new attribute: Execute_Read

00:00:500 Registry Read HKLM\Software\Microsoft\Windows\CurrentVersion (value: CommonFilesDir)

00:00:500 Process Operations, miscellaneous Retrieved information on a specific string in the current activation context

00:00:500 Others Initialized a critical section object and set the spin count for the critical section

00:00:531 Registry Opened HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf

00:00:578 Others Obtained the system metric or system configuration setting

00:00:578 Process Operations, miscellaneous Deactivated the activation context corresponding to the specified cookie

00:00:578 Process Operations, miscellaneous Queried the activation context

00:00:641 Thread Created 2f7e368f

00:00:641 Others Recorded system information

00:00:641 Registry Opened HKCU\Software\Microsoft\Office\12.0\Excel

00:00:641 Registry Read HKCU\Software\Microsoft\Office\12.0\Excel (value: DisableThreadAffinity)

00:00:656 Process Created {C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}

00:00:672 Process Operations, miscellaneous Obtained the identifier of the thread or process that created the specified window

00:00:703 Registry Opened HKCU\Software\Microsoft\.NETFramework

00:00:766 Files Opened C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config (access: Read, attributes: Normal)

00:00:766 Registry Read HKLM\Software\Microsoft\.NETFramework (value: UseLegacyV2RuntimeActivationPolicyDefaultValue)

00:00:766 Registry Read HKLM\Software\Microsoft\.NETFramework (value: OnlyUseLatestCLR)

00:00:766 Registry Read HKLM\Software\Microsoft\.NETFramework (value: InstallRoot)

00:00:766 File Operations, miscellaneous Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*

00:00:766 Registry Opened HKLM\Software\Microsoft\.NETFramework

00:00:766 File Operations, miscellaneous Obtained a set of FAT file system attributes for a file or directory

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll (access: 20000, attributes: 10000000)

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll (access: 20000, attributes: 10000000)

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll (access: 20000, attributes: 10000000)

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll (access: 20000, attributes: 10000000)

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll (access: 20000, attributes: 10000000)

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll (access: 20000, attributes: 10000000)

00:00:766 Files Opened C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll (access: 20000, attributes: 10000000)

00:00:766 Files Read C:\Windows\Microsoft.NET\Framework\

00:00:781 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion

00:00:781 Registry Read HKLM\SOFTWARE\Microsoft\Fusion (value: NoClientChecks)

00:00:781 Registry Operations, miscellaneous Enumerated the values for an open registry key

00:00:781 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

00:00:781 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

00:00:828 Others Retrieved the current local date and time

00:01:093 Process Operations, miscellaneous Install a new hook procedure (type: WH_MSGFILTER)

00:01:093 Process Operations, miscellaneous Install a new hook procedure (type: WH_KEYBOARD)

00:01:110 Process Operations, miscellaneous Initialized COM library for the current thread and set it in the concurrency mode

00:01:125 Process Created {FA445657-9379-11D6-B41A-00065B83EE53}

00:01:172 File Operations, miscellaneous Obtained the current directory for the current process

00:01:187 File Operations, miscellaneous Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*

00:01:187 File Operations, miscellaneous Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\*.*

00:01:391 File Operations, miscellaneous Searched a directory for the name: C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

00:01:406 Process Created {1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}

00:01:422 Files Read C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

00:01:500 Socket Activities Retrieved the name of the network resource associated with a local device

00:01:516 Others Obtained the current system date and time in Coordinated Universal Time (UTC) format

00:01:547 File Operations, miscellaneous Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

00:01:672 Process Created {88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}

00:01:687 Process Created {88D969EF-F192-11D4-A65F-0040963251E5}

00:01:797 Registry Read HKLM\Software\Microsoft\VBA (value: Vbe6DllPath)

00:01:797 Registry Opened HKLM\Software\Microsoft\VBA

00:01:812 Others Retrieved information about a locale specified by an identifier

00:01:812 Registry Opened HKCR\Licenses

00:01:827 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\9

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}

00:01:844 Registry Read Enumerated registry keys

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0\win32

00:01:844 Registry Opened HKCR\TypeLib

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\409

00:01:844 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common

00:01:844 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common (value: RequireDeclaration)

00:01:844 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common (value: NotifyUserBeforeStateLoss)

00:01:844 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common (value: CompileOnDemand)

00:01:844 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common (value: BreakOnServerErrors)

00:01:844 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common (value: BreakOnAllErrors)

00:01:844 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common (value: BackGroundCompile)

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

00:02:280 Process Created {DFFACDC5-679F-4156-8947-C5C76BC0B67F}

00:02:280 Process Created {0E5AAE11-A475-4C5B-AB00-C66DE400274E}

00:02:391 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\e76f95de-9a60-474e-bc19-d357098c474a.LNK

00:02:421 Thread Created 65001f64

00:02:484 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\hjnmlsfmmz.LNK

00:02:687 Files Read C:\Users\Public\287.txt

00:02:766 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

00:02:766 Files Read C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

00:02:766 File Operations, miscellaneous Retrieved the path of the directory designated for temporary files

00:02:766 File Operations, miscellaneous Created a name for a temporary file

00:02:905 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Public.LNK

00:03:062 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\287.LNK

00:03:078 Files Read C:\Users\Public\287.xls

00:03:296 Process Created {88D969E5-F192-11D4-A65F-0040963251E5}

00:03:546 Process Created {871C5380-42A0-1069-A2EA-08002B30309D}

00:03:578 Process Created {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

00:03:609 Process Created c:\windows\system32\certutil.exe ("c:\windows\system32\certutil.exe" -decode c:\users\public\287.txt c:\users\public\287a.txt)

00:03:766 Process Operations, miscellaneous Enabled an application to supersede the top-level exception handler

00:03:766 File Operations, miscellaneous Retrieved the full path for the module

00:03:766 Others Retrieved information about a locale specified by an identifier

00:03:780 Files Read C:\Windows

00:03:780 File Operations, miscellaneous Created a name for a temporary file

00:03:780 Files Deleted C:\Windows\cerE3B8.tmp

00:03:812 Others Obtained the current system date and time in Coordinated Universal Time (UTC) format

00:03:812 Others Retrieved the current local date and time

00:03:828 Process killed Ended itself and all of its threads

00:03:828 Files Created C:\Users\Public\287a.txt (access: Write, attributes: Normal)

00:06:625 Process Created c:\windows\system32\certutil.exe ("c:\windows\system32\certutil.exe" -decodehex c:\users\public\287a.txt c:\users\public\287.dll)

00:06:750 Files Deleted C:\Windows\cerEF51.tmp

00:06:781 Files Created C:\Users\Public\287.dll (access: Write, attributes: Normal)

00:09:656 Process Created c:\windows\system32\rundll32.exe ("c:\windows\system32\rundll32.exe" c:\users\public\287.dll,d)

00:09:671 File Operations, miscellaneous Retrieved the full path for the module

00:09:671 File Operations, miscellaneous Obtained a set of FAT file system attributes for a file or directory

00:09:671 Process Operations, miscellaneous ffffffff

00:09:671 Process Operations, miscellaneous Enabled an application to supersede the top-level exception handler

00:09:812 Network Operations, miscellaneous Set an Internet option: 6

00:09:812 Network Operations, miscellaneous Set an Internet option: 5

00:09:812 Network Operations, miscellaneous Set an Internet option: 2

00:09:843 Process Operations, miscellaneous Established a connection to the service control manager and open the service control manager database

00:09:843 Process Operations, miscellaneous Obtained the current status of a service

00:09:843 Process Opened Terminated an existing service's handle:sens

00:09:843 Process Opened Opened an existing service sens

00:09:875 Registry Read HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: ProxyEnable)

00:09:875 Registry Opened HKLM\System\Setup

00:09:875 Registry Read HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: ProxyOverride)

00:09:875 Registry Read HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: AutoConfigURL)

00:09:875 Registry Read HKLM\System\Setup (value: SystemSetupInProgress)

00:09:875 Registry Opened HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

00:09:875 Registry Opened HKU\S-1-5-21-2969830022-2362906686-2146684197-500

00:09:875 Registry Read HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections (value: SavedLegacySettings)

00:09:875 Registry Read HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: ProxyServer)

00:09:875 Registry Read HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections (value: DefaultConnectionSettings)

00:09:875 Process Operations, miscellaneous Opened the access token associated with a process

00:09:875 Process Operations, miscellaneous Opened the access token associated with a thread

00:09:875 Process Operations, miscellaneous Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

00:09:875 Others Obtained information about an access token

00:09:875 Others Retrieved the user's logon name

00:09:875 Registry Created HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

00:09:890 Registry Opened HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig

00:09:890 Registry Opened HKCR\AutoProxyTypes\Application/x-internet-signup

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig (value: Flags)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig (value: FileExtensions)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig (value: DllFile)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig (value: Default)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-internet-signup (value: Flags)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-internet-signup (value: FileExtensions)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-internet-signup (value: DllFile)

00:09:890 Registry Read HKCR\AutoProxyTypes\Application/x-internet-signup (value: Default)

00:09:890 Registry Modified HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable = 0 (REG_DWORD)

00:09:890 Registry Opened HKCR\AutoProxyTypes

00:09:890 Registry Created HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

00:09:890 Others Expanded environment-variable strings and replaced them with the values defined for the current user

00:09:890 Registry Deleted HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: AutoConfigURL)

00:09:890 Others Initialized a critical section object and set the spin count for the critical section

00:09:890 Registry Deleted HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: ProxyServer)

00:09:890 Registry Deleted HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings (value: ProxyOverride)

00:09:906 Thread Created 75ef97be

00:09:906 Socket Activities Created a socket

00:09:906 DNS Queries Translated a host name into an IP address

00:09:906 Network Operations, miscellaneous Retrieved the Internet connected state of the local system

00:09:906 Registry Modified HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 46 (REG_BINARY)

00:09:906 Network Operations, miscellaneous Set an Internet option: 4a

00:09:906 Network Operations, miscellaneous Set an Internet option: 49

00:09:953 Network Operations, miscellaneous Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; infopath.2; .net4.0c; .net4.0e), Access type: PRECONFIG, Flags: PORT_NUMBER

00:09:953 Socket Activities Obtained the local name (address) for a socket

00:09:953 Network Operations, miscellaneous Set an Internet option: 2d

00:09:953 Socket Activities IP:127.0.0.1, Port:46292

00:09:953 Socket Activities IP:127.0.0.1, Port:0

00:09:953 Network Operations, miscellaneous Set an Internet option: 6c

00:09:968 Registry Opened HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

00:09:968 Registry Opened HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl

00:09:968 Registry Opened HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

00:09:968 Registry Opened HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

00:09:968 Registry Opened HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

00:09:968 Network Operations, miscellaneous Opened a HTTP or FTP session for a given site: 207.154.235.218

00:09:968 Network Operations, miscellaneous Verb: get, ObjectName: /campo/z/z, Version: , Referer: , Flags: 400010, Context: 610f40

00:09:968 Registry Opened HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl

00:09:984 Socket Activities Obtained information about a given networking service

00:10:000 Registry Opened HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

00:10:000 Registry Opened HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

00:10:000 Socket Activities Obtained information about next service in order of networking providers

00:10:000 Others Obtained the current system date and time in Coordinated Universal Time (UTC) format

00:10:000 Process Operations, miscellaneous Initialized COM library for the current thread and set it in the concurrency mode

00:10:000 Process Operations, miscellaneous Decremented a thread's suspend count

00:10:000 Thread Created 75efe44f

00:10:015 Network Operations, miscellaneous Set an Internet option: 3e

00:10:015 Network Operations, miscellaneous Set an Internet option: 66

00:10:015 Network Operations, miscellaneous Set an Internet option: 44

00:10:015 Network Operations, miscellaneous Set an Internet option: 65

00:10:015 Network Operations, miscellaneous Set an Internet option: 3a

00:10:015 Network Operations, miscellaneous Set an Internet option: 64

00:10:015 Network Operations, miscellaneous Set an Internet option: 56

00:10:015 Network Operations, miscellaneous Set an Internet option: 58

00:10:015 Network Operations, miscellaneous Set an Internet option: 41

00:10:031 Network Operations, miscellaneous Headers: , HeaderLength: 0, Optional: , OptionalLength: 0

00:10:046 DNS Queries Translated a host name WIN-AUPGCV3CTSS into an IP address

00:10:062 Process Created {DCB00C01-570F-4A9B-8D69-199FDBA5723B}

00:10:062 Process Created {00000323-0000-0000-C000-000000000046}

00:10:078 Process Created {A47979D2-C419-11D9-A5B4-001185AD2B89}

00:10:078 Process Created {0000032A-0000-0000-C000-000000000046}

00:10:093 Registry Opened HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}

00:10:093 Registry Opened HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad

00:10:093 Registry Read HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad (value: WpadLastNetwork)

00:12:640 DNS Queries Translated a host name WPAD into an IP address

00:12:828 Files Deleted C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Excel_restart.xml

00:21:125 Registry Created HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\52-54-00-bc-78-23

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecision = 3 (REG_DWORD)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecisionReason = 1 (REG_DWORD)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecisionTime = 938F7A40 (REG_BINARY)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork = {CC771B05-B3AC-42A3-AA57-C69F699B075A} (REG_SZ)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadNetworkName = Network 2 (REG_SZ)

00:21:125 Registry Modified HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46 (REG_BINARY)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23\WpadDecisionTime = 938F7A40 (REG_BINARY)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23\WpadDecisionReason = 1 (REG_DWORD)

00:21:125 Registry Modified HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23\WpadDecision = 3 (REG_DWORD)

00:21:125 Registry Opened HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23

00:21:141 DNS Queries Translated a host name 207.154.235.218 into an IP address

00:21:156 Socket Activities IP:207.154.235.218, Port:20480

00:21:156 Socket Activities IP:0.0.0.0, Port:0

00:21:156 Socket Activities Sent data on a connected socket

00:21:156 Socket Activities Received data from a connected or bound socket

00:21:156 Socket Activities Controlled the I/O mode of the newly created socket

00:21:156 Socket Activities Converted a short value from TCP/IP network byte order to host byte order

00:21:156 Socket Activities Converted a short value from host to TCP/IP network byte order

00:21:218 Process Operations, miscellaneous Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

00:21:266 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\~DF4FBD1279679237E9.TMP

00:21:266 Files Created C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel12.pip (access: Write, attributes: 8100000)

00:21:360 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\CVRD6F7.tmp.cvr

00:21:360 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\55031.od

00:21:360 Process killed Ended itself and all of its threads

00:21:860 Others Initialized a critical section object and set the spin count for the critical section

00:21:860 Process Operations, miscellaneous Enabled an application to supersede the top-level exception handler

00:21:860 Files Opened 19890709 (access: Read, attributes: Normal)

00:21:860 Files Created C:\Users\Public\287.dll (access: Read, attributes: Normal)

00:21:860 File Operations, miscellaneous Retrieved the full path for the module

00:23:687 Socket Activities Closed the socket

00:23:702 Process Created c:\programdata\ui1\ui1.exe

00:23:702 Process killed Ended itself and all of its threads

00:23:702 Process Operations, miscellaneous Deactivated the activation context corresponding to the specified cookie

Engine Analysis

Engine Threat Name Severity

GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High

GTI URL Reputation Malicious Sites ⬤ 5 - Very High

Gateway Anti-Malware RDN/Generic Dropper ⬤ 5 - Very High

Anti-Malware RDN/Generic Dropper ⬤ 5 - Very High

YARA Custom Rules

Sandbox Malware.Dynamic ⬤ 3 - Medium

Final ⬤ 5 - Very High

Sample is malicious: final severity level 5

Embedded/Dropped content

MD5 Name Category

B4164149FFC43C2BF55CB66922E738B0 287.dll * ---

A9785077E79D7CD71C7436FC03626C48 287a.txt * ---

C9DCB40CDA09159AD0F8A55BCC81AD01 e76f95de-9a60-474e-bc19-d357098c474a.vba * ---

0DAC27616DC859C94A6CC2E7FBEFEC3D Excel12.pip * ---

* Attachments were extracted from the sample file and stored in the dropfiles.zip

Screenshots

Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample

Images: 2

10a7a.jpg
105c7.jpg

62665.xls

Run-Time Dlls: 8
api-ms-win-appmodel-runtime-l1-1-0.dll

mso.dll

vbe6intl.dll

vbe6.dll

comctl32.dll

oleaut32.dll

shlwapi.dll

version.dll

File Operations: 35

Files Created

File Name Access Mode File Attributes

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel12.pip Write 8100000

Files Opened

File Name Access Mode File Attributes

C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config Read Normal

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll 20000 10000000


C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll 20000 10000000

Files Deleted

C:\Users\ADMINI~1\AppData\Local\Temp\55031.od

C:\Users\ADMINI~1\AppData\Local\Temp\CVRD6F7.tmp.cvr

C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

C:\Users\ADMINI~1\AppData\Local\Temp\~DF4FBD1279679237E9.TMP

C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Excel_restart.xml

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\287.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Public.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\e76f95de-9a60-474e-bc19-d357098c474a.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\hjnmlsfmmz.LNK

Files Read

C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

C:\Users\Public\287.txt

C:\Users\Public\287.xls

C:\Windows\Microsoft.NET\Framework\

C:\Windows\Microsoft.NET\Framework\v2.0.50727

C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

Other

Created a name for a temporary file

Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

Obtained a set of FAT file system attributes for a file or directory

Obtained the current directory for the current process

Obtained the path of the Windows system directory

Retrieved the full path for the module

Retrieved the path of the directory designated for temporary files

Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\*.*

Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*

Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*

Searched a directory for the name: C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

Registry Operations: 41

Registry Created

HKCU\Software\Microsoft\VBA\6.0\Common

Registry Opened

HKCR\Licenses

HKCR\TypeLib

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0\win32

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\409

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\9

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32

HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf

HKCU\Software\Microsoft\.NETFramework

HKCU\Software\Microsoft\Office\12.0\Excel

HKLM\SOFTWARE\Microsoft\Fusion

HKLM\SOFTWARE\Microsoft\VBA\Monitors

HKLM\Software\Microsoft\.NETFramework

HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

HKLM\Software\Microsoft\VBA

HKLM\Software\Microsoft\Windows\CurrentVersion

Registry Read

Enumerated registry keys

HKCU\Software\Microsoft\Office\12.0\Excel DisableThreadAffinity

HKCU\Software\Microsoft\VBA\6.0\Common BackGroundCompile

HKCU\Software\Microsoft\VBA\6.0\Common BreakOnAllErrors

HKCU\Software\Microsoft\VBA\6.0\Common BreakOnServerErrors

HKCU\Software\Microsoft\VBA\6.0\Common CompileOnDemand

HKCU\Software\Microsoft\VBA\6.0\Common NotifyUserBeforeStateLoss

HKCU\Software\Microsoft\VBA\6.0\Common RequireDeclaration

HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks

HKLM\Software\Microsoft\.NETFramework InstallRoot

HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR

HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue

HKLM\Software\Microsoft\VBA Vbe6DllPath

HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir

Other

Enumerated the values for an open registry key


Process Operations: 27

Process Created

Process Name Module

"c:\windows\system32\certutil.exe" -decode c:\users\public\287.txt


c:\windows\system32\certutil.exe
c:\users\public\287a.txt

"c:\windows\system32\certutil.exe" -decodehex c:\users\public\287a.txt


c:\windows\system32\certutil.exe
c:\users\public\287.dll

c:\windows\system32\rundll32.exe "c:\windows\system32\rundll32.exe" c:\users\public\287.dll,d

{0E5AAE11-A475-4C5B-AB00-C66DE400274E}

{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}

{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

{871C5380-42A0-1069-A2EA-08002B30309D}

{88D969E5-F192-11D4-A65F-0040963251E5}

{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}

{88D969EF-F192-11D4-A65F-0040963251E5}

{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}

{DFFACDC5-679F-4156-8947-C5C76BC0B67F}

{FA445657-9379-11D6-B41A-00065B83EE53}

Process killed

Ended itself and all of its threads

Thread Created

2f7e368f

65001f64

Other

Changed the protection attribute of process address: 0x2f8630dc, new attribute: Execute_Read

Changed the protection attribute of process address: 0x2f8630dc, new attribute: Execute_ReadWrite

Deactivated the activation context corresponding to the specified cookie

Initialized COM library for the current thread and set it in the concurrency mode

Install a new hook procedure (type: WH_KEYBOARD)

Install a new hook procedure (type: WH_MSGFILTER)

Obtained the contents of the specified variable from the environment block of the calling process

Obtained the identifier of the thread or process that created the specified window

Queried the activation context

Retrieved information on a specific string in the current activation context


Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

Network Operations: 1

Socket Activities

Retrieved the name of the network resource associated with a local device

Other Operations: 6

Others

Initialized a critical section object and set the spin count for the critical section

Obtained the current system date and time in Coordinated Universal Time (UTC) format

Obtained the system metric or system configuration setting

Recorded system information

Retrieved information about a locale specified by an identifier

Retrieved the current local date and time

certutil.exe

File Operations: 7

Files Created

File Name Access Mode File Attributes

C:\Users\Public\287.dll Write Normal

C:\Users\Public\287a.txt Write Normal

Files Deleted

C:\Windows\cerE3B8.tmp

C:\Windows\cerEF51.tmp

Files Read

C:\Windows

Other

Created a name for a temporary file

Retrieved the full path for the module

Process Operations: 2

Process killed

Ended itself and all of its threads

Other

Enabled an application to supersede the top-level exception handler

Other Operations: 3

Others

Obtained the current system date and time in Coordinated Universal Time (UTC) format

Retrieved information about a locale specified by an identifier

Retrieved the current local date and time


rundll32.exe

Run-Time Dlls: 11
287.dll

dfdts.dll

dhcpcsvc.dll

iphlpapi.dll

kernel32.dll

normaliz.dll

ole32.dll

oleaut32.dll

rasapi32.dll

sensapi.dll

urlmon.dll

File Operations: 2

Other

Obtained a set of FAT file system attributes for a file or directory

Retrieved the full path for the module

Registry Operations: 50

Registry Created

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\52-54-00-bc-78-23

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

Registry Opened

HKCR\AutoProxyTypes

HKCR\AutoProxyTypes\Application/x-internet-signup

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

HKLM\System\Setup

HKU\S-1-5-21-2969830022-2362906686-2146684197-500

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

Registry Deleted

Key Value

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings AutoConfigURL

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyOverride

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyServer

Registry Modified

Key NewValue Type

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23\WpadDecision 3 REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23\WpadDecisionReason 1 REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23\WpadDecisionTime 938F7A40 REG_BINARY

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork {CC771B05-B3AC-42A3-AA57-C69F699B075A} REG_SZ

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecision 3 REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecisionReason 1 REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecisionTime 938F7A40 REG_BINARY

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadNetworkName Network 2 REG_SZ

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings 46 REG_BINARY

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings 46 REG_BINARY

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable 0 REG_DWORD

Registry Read

HKCR\AutoProxyTypes\Application/x-internet-signup Default

HKCR\AutoProxyTypes\Application/x-internet-signup DllFile

HKCR\AutoProxyTypes\Application/x-internet-signup FileExtensions

HKCR\AutoProxyTypes\Application/x-internet-signup Flags

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig Default

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig DllFile

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig FileExtensions

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig Flags

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad WpadLastNetwork

HKLM\System\Setup SystemSetupInProgress

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings AutoConfigURL

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyOverride

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyServer

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings

Process Operations: 21

Process Created

Process Name Module

c:\programdata\ui1\ui1.exe

{00000323-0000-0000-C000-000000000046}

{0000032A-0000-0000-C000-000000000046}

{A47979D2-C419-11D9-A5B4-001185AD2B89}

{DCB00C01-570F-4A9B-8D69-199FDBA5723B}

Process Opened

Process Name/Address PID/Process Name

Opened an existing service sens

Terminated an existing service's handle:sens

Process killed

Ended itself and all of its threads

Thread Created

75ef97be

75efe44f

Other

Deactivated the activation context corresponding to the specified cookie

Decremented a thread's suspend count

Enabled an application to supersede the top-level exception handler

Established a connection to the service control manager and opened the service control manager database

Initialized COM library for the current thread and set it in the concurrency mode

Obtained the current status of a service

Opened the access token associated with a process

Opened the access token associated with a thread

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

ffffffff

Network Operations: 39

DNS Queries

Translated a host name into an IP address

Translated a host name 207.154.235.218 into an IP address

Translated a host name WIN-AUPGCV3CTSS into an IP address

Translated a host name WPAD into an IP address

Socket Activities

Closed the socket

Controlled the I/O mode of the newly created socket

Converted a short value from TCP/IP network byte order to host byte order

Converted a short value from host to TCP/IP network byte order

Created a socket

IP:0.0.0.0, Port:0

IP:127.0.0.1, Port:0

IP:127.0.0.1, Port:46292

IP:207.154.235.218, Port:20480

Obtained information about a given networking service

Obtained information about next service in order of networking providers

Obtained the local name (address) for a socket

Received data from a connected or bound socket

Sent data on a connected socket

Other

Headers: , HeaderLength: 0, Optional: , OptionalLength: 0

Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; infopath.2; .net4.0c; .net4.0e), Access type: PRECONFIG Flags: PORT_NUMBER

Opened a HTTP or FTP session for a given site: 207.154.235.218

Retrieved the Internet connected state of the local system

Set an Internet option: 2

Set an Internet option: 2d

Set an Internet option: 3a

Set an Internet option: 3e

Set an Internet option: 41

Set an Internet option: 44

Set an Internet option: 49

Set an Internet option: 4a

Set an Internet option: 5

Set an Internet option: 56

Set an Internet option: 58

Set an Internet option: 6

Set an Internet option: 64


Set an Internet option: 65

Set an Internet option: 66

Set an Internet option: 6c

Verb: get, ObjectName: /campo/z/z, Version: , Referer: , Flags: 400010, Context: 610f40

Other Operations: 5

Others

Expanded environment-variable strings and replaced them with the values defined for the current user

Initialized a critical section object and set the spin count for the critical section

Obtained information about an access token

Obtained the current system date and time in Coordinated Universal Time (UTC) format

Retrieved the user's logon name

McAfee Active Response

Status: Product is not Available

© 2020 McAfee, LLC. All rights reserved.


© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
