0% found this document useful (0 votes)

69 views

Threat Analysis Report: Hash Values File Details Environment

The document provides a threat analysis report for a file called 62665.xls. It was detected as malware by McAfee Advanced Threat Defense. The report details the file properties, detected behaviors and their severity levels, connected websites, processes analyzed, and timeline of activity. Techniques observed that could be used by an adversary are also listed.

Uploaded by

todo nothing

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

69 views

Threat Analysis Report: Hash Values File Details Environment

Uploaded by

todo nothing

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 25

McAfee Advanced Threat Defense

| Threat Analysis Report

File Name 62665.xls Threat Level ⬤ 5 - Very High

Malware Name TYPE_TROJAN Engine GTI File Reputation

File Submitted 2021-04-19 03:46:03 UTC Processing Time 46 seconds

File Size 118,784 bytes Sandbox Replication 38 seconds

Show More Hash Values File Details Environment

MD5 Hash Identifier F23ACD80B83B3BC1EA1503E94E1831F8

SHA-1 Hash Identifier B7FA3A434710EA5B4AC48A3B46D0339EFC84542B

SHA-256 Hash
5DE6C7BA93850C642099DB3239AAE491BD93BC2DBDFD4FECFDD64E5D9A9D4685
Identifier

Screenshots 2

Hide hash values

File Type Composite Document File V2 Document, Microsoft Office Application

Hide file details

Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit

Windows® Internet Explorer version: 8.0.7601.17514

Microsoft Office version: 2007

PDF Reader version: 11.0

No Flash player installed

Flash player plugin version: 22.0.0.209

Platform Version 4.12.0.7

Detection Package Version 4.12.0.201112

Hide environment

Behavior Classification

Behavior Severity

Exploiting, Shellcode ⬤ 3 - Medium

Detected executable files embedded in or dropped by the sample ⬤ 3 - Medium

Detected scripting content embedded in the sample ⬤ 2 - Low

⬤ 1-
Offile file contains VBA code
Informational

Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 2 - Low

Attempted to execute service ⬤ 2 - Low

⬤ 1-
Spawned Rundll32 Process
Informational

⬤ 1-
Retrieves a NetBIOS or DNS name associated with the local computer
Informational

⬤ 1-
Offile file contains VBA code
Informational
⬤ 1-
Changed the protection attribute of the process
Informational

Networking ⬤ 2 - Low

Queried for system network configuration information ⬤ 2 - Low

Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that

⬤ 2 - Low
WinInet attempts to resolve and connect to a host

Downloaded data from a webserver ⬤ 2 - Low

Connected to a specific service provider ⬤ 2 - Low

Altered Web Proxy Auto-Discovery Protocol (WPAD) for rerouting of the

⬤ 2 - Low
network traffic

⬤ 1-
Retrieved the name of the network resource associated with a local device
Informational

⬤ 1-
Offile file contains VBA code
Informational

Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 2 - Low

Set hook procedure to control system activities ⬤ 2 - Low

⬤ 1-
Offile file contains VBA code
Informational

⬤ 1-
Contained long sleep
Informational

Persistence, Installation Boot Survival ⬤ 1 - Informational

⬤ 1-
Offile file contains VBA code
Informational

Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection ⬤ 1 - Informational

Retrieved system information such as Processor Architecture,Number ⬤ 1-

Processors,Processor Type Informational

⬤ 1-
Offile file contains VBA code
Informational

⬤ 1-
Obtained user's logon name
Informational

⬤ 1-
Contained long sleep
Informational

Spreading ⬤ 1 - Informational

⬤ 1-
Offile file contains VBA code
Informational

GTI Web/URL Reputation

Connected Sites: 2

URL Port Reputation Category Name Risk Group Functional Group

207.154.235.218 80 High Risk Malicious Sites Security Risk/Fraud/Crime

WIN-AUPGCV3CTSS 80 Unknown Risk --- --- ---

Processes Analyzed
Name Reason Severity

62665.xls dropped by 62665.xls & loaded by MATD Analyzer ⬤ 3 - Medium

287.dll dropped by 62665.xls ⬤ Unverified

certutil.exe executed by excel ⬤ 1 - Informational

rundll32.exe executed by excel ⬤ 2 - Low

Timeline Activity

Processes Files Registry Operations Network Operations Multiple Operations

Select Any Area to Zoom In

62665.xls

287.dll

certutil.exe

rundll32.exe

0 3 6 9 12 15 18 21
Offset in seconds

Jump to Timeline Details

Techniques Observed (MITRE ATT&CK™ Matrix)

Technique Tactics

User Execution Execution

An adversary may rely upon specific actions by a user in order to gain execution.
This may be direct code execution, such as when a user opens a malicious executable
delivered via Spearphishing Attachment with the icon and apparent extension of a
document file. It also may lead to other execution techniques, such as when a user
clicks on a link delivered via Spearphishing Link that leads to exploitation of a
browser or application vulnerability via Exploitation for Client Execution. While
User Execution frequently occurs shortly after Initial Access it may occur at other
phases of an intrusion, such as when an adversary places a file in a shared directory
or on a user's desktop hoping that a user will click on it.

Offile file contains VBA code ⬤ 1 - Very Low

Service Execution Execution

Adversaries may execute a binary, command, or script via a method that interacts with
Windows services, such as the Service Control Manager. This can be done by either
creating a new service or modifying an existing service. This technique is the
execution used in conjunction with New Service and Modify Existing Service during
service persistence or privilege escalation.

Attempted to execute service ⬤ 2 - Low

Scripting Execution, Defense Evasion

Adversaries may use scripts to aid in operations and perform multiple actions that
would otherwise be manual. Scripting is useful for speeding up operational tasks and
reducing the time required to gain access to critical resources. Some scripting
languages may be used to bypass process monitoring mechanisms by directly interacting
with the operating system at an API level instead of calling other programs. Common
scripting languages for Windows include VBScript and PowerShell but could also be in
the form of command-line batch scripts.

Detected executable files embedded in or dropped

⬤ 3 - Medium
by the sample

Detected scripting content embedded in the sample ⬤ 2 - Low

Rundll32 Execution, Defense Evasion

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries

may take advantage of this functionality to proxy execution of code to avoid
triggering security tools that may not monitor execution of the rundll32.exe process
because of whitelists or false positives from Windows using rundll32.exe for normal
operations.

Spawned Rundll32 Process ⬤ 1 - Very Low

Hooking Persistence, Privilege Escalation, Credential Access

Windows processes often leverage application programming interface (API) functions to

perform tasks that require reusable system resources. Windows API functions are
typically stored in dynamic-link libraries (DLLs) as exported functions.

Set hook procedure to control system activities ⬤ 2 - Low

Network Share Discovery Discovery

Networks often contain shared network drives and folders that enable users to access
file directories on various systems across a network.

Retrieved the name of the network resource

⬤ 1 - Very Low
associated with a local device

System Information Discovery Discovery

An adversary may attempt to get detailed information about the operating system and
hardware, including version, patches, hotfixes, service packs, and architecture.

Retrieves a NetBIOS or DNS name associated with

⬤ 1 - Very Low
the local computer

Retrieved system information such as Processor

⬤ 1 - Very Low
Architecture,Number Processors,Processor Type

Obtained user's logon name ⬤ 1 - Very Low

System Network Configuration Discovery Discovery

Adversaries will likely look for details about the network configuration and settings
of systems they access or through information discovery of remote systems. Several
operating system administration utilities exist that can be used to gather this
information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Queried for system network configuration

⬤ 2 - Low
information

Remote File Copy Lateral Movement, Command and Control

Files may be copied from one system to another to stage adversary tools or other
files over the course of an operation. Files may be copied from an external
adversary-controlled system through the Command and Control channel to bring tools
into the victim network or through alternate protocols with another tool such as FTP.
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and
sftp.

Connected to a specific service provider ⬤ 2 - Low

Standard Application Layer Protocol Command and Control

Adversaries may communicate using a common, standardized application layer protocol
such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing
traffic. Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server.

Downloaded data from a webserver ⬤ 2 - Low

Connected to a specific service provider ⬤ 2 - Low

Commonly Used Port Command and Control

Adversaries may communicate over a commonly used port to bypass firewalls or network
detection systems and to blend with normal network activity to avoid more detailed
inspection.

Connected to a specific service provider ⬤ 2 - Low

Timeline Activity Details

Time Offset Event Details

Process Operations,
00:00:000 )"54515
miscellaneous

Process Operations, Obtained the contents of the specified variable from the environment block of the
00:00:485
miscellaneous calling process

File Operations,
00:00:500 Obtained the path of the Windows system directory
miscellaneous

00:00:500 Registry Opened HKLM\Software\Microsoft\Windows\CurrentVersion

File Operations,
00:00:500 Retrieved the full path for the module
miscellaneous

Process Operations, Changed the protection attribute of process address: 0x2f8630dc, new attribute:
00:00:500
miscellaneous Execute_ReadWrite

Process Operations, Changed the protection attribute of process address: 0x2f8630dc, new attribute:
00:00:500
miscellaneous Execute_Read

HKLM\Software\Microsoft\Windows\CurrentVersion
00:00:500 Registry Read
CommonFilesDir

Process Operations, Retrieved information on a specific string in the current activation context
00:00:500
miscellaneous

00:00:500 Others Initialized a critical section object and set the spin count for the critical section

00:00:531 Registry Opened HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf

00:00:578 Others Obtained the system metric or system configuration setting

Process Operations, Deactivated the activation context corresponding to the specified cookie
00:00:578
miscellaneous

Process Operations, Queried the activation context

00:00:578
miscellaneous

2f7e368f
00:00:641 Thread Created

00:00:641 Others Recorded system information

00:00:641 Registry Opened HKCU\Software\Microsoft\Office\12.0\Excel

HKCU\Software\Microsoft\Office\12.0\Excel
00:00:641 Registry Read
DisableThreadAffinity

{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}
00:00:656 Process Created

Process Operations,
00:00:672 Obtained the identifier of the thread or process that created the specified window
miscellaneous

00:00:703 Registry Opened HKCU\Software\Microsoft\.NETFramework

C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config

Read
00:00:766 Files Opened
Normal

HKLM\Software\Microsoft\.NETFramework
00:00:766 Registry Read
UseLegacyV2RuntimeActivationPolicyDefaultValue

HKLM\Software\Microsoft\.NETFramework
00:00:766 Registry Read
OnlyUseLatestCLR

HKLM\Software\Microsoft\.NETFramework
00:00:766 Registry Read
InstallRoot

File Operations,
00:00:766 Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous

00:00:766 Registry Opened HKLM\Software\Microsoft\.NETFramework

File Operations,
00:00:766 Obtained a set of FAT file system attributes for a file or directory
miscellaneous

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll
20000
00:00:766 Files Opened
10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll
20000
00:00:766 Files Opened
10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll
20000
00:00:766 Files Opened
10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll
20000
00:00:766 Files Opened
10000000

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll
20000
00:00:766 Files Opened
10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll
20000
00:00:766 Files Opened
10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll
20000
00:00:766 Files Opened
10000000

00:00:766 Files Read C:\Windows\Microsoft.NET\Framework\

00:00:781 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion

HKLM\SOFTWARE\Microsoft\Fusion
00:00:781 Registry Read
NoClientChecks

Registry Operations, Enumerated the values for an open registry key

00:00:781
miscellaneous

00:00:781 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

00:00:781 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

00:00:828 Others Retrieved the current local date and time

Process Operations,
00:01:093 Install a new hook procedure (type: WH_MSGFILTER)
miscellaneous

Process Operations,
00:01:093 Install a new hook procedure (type: WH_KEYBOARD)
miscellaneous

Process Operations,
00:01:110 Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous

{FA445657-9379-11D6-B41A-00065B83EE53}
00:01:125 Process Created

File Operations,
00:01:172 Obtained the current directory for the current process
miscellaneous

File Operations, Searched a directory for the name:

00:01:187
miscellaneous C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*

File Operations, Searched a directory for the name: C:\Program Files (x86)\Microsoft
00:01:187
miscellaneous Office\Office12\xlstart\*.*

File Operations, Searched a directory for the name: C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-

00:01:391
miscellaneous d357098c474a.xls

{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
00:01:406 Process Created

00:01:422 Files Read C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

00:01:500 Socket Activities Retrieved the name of the network resource associated with a local device

Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:01:516 Others
format

File Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or
00:01:547
miscellaneous network drive

{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
00:01:672 Process Created

{88D969EF-F192-11D4-A65F-0040963251E5}
00:01:687 Process Created

HKLM\Software\Microsoft\VBA
00:01:797 Registry Read
Vbe6DllPath

00:01:797 Registry Opened HKLM\Software\Microsoft\VBA

00:01:812 Others Retrieved information about a locale specified by a identifier

00:01:812 Registry Opened HKCR\Licenses

00:01:827 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\9

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}

Enumerated registry keys

00:01:844 Registry Read

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0\win32

00:01:844 Registry Opened HKCR\TypeLib

00:01:844 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\409

00:01:844 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common

HKCU\Software\Microsoft\VBA\6.0\Common
00:01:844 Registry Read
RequireDeclaration

HKCU\Software\Microsoft\VBA\6.0\Common
00:01:844 Registry Read
NotifyUserBeforeStateLoss

HKCU\Software\Microsoft\VBA\6.0\Common
00:01:844 Registry Read
CompileOnDemand

HKCU\Software\Microsoft\VBA\6.0\Common
00:01:844 Registry Read
BreakOnServerErrors

HKCU\Software\Microsoft\VBA\6.0\Common
00:01:844 Registry Read
BreakOnAllErrors

HKCU\Software\Microsoft\VBA\6.0\Common
00:01:844 Registry Read
BackGroundCompile

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

00:01:860 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

00:01:860 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
00:02:280 Process Created

{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
00:02:280 Process Created

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\e76f95de-9a60-
00:02:391 Files Deleted
474e-bc19-d357098c474a.LNK

65001f64
00:02:421 Thread Created

00:02:484 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\hjnmlsfmmz.LNK

00:02:687 Files Read C:\Users\Public\287.txt

00:02:766 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

00:02:766 Files Read C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

File Operations,
00:02:766 Retrieved the path of the directory designated for temporary files
miscellaneous

Created a name for a temporary file

File Operations,
00:02:766
miscellaneous

00:02:905 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Public.LNK

00:03:062 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\287.LNK

00:03:078 Files Read C:\Users\Public\287.xls

{88D969E5-F192-11D4-A65F-0040963251E5}
00:03:296 Process Created

{871C5380-42A0-1069-A2EA-08002B30309D}
00:03:546
Process Created

{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
00:03:578 Process Created

c:\windows\system32\certutil.exe
"c:\windows\system32\certutil.exe" -decode c:\users\public\287.txt
00:03:609 Process Created
c:\users\public\287a.txt

Process Operations,
00:03:766 Enabled an application to supersede the top-level exception handler
miscellaneous

File Operations,
00:03:766 Retrieved the full path for the module
miscellaneous

00:03:766 Others Retrieved information about a locale specified by a identifier

00:03:780 Files Read C:\Windows

Created a name for a temporary file

File Operations,
00:03:780
miscellaneous

00:03:780 Files Deleted C:\Windows\cerE3B8.tmp

Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:03:812 Others
format

00:03:812 Others Retrieved the current local date and time

00:03:828 Process killed Ended itself and all of its threads

C:\Users\Public\287a.txt
Write
00:03:828 Files Created
Normal

c:\windows\system32\certutil.exe
"c:\windows\system32\certutil.exe" -decodehex c:\users\public\287a.txt
00:06:625 Process Created
c:\users\public\287.dll

00:06:750 Files Deleted C:\Windows\cerEF51.tmp

C:\Users\Public\287.dll
Write
00:06:781 Files Created Normal

c:\windows\system32\rundll32.exe
00:09:656 Process Created "c:\windows\system32\rundll32.exe" c:\users\public\287.dll,d

File Operations,
00:09:671 Retrieved the full path for the module
miscellaneous

File Operations,
00:09:671 Obtained a set of FAT file system attributes for a file or directory
miscellaneous

Process Operations,
00:09:671 ffffffff
miscellaneous

Process Operations,
00:09:671 Enabled an application to supersede the top-level exception handler
miscellaneous

Network Operations,
00:09:812 Set an Internet option: 6
miscellaneous

Network Operations,
00:09:812 Set an Internet option: 5
miscellaneous

Network Operations,
00:09:812 Set an Internet option: 2
miscellaneous

Process Operations, Established a connection to the service control manager and open the service control
00:09:843 miscellaneous manager database

Process Operations,
00:09:843 Obtained the current status of a service
miscellaneous

00:09:843 Process Opened Terminated an existing service's handle:sens

Opened an existing service sens

00:09:843 Process Opened

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Read 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable

00:09:875 Registry Opened HKLM\System\Setup

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Read 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyOverride

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Read 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
AutoConfigURL

HKLM\System\Setup
00:09:875 Registry Read
SystemSetupInProgress

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Opened
500\Software\Microsoft\windows\CurrentVersion\Internet Settings

00:09:875 Registry Opened HKU\S-1-5-21-2969830022-2362906686-2146684197-500

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Read 500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Read 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyServer

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Read 500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings

Process Operations,
00:09:875 Opened the access token associated with a process
miscellaneous

Process Operations,
00:09:875 Opened the access token associated with a thread
miscellaneous

Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
00:09:875
miscellaneous interval elapses

00:09:875 Others Obtained information about an access token

00:09:875 Others Retrieved the user's logon name

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:875 Registry Created
500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

00:09:890 Registry Opened HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig

00:09:890 Registry Opened HKCR\AutoProxyTypes\Application/x-internet-signup

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig
00:09:890 Registry Read
Flags

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig
00:09:890 Registry Read
FileExtensions

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig
00:09:890 Registry Read
DllFile

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig
00:09:890 Registry Read
Default

HKCR\AutoProxyTypes\Application/x-internet-signup
00:09:890 Registry Read
Flags
HKCR\AutoProxyTypes\Application/x-internet-signup
00:09:890 Registry Read
FileExtensions

HKCR\AutoProxyTypes\Application/x-internet-signup
00:09:890 Registry Read
DllFile

HKCR\AutoProxyTypes\Application/x-internet-signup
00:09:890 Registry Read
Default

HKU\S-1-5-21-2969830022-2362906686-2146684197-
500\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
00:09:890 Registry Modified
0
REG_DWORD

00:09:890 Registry Opened HKCR\AutoProxyTypes

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:890 Registry Created
500\Software\Microsoft\windows\CurrentVersion\Internet Settings

Expanded environment-variable strings and replace them with the values defined for
00:09:890 Others
the current use

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:890 Registry Deleted 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
AutoConfigURL

00:09:890 Others Initialized a critical section object and set the spin count for the critical section

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:890 Registry Deleted 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyServer

HKU\S-1-5-21-2969830022-2362906686-2146684197-
00:09:890 Registry Deleted 500\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyOverride

75ef97be
00:09:906 Thread Created

00:09:906 Socket Activities Created a socket

00:09:906 DNS Queries Translated a host name into an IP address

Network Operations,
00:09:906 Retrieved the Internet connected state of the local system
miscellaneous

HKU\S-1-5-21-2969830022-2362906686-2146684197-
500\Software\Microsoft\windows\CurrentVersion\Internet
00:09:906 Registry Modified Settings\Connections\SavedLegacySettings
46
REG_BINARY

Network Operations,
00:09:906 Set an Internet option: 4a
miscellaneous

Network Operations,
00:09:906 Set an Internet option: 49
miscellaneous

Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0;
Network Operations, windows nt 6.1; wow64; trident/4.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr
00:09:953
miscellaneous 3.0.30729; media center pc 6.0; infopath.2; .net4.0c; .net4.0e), Access type: PRECONFIG
Flags: PORT_NUMBER

00:09:953 Socket Activities Obtained the local name (address) for a socket

Network Operations,
00:09:953 Set an Internet option: 2d
miscellaneous

00:09:953 Socket Activities IP:127.0.0.1, Port:46292

00:09:953 Socket Activities IP:127.0.0.1, Port:0

Network Operations,
00:09:953 Set an Internet option: 6c
miscellaneous

HKCU\Software\Microsoft\Internet
00:09:968 Registry Opened
Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
00:09:968 Registry Opened HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl

HKCU\Software\Microsoft\Internet
00:09:968 Registry Opened
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

HKLM\Software\Microsoft\Internet
00:09:968 Registry Opened
Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

HKLM\Software\Microsoft\Internet
00:09:968 Registry Opened
Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

Network Operations,
00:09:968 Opened a HTTP or FTP session for a given site: 207.154.235.218
miscellaneous

Network Operations,
00:09:968 miscellaneous Verb: get, ObjectName: /campo/z/z, Version: , Referer: , Flags: 400010, Context: 610f40

00:09:968 Registry Opened HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl

00:09:984 Socket Activities Obtained information about a given networking service

HKCU\Software\Microsoft\Internet
00:10:000 Registry Opened
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

HKLM\Software\Microsoft\Internet
00:10:000 Registry Opened
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

00:10:000 Socket Activities Obtained information about next service in order of networking providers

Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:10:000 Others
format

Process Operations,
00:10:000 Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous

Process Operations, Decremented a thread's suspend count

00:10:000
miscellaneous

75efe44f
00:10:000 Thread Created

Network Operations,
00:10:015 Set an Internet option: 3e
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 66
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 44
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 65
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 3a
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 64
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 56
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 58
miscellaneous

Network Operations,
00:10:015 Set an Internet option: 41
miscellaneous

Network Operations,
00:10:031 Headers: , HeaderLength: 0, Optional: , OptionalLength: 0
miscellaneous

00:10:046 DNS Queries Translated a host name WIN-AUPGCV3CTSS into an IP address

{DCB00C01-570F-4A9B-8D69-199FDBA5723B}
00:10:062 Process Created
{00000323-0000-0000-C000-000000000046}
00:10:062 Process Created

{A47979D2-C419-11D9-A5B4-001185AD2B89}
00:10:078 Process Created

{0000032A-0000-0000-C000-000000000046}
00:10:078 Process Created

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\
00:10:093 Registry Opened
{CC771B05-B3AC-42A3-AA57-C69F699B075A}

00:10:093 Registry Opened HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
00:10:093 Registry Read
WpadLastNetwork

00:12:640 DNS Queries Translated a host name WPAD into an IP address

00:12:828 Files Deleted C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Excel_restart.xml

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\
00:21:125 Registry Created
{CC771B05-B3AC-42A3-AA57-C69F699B075A}\52-54-00-bc-78-23

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\
{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecision
00:21:125 Registry Modified
3
REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\
{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecisionReason
00:21:125 Registry Modified
1
REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\
{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadDecisionTime
00:21:125 Registry Modified
938F7A40
REG_BINARY

HKCU\Software\Microsoft\windows\CurrentVersion\Internet
Settings\Wpad\WpadLastNetwork
00:21:125 Registry Modified
{CC771B05-B3AC-42A3-AA57-C69F699B075A}
REG_SZ

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\
{CC771B05-B3AC-42A3-AA57-C69F699B075A}\WpadNetworkName
00:21:125 Registry Modified
Network 2
REG_SZ

HKU\S-1-5-21-2969830022-2362906686-2146684197-
500\Software\Microsoft\windows\CurrentVersion\Internet
00:21:125 Registry Modified Settings\Connections\DefaultConnectionSettings
46
REG_BINARY

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-
00-bc-78-23\WpadDecisionTime
00:21:125 Registry Modified
938F7A40
REG_BINARY

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-
00-bc-78-23\WpadDecisionReason
00:21:125 Registry Modified
1
REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-
00-bc-78-23\WpadDecision
00:21:125 Registry Modified
3
REG_DWORD

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-
00:21:125 Registry Opened
00-bc-78-23

00:21:141 DNS Queries Translated a host name 207.154.235.218 into an IP address

00:21:156 Socket Activities IP:207.154.235.218, Port:20480

00:21:156 Socket Activities IP:0.0.0.0, Port:0

00:21:156 Socket Activities Sent data on a connected socket

00:21:156 Socket Activities Received data from a connected or bound socket

00:21:156 Socket Activities Controlled the I/O mode of the newly created socket

00:21:156 Socket Activities Converted a short value from TCP/IP network byte order to host byte order

00:21:156 Socket Activities Converted a short value from host to TCP/IP network byte order

Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
00:21:218
miscellaneous interval elapses

00:21:266 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\~DF4FBD1279679237E9.TMP

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel12.pip
Write
00:21:266 Files Created
8100000

00:21:360 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\CVRD6F7.tmp.cvr

00:21:360 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\55031.od

00:21:360 Process killed Ended itself and all of its threads

00:21:860 Others Initialized a critical section object and set the spin count for the critical section

Process Operations,
00:21:860 Enabled an application to supersede the top-level exception handler
miscellaneous

19890709
Read
00:21:860 Files Opened
Normal

C:\Users\Public\287.dll
Read
00:21:860 Files Created
Normal

File Operations,
00:21:860 Retrieved the full path for the module
miscellaneous

00:23:687 Socket Activities Closed the socket

c:\programdata\ui1\ui1.exe
00:23:702 Process Created

00:23:702 Process killed Ended itself and all of its threads

Process Operations, Deactivated the activation context corresponding to the specified cookie
00:23:702
miscellaneous

Engine Analysis

Engine Threat Name Severity

GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High

GTI URL Reputation Malicious Sites ⬤ 5 - Very High

Gateway Anti-Malware RDN/Generic Dropper ⬤ 5 - Very High

Anti-Malware RDN/Generic Dropper ⬤ 5 - Very High

YARA
Custom Rules

Sandbox Malware.Dynamic ⬤ 3 - Medium

Final ⬤ 5 - Very High

Sample is malicious: final severity level 5

Embedded/Dropped content

MD5 Name Category

B4164149FFC43C2BF55CB66922E738B0 287.dll * ---

A9785077E79D7CD71C7436FC03626C48 287a.txt * ---

C9DCB40CDA09159AD0F8A55BCC81AD01 e76f95de-9a60-474e-bc19-d357098c474a.vba * ---

0DAC27616DC859C94A6CC2E7FBEFEC3D Excel12.pip * ---

* Attachments were extracted from the sample file and stored in the dropfiles.zip

Screenshots

Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample

Images: 2

10a7a.jpg
105c7.jpg

62665.xls

Run-Time Dlls: 8
api-ms-win-appmodel-runtime-l1-1-0.dll

mso.dll

vbe6intl.dll

vbe6.dll

comctl32.dll

oleaut32.dll

shlwapi.dll

version.dll

File Operations: 35

Files Created

File Name Access Mode File Attributes

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel12.pip Write 8100000

Files Opened

File Name Access Mode File Attributes

C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config Read Normal

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll 20000 10000000

Files Deleted

C:\Users\ADMINI~1\AppData\Local\Temp\55031.od

C:\Users\ADMINI~1\AppData\Local\Temp\CVRD6F7.tmp.cvr

C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

C:\Users\ADMINI~1\AppData\Local\Temp\~DF4FBD1279679237E9.TMP

C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Excel_restart.xml

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\287.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Public.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\e76f95de-9a60-474e-bc19-d357098c474a.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\hjnmlsfmmz.LNK

Files Read

C:\Users\ADMINI~1\AppData\Local\Temp\DFC2.tmp

C:\Users\Public\287.txt

C:\Users\Public\287.xls

C:\Windows\Microsoft.NET\Framework\

C:\Windows\Microsoft.NET\Framework\v2.0.50727

C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

Other

Created a name for a temporary file

Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

Obtained a set of FAT file system attributes for a file or directory

Obtained the current directory for the current process

Obtained the path of the Windows system directory

Retrieved the full path for the module

Retrieved the path of the directory designated for temporary files

Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\.

Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\.

Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*

Searched a directory for the name: C:\hjnmlsfmmz\e76f95de-9a60-474e-bc19-d357098c474a.xls

Registry Operations: 41

Registry Created

HKCU\Software\Microsoft\VBA\6.0\Common

Registry Opened

HKCR\Licenses

HKCR\TypeLib

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0\win32

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\409

HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\9

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0

HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32

HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf

HKCU\Software\Microsoft\.NETFramework

HKCU\Software\Microsoft\Office\12.0\Excel

HKLM\SOFTWARE\Microsoft\Fusion

HKLM\SOFTWARE\Microsoft\VBA\Monitors

HKLM\Software\Microsoft\.NETFramework

HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

HKLM\Software\Microsoft\VBA

HKLM\Software\Microsoft\Windows\CurrentVersion

Registry Read

Enumerated registry keys

HKCU\Software\Microsoft\Office\12.0\Excel DisableThreadAffinity

HKCU\Software\Microsoft\VBA\6.0\Common BackGroundCompile

HKCU\Software\Microsoft\VBA\6.0\Common BreakOnAllErrors

HKCU\Software\Microsoft\VBA\6.0\Common BreakOnServerErrors

HKCU\Software\Microsoft\VBA\6.0\Common CompileOnDemand

HKCU\Software\Microsoft\VBA\6.0\Common NotifyUserBeforeStateLoss

HKCU\Software\Microsoft\VBA\6.0\Common RequireDeclaration

HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks

HKLM\Software\Microsoft\.NETFramework InstallRoot

HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR

HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue

HKLM\Software\Microsoft\VBA Vbe6DllPath

HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir

Other

Enumerated the values for an open registry key

Process Operations: 27

Process Created

Process Name Module

"c:\windows\system32\certutil.exe" -decode c:\users\public\287.txt

c:\windows\system32\certutil.exe
c:\users\public\287a.txt

"c:\windows\system32\certutil.exe" -decodehex c:\users\public\287a.txt

c:\windows\system32\certutil.exe
c:\users\public\287.dll

c:\windows\system32\rundll32.exe "c:\windows\system32\rundll32.exe" c:\users\public\287.dll,d

{0E5AAE11-A475-4C5B-AB00-
C66DE400274E}

{1F486A52-3CB1-48FD-8F50-
B8DC300D9F9D}

{7B8A2D94-0AC9-11D1-896C-
00C04FB6BFC4}

{871C5380-42A0-1069-A2EA-
08002B30309D}

{88D969E5-F192-11D4-A65F-
0040963251E5}

{88D969EC-8B8B-4C3D-859E-
AF6CD158BE0F}

{88D969EF-F192-11D4-A65F-
0040963251E5}

{C1EE01F2-B3B6-4A6A-9DDD-
E988C088EC82}

{DFFACDC5-679F-4156-8947-
C5C76BC0B67F}

{FA445657-9379-11D6-B41A-
00065B83EE53}

Process killed

Ended itself and all of its threads

Thread Created

2f7e368f

65001f64

Other

Changed the protection attribute of process address: 0x2f8630dc, new attribute: Execute_Read

Changed the protection attribute of process address: 0x2f8630dc, new attribute: Execute_ReadWrite

Deactivated the activation context corresponding to the specified cookie

Initialized COM library for the current thread and set it in the concurrency mode

Install a new hook procedure (type: WH_KEYBOARD)

Install a new hook procedure (type: WH_MSGFILTER)

Obtained the contents of the specified variable from the environment block of the calling process

Obtained the identifier of the thread or process that created the specified window

Queried the activation context

Retrieved information on a specific string in the current activation context

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

Network Operations: 1

Socket Activities

Retrieved the name of the network resource associated with a local device

Other Operations: 6

Others

Initialized a critical section object and set the spin count for the critical section

Obtained the current system date and time in in Coordinated Universal Time (UTC) format

Obtained the system metric or system configuration setting

Recorded system information

Retrieved information about a locale specified by a identifier

Retrieved the current local date and time

certutil.exe

File Operations: 7

Files Created

File Name Access Mode File Attributes

C:\Users\Public\287.dll Write Normal

C:\Users\Public\287a.txt Write Normal

Files Deleted

C:\Windows\cerE3B8.tmp

C:\Windows\cerEF51.tmp

Files Read

C:\Windows

Other

Created a name for a temporary file

Retrieved the full path for the module

Process Operations: 2

Process killed

Ended itself and all of its threads

Other

Enabled an application to supersede the top-level exception handler

Other Operations: 3

Others

Obtained the current system date and time in in Coordinated Universal Time (UTC) format

Retrieved information about a locale specified by a identifier

Retrieved the current local date and time

rundll32.exe

Run-Time Dlls: 11
287.dll

dfdts.dll

dhcpcsvc.dll

iphlpapi.dll

kernel32.dll

normaliz.dll

ole32.dll

oleaut32.dll

rasapi32.dll

sensapi.dll

urlmon.dll

File Operations: 2

Other

Obtained a set of FAT file system attributes for a file or directory

Retrieved the full path for the module

Registry Operations: 50

Registry Created

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}\52-54-00-bc-78-23

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

Registry Opened

HKCR\AutoProxyTypes

HKCR\AutoProxyTypes\Application/x-internet-signup

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-78-23

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-B3AC-42A3-AA57-C69F699B075A}

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

HKLM\System\Setup

HKU\S-1-5-21-2969830022-2362906686-2146684197-500
HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

Registry Deleted

Key Value

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings AutoConfigURL

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyOverride

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyServer

Registry Modified

Key NewValue Type

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-
3 REG_DWORD
78-23\WpadDecision

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-
1 REG_DWORD
78-23\WpadDecisionReason

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-bc-
938F7A40 REG_BINARY
78-23\WpadDecisionTime

{CC771B05-B3AC-
HKCU\Software\Microsoft\windows\CurrentVersion\Internet
42A3-AA57- REG_SZ
Settings\Wpad\WpadLastNetwork
C69F699B075A}

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-
3 REG_DWORD
B3AC-42A3-AA57-C69F699B075A}\WpadDecision

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-
1 REG_DWORD
B3AC-42A3-AA57-C69F699B075A}\WpadDecisionReason

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-
938F7A40 REG_BINARY
B3AC-42A3-AA57-C69F699B075A}\WpadDecisionTime

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{CC771B05-
Network 2 REG_SZ
B3AC-42A3-AA57-C69F699B075A}\WpadNetworkName

HKU\S-1-5-21-2969830022-2362906686-2146684197-
500\Software\Microsoft\windows\CurrentVersion\Internet 46 REG_BINARY
Settings\Connections\DefaultConnectionSettings

HKU\S-1-5-21-2969830022-2362906686-2146684197-
500\Software\Microsoft\windows\CurrentVersion\Internet 46 REG_BINARY
Settings\Connections\SavedLegacySettings

HKU\S-1-5-21-2969830022-2362906686-2146684197-
0 REG_DWORD
500\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable

Registry Read

HKCR\AutoProxyTypes\Application/x-internet-signup Default

HKCR\AutoProxyTypes\Application/x-internet-signup DllFile

HKCR\AutoProxyTypes\Application/x-internet-signup FileExtensions

HKCR\AutoProxyTypes\Application/x-internet-signup Flags

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig Default

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig DllFile

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig FileExtensions

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig Flags

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad WpadLastNetwork

HKLM\System\Setup SystemSetupInProgress

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet
AutoConfigURL
Settings
HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet
ProxyEnable
Settings

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet
ProxyOverride
Settings

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet
ProxyServer
Settings

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet
DefaultConnectionSettings
Settings\Connections

HKU\S-1-5-21-2969830022-2362906686-2146684197-500\Software\Microsoft\windows\CurrentVersion\Internet
SavedLegacySettings
Settings\Connections

Process Operations: 21

Process Created

Process Name Module

c:\programdata\ui1\ui1.exe

{00000323-0000-0000-C000-000000000046}

{0000032A-0000-0000-C000-000000000046}

{A47979D2-C419-11D9-A5B4-001185AD2B89}

{DCB00C01-570F-4A9B-8D69-199FDBA5723B}

Process Opened

Process Name/Address PID/Process Name

Opened an existing service sens

Terminated an existing service's handle:sens

Process killed

Ended itself and all of its threads

Thread Created

75ef97be

75efe44f

Other

)"54515

Deactivated the activation context corresponding to the specified cookie

Decremented a thread's suspend count

Enabled an application to supersede the top-level exception handler

Established a connection to the service control manager and open the service control manager database

Initialized COM library for the current thread and set it in the concurrency mode

Obtained the current status of a service

Opened the access token associated with a process

Opened the access token associated with a thread

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

ffffffff
Network Operations: 39

DNS Queries

Translated a host name into an IP address

Translated a host name 207.154.235.218 into an IP address

Translated a host name WIN-AUPGCV3CTSS into an IP address

Translated a host name WPAD into an IP address

Socket Activities

Closed the socket

Controlled the I/O mode of the newly created socket

Converted a short value from TCP/IP network byte order to host byte order

Converted a short value from host to TCP/IP network byte order

Created a socket

IP:0.0.0.0, Port:0

IP:127.0.0.1, Port:0

IP:127.0.0.1, Port:46292

IP:207.154.235.218, Port:20480

Obtained information about a given networking service

Obtained information about next service in order of networking providers

Obtained the local name (address) for a socket

Received data from a connected or bound socket

Sent data on a connected socket

Other

Headers: , HeaderLength: 0, Optional: , OptionalLength: 0

Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/4.0; slcc2; .net clr 2.0.50727;
.net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; infopath.2; .net4.0c; .net4.0e), Access type: PRECONFIG Flags: PORT_NUMBER

Opened a HTTP or FTP session for a given site: 207.154.235.218

Retrieved the Internet connected state of the local system

Set an Internet option: 2

Set an Internet option: 2d

Set an Internet option: 3a

Set an Internet option: 3e

Set an Internet option: 41

Set an Internet option: 44

Set an Internet option: 49

Set an Internet option: 4a

Set an Internet option: 5

Set an Internet option: 56

Set an Internet option: 58

Set an Internet option: 6

Set an Internet option: 64

Set an Internet option: 65

Set an Internet option: 66

Set an Internet option: 6c

Verb: get, ObjectName: /campo/z/z, Version: , Referer: , Flags: 400010, Context: 610f40

Other Operations: 5

Others

Expanded environment-variable strings and replace them with the values defined for the current use

Initialized a critical section object and set the spin count for the critical section

Obtained information about an access token

Obtained the current system date and time in in Coordinated Universal Time (UTC) format

Retrieved the user's logon name

McAfee Active Response

Status: Product is not Available

Alert Analysis L1 External
No ratings yet
Alert Analysis L1 External
7 pages
SOC 200 Syllabus
No ratings yet
SOC 200 Syllabus
7 pages
Practical Malware Analysis - Part 2 Dynamic Analysis
No ratings yet
Practical Malware Analysis - Part 2 Dynamic Analysis
33 pages
Predictive Targeting Suite V2 Manual
No ratings yet
Predictive Targeting Suite V2 Manual
28 pages
Threat Analysis Report
No ratings yet
Threat Analysis Report
18 pages
Threat Analysis Report: Paymentinv
No ratings yet
Threat Analysis Report: Paymentinv
54 pages
Windows Defenses
No ratings yet
Windows Defenses
12 pages
Threat Analysis Report: Hash Values File Details Environment
No ratings yet
Threat Analysis Report: Hash Values File Details Environment
24 pages
Mitre ATT@CK Matrix - Windows Logging - Basic: High Confidence or Covereage Medium Confidence or Coverage
No ratings yet
Mitre ATT@CK Matrix - Windows Logging - Basic: High Confidence or Covereage Medium Confidence or Coverage
27 pages
2017 BSidesCharm DetectingtheElusive ActiveDirectoryThreatHunting Final
No ratings yet
2017 BSidesCharm DetectingtheElusive ActiveDirectoryThreatHunting Final
92 pages
Living Off Theland An APT Case Study
No ratings yet
Living Off Theland An APT Case Study
30 pages
2019 06 26 AntiEDR PDF
No ratings yet
2019 06 26 AntiEDR PDF
67 pages
Dechaining Macros and Evading EDR PDF
No ratings yet
Dechaining Macros and Evading EDR PDF
10 pages
Global Verdict Report 4
No ratings yet
Global Verdict Report 4
35 pages
2023 10 BluehatUS
No ratings yet
2023 10 BluehatUS
42 pages
1745213572774
No ratings yet
1745213572774
9 pages
Haboob Team: Windows Privilege Escalations
No ratings yet
Haboob Team: Windows Privilege Escalations
17 pages
Bsides Hunt-Or-Be-Hunted 2017
No ratings yet
Bsides Hunt-Or-Be-Hunted 2017
30 pages
Threat Analysis Report: Hash Values File Details Environment
No ratings yet
Threat Analysis Report: Hash Values File Details Environment
25 pages
Advanced Malware Analysis 2020
No ratings yet
Advanced Malware Analysis 2020
20 pages
Mitre Att&Ck - Enterprise
No ratings yet
Mitre Att&Ck - Enterprise
4,044 pages
Splunk Use Case.
No ratings yet
Splunk Use Case.
18 pages
Threat Analysis Report: Hash Values File Details Environment
No ratings yet
Threat Analysis Report: Hash Values File Details Environment
28 pages
Hunting For Privilege Escalation in Windows Environment
No ratings yet
Hunting For Privilege Escalation in Windows Environment
99 pages
Cheat Sheet For Windows Privilege Escalation
No ratings yet
Cheat Sheet For Windows Privilege Escalation
5 pages
Apt Attacks Map Government 2019
No ratings yet
Apt Attacks Map Government 2019
1 page
Sandbox Analysis Report: A N A L y S I S O V e R V I e W
No ratings yet
Sandbox Analysis Report: A N A L y S I S O V e R V I e W
24 pages
MITRE ATTCK Framework Spreadsheet
No ratings yet
MITRE ATTCK Framework Spreadsheet
11 pages
Hybrid Attack Matrix
No ratings yet
Hybrid Attack Matrix
16 pages
Table Top Exercise
No ratings yet
Table Top Exercise
32 pages
Threat Hunting Workshop Public
No ratings yet
Threat Hunting Workshop Public
58 pages
QRadar High Level Threat Cases
No ratings yet
QRadar High Level Threat Cases
6 pages
Abusing Privileged File Operations: Privilege Escalation Low-Hanging Fruits
No ratings yet
Abusing Privileged File Operations: Privilege Escalation Low-Hanging Fruits
21 pages
Windows & Active Directory Exploitation
No ratings yet
Windows & Active Directory Exploitation
30 pages
Windows Privilege Escalation
100% (1)
Windows Privilege Escalation
30 pages
CH1- Introduction to malware analysis-v1
No ratings yet
CH1- Introduction to malware analysis-v1
23 pages
Report
No ratings yet
Report
16 pages
APT HUNTER For Abnormalities
No ratings yet
APT HUNTER For Abnormalities
36 pages
Identification and Detection
No ratings yet
Identification and Detection
22 pages
Alert Rules
No ratings yet
Alert Rules
471 pages
0xcybery Github Io Blog Splunk Use Cases
No ratings yet
0xcybery Github Io Blog Splunk Use Cases
14 pages
Computer Forensics Presentation
No ratings yet
Computer Forensics Presentation
231 pages
Cobalt Strike (s0154)
No ratings yet
Cobalt Strike (s0154)
12 pages
Alissa Torres @sibertor #Sansenterprisesummit 3 Jun 2019
No ratings yet
Alissa Torres @sibertor #Sansenterprisesummit 3 Jun 2019
40 pages
Group Policy Object Settings
No ratings yet
Group Policy Object Settings
27 pages
manual_en
No ratings yet
manual_en
11 pages
EDDC5C6B045DD998AE1771131B6C51DA1548C2E7_report_va
No ratings yet
EDDC5C6B045DD998AE1771131B6C51DA1548C2E7_report_va
48 pages
Windows - Privilege Escalation - Internal All the Things
No ratings yet
Windows - Privilege Escalation - Internal All the Things
3 pages
WPE
No ratings yet
WPE
202 pages
Windows - Privilege Escalation
No ratings yet
Windows - Privilege Escalation
34 pages
6) CEH v12 - System Hacking & Malware Threats Notes
No ratings yet
6) CEH v12 - System Hacking & Malware Threats Notes
32 pages
The Advanced Persistent Threat: Lewis Brodnax Founding Principal, Talion LLC
No ratings yet
The Advanced Persistent Threat: Lewis Brodnax Founding Principal, Talion LLC
34 pages
Understanding Advanced Persistent Threat (APT)
No ratings yet
Understanding Advanced Persistent Threat (APT)
24 pages
Cybersecurity Analyst Logs Analysis Exercises
No ratings yet
Cybersecurity Analyst Logs Analysis Exercises
46 pages
060-003
No ratings yet
060-003
106 pages
Gpo Setting
No ratings yet
Gpo Setting
5 pages
Intrusion Detection Systems
No ratings yet
Intrusion Detection Systems
53 pages
ch2 3
No ratings yet
ch2 3
45 pages
Caldera APT3
No ratings yet
Caldera APT3
16 pages
Global Verdict Report
No ratings yet
Global Verdict Report
8 pages
HACKING WITH KALI LINUX PENETRATION TESTING: Mastering Ethical Hacking Techniques with Kali Linux (2024 Guide for Beginners)
From Everand
HACKING WITH KALI LINUX PENETRATION TESTING: Mastering Ethical Hacking Techniques with Kali Linux (2024 Guide for Beginners)
BARBARA HEATH
No ratings yet
Mosquitoes Investigation 2023
No ratings yet
Mosquitoes Investigation 2023
6 pages
Srs Document Demo
No ratings yet
Srs Document Demo
4 pages
Online Employee Payroll Management System Project
No ratings yet
Online Employee Payroll Management System Project
5 pages
TOS 22402 Winter 19th I SCHEME Paper Model Answer Paper
No ratings yet
TOS 22402 Winter 19th I SCHEME Paper Model Answer Paper
25 pages
Matlab Vs Mathematica: Forums Mathematics Math Software and Latex
No ratings yet
Matlab Vs Mathematica: Forums Mathematics Math Software and Latex
9 pages
FACP Power Supply QCDD 2022
No ratings yet
FACP Power Supply QCDD 2022
2 pages
Cyber Security
No ratings yet
Cyber Security
23 pages
Ic 8855
No ratings yet
Ic 8855
36 pages
1.0 Whole Numbers-Math 100
No ratings yet
1.0 Whole Numbers-Math 100
30 pages
It Is Suitability For Large Companies
No ratings yet
It Is Suitability For Large Companies
3 pages
TSX SCP 114 + Cable
No ratings yet
TSX SCP 114 + Cable
12 pages
Laporan Aktualisasi: by Raymond Mangapultua Janius Jansen
No ratings yet
Laporan Aktualisasi: by Raymond Mangapultua Janius Jansen
12 pages
SRS
No ratings yet
SRS
40 pages
Jitsi User Guide English
No ratings yet
Jitsi User Guide English
12 pages
Full download Test Bank for Network Security Essentials Applications and Standards, 5/E 5th Edition William Stallings pdf docx
100% (16)
Full download Test Bank for Network Security Essentials Applications and Standards, 5/E 5th Edition William Stallings pdf docx
42 pages
Naylor, Stoffel Et Al. 2008 - Why Isn't Our Chat Reference
No ratings yet
Naylor, Stoffel Et Al. 2008 - Why Isn't Our Chat Reference
13 pages
Seminar DevOPS Mohamed Nejjar SS23 03757306
No ratings yet
Seminar DevOPS Mohamed Nejjar SS23 03757306
57 pages
ITAI Report
No ratings yet
ITAI Report
32 pages
Photometer 4040: Manual Photometric System For Standard Cuvettes
No ratings yet
Photometer 4040: Manual Photometric System For Standard Cuvettes
2 pages
Getting Started With MySQL Command Line
No ratings yet
Getting Started With MySQL Command Line
8 pages
Free Charge
No ratings yet
Free Charge
3 pages
KBM255 Series 2018
No ratings yet
KBM255 Series 2018
4 pages
Final Report On Blood Donation Website
100% (1)
Final Report On Blood Donation Website
63 pages
Epson Printer LX310 Dot Matrix LX-310 LX 310
No ratings yet
Epson Printer LX310 Dot Matrix LX-310 LX 310
2 pages
Cambridge IGCSE: Computer Science 0478/21
No ratings yet
Cambridge IGCSE: Computer Science 0478/21
2 pages
ACER Veriton N4
No ratings yet
ACER Veriton N4
2 pages
SPR Time Table 23-24-4
No ratings yet
SPR Time Table 23-24-4
32 pages
v1 Covered
No ratings yet
v1 Covered
7 pages
MANSCI Systems of Linear Inequalities (R)
No ratings yet
MANSCI Systems of Linear Inequalities (R)
13 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.