Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 05/08/2023, 11:23
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
  - Resource: win7-20230712-en
Behavioral task
- behavioral2
  - Sample: 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
  - Resource: win10v2004-20230703-en
General
- Target: 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
- Size: 1.7MB
- MD5: d7ffa2f0230caaa0ef7834fdbfdc1467
- SHA1: 43c9a03ad4268e89fb22e57969ea912efcdbb1fa
- SHA256: 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760
- SHA512: e37d66848add3cd981c7eb523462ca76ccf938ed3594b1e70b906220f2a57bef7622ce975142645019db48e4da2c14983165a99dbb45a3c56912afb1f22e6486
- SSDEEP: 49152:0QmmQ30Tupp6VLQmmQ3085n6VkiNhv3tBUXDnHgk6EDS:0pmQkTamLpmQkomkMhKDl6
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Blocklisted process makes network request (1 IoCs)
  flow | pid  | Process
  3    | 2948 | EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  pid  | Process
  2484 | IBS_Cortana.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  2948 | EQNEDT32.EXE
  2484 | IBS_Cortana.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (8 IoCs)
  resource                                    | yara_rule
  behavioral1/files/0x00060000000162e4-68.dat | nsis_installer_1
  behavioral1/files/0x00060000000162e4-68.dat | nsis_installer_2
  behavioral1/files/0x00060000000162e4-67.dat | nsis_installer_1
  behavioral1/files/0x00060000000162e4-67.dat | nsis_installer_2
  behavioral1/files/0x00060000000162e4-71.dat | nsis_installer_1
  behavioral1/files/0x00060000000162e4-71.dat | nsis_installer_2
  behavioral1/files/0x00060000000162e4-72.dat | nsis_installer_1
  behavioral1/files/0x00060000000162e4-72.dat | nsis_installer_2
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid  | Process
  2948 | EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid  | Process
  1136 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid  | Process
  1136 | EXCEL.EXE (5 identical rows)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process      | procid_target
  PID 2948 wrote to memory of 2484 | 2948 | EQNEDT32.EXE | 29 (4 identical rows)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID:1136, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID:2948, depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe (PID:2484, depth 2, child of PID 2948)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: a01b9617553432807b9b58025b338d97
  SHA1: 439bdcc450408b9735b2428c2d53d2e6977fa58c
  SHA256: 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
  SHA512: 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee
- Filesize: 376KB
  MD5: 08defe80ace1f032875c8127ae5e4481
  SHA1: 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
  SHA256: ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
  SHA512: 09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7
- Filesize: 11KB
  MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
  SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
  SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
  SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6