Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    05/08/2023, 11:23

General

  • Target

    6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls

  • Size

    1.7MB

  • MD5

    d7ffa2f0230caaa0ef7834fdbfdc1467

  • SHA1

    43c9a03ad4268e89fb22e57969ea912efcdbb1fa

  • SHA256

    6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760

  • SHA512

    e37d66848add3cd981c7eb523462ca76ccf938ed3594b1e70b906220f2a57bef7622ce975142645019db48e4da2c14983165a99dbb45a3c56912afb1f22e6486

  • SSDEEP

    49152:0QmmQ30Tupp6VLQmmQ3085n6VkiNhv3tBUXDnHgk6EDS:0pmQkTamLpmQkomkMhKDl6

Score
10/10

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 8 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1136
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe
      "C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2484

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2398AB6F.emf

          Filesize

          1.4MB

          MD5

          a01b9617553432807b9b58025b338d97

          SHA1

          439bdcc450408b9735b2428c2d53d2e6977fa58c

          SHA256

          7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

          SHA512

          312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

        • C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

          Filesize

          376KB

          MD5

          08defe80ace1f032875c8127ae5e4481

          SHA1

          2d7ba957be6c89cd3633a63dfd8e925a90d40bd4

          SHA256

          ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062

          SHA512

          09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7

        • C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

          Filesize

          376KB

          MD5

          08defe80ace1f032875c8127ae5e4481

          SHA1

          2d7ba957be6c89cd3633a63dfd8e925a90d40bd4

          SHA256

          ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062

          SHA512

          09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7

        • C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

          Filesize

          376KB

          MD5

          08defe80ace1f032875c8127ae5e4481

          SHA1

          2d7ba957be6c89cd3633a63dfd8e925a90d40bd4

          SHA256

          ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062

          SHA512

          09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7

        • \Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

          Filesize

          376KB

          MD5

          08defe80ace1f032875c8127ae5e4481

          SHA1

          2d7ba957be6c89cd3633a63dfd8e925a90d40bd4

          SHA256

          ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062

          SHA512

          09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7

        • \Users\Admin\AppData\Local\Temp\nso8161.tmp\System.dll

          Filesize

          11KB

          MD5

          3f176d1ee13b0d7d6bd92e1c7a0b9bae

          SHA1

          fe582246792774c2c9dd15639ffa0aca90d6fd0b

          SHA256

          fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

          SHA512

          0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

        • memory/1136-55-0x0000000073ECD000-0x0000000073ED8000-memory.dmp

          Filesize

          44KB

        • memory/1136-82-0x0000000073ECD000-0x0000000073ED8000-memory.dmp

          Filesize

          44KB

        • memory/1136-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1136-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1136-104-0x0000000073ECD000-0x0000000073ED8000-memory.dmp

          Filesize

          44KB

        • memory/2484-81-0x00000000037A0000-0x0000000004417000-memory.dmp

          Filesize

          12.5MB

        • memory/2484-83-0x00000000037A0000-0x0000000004417000-memory.dmp

          Filesize

          12.5MB