Analysis Overview
SHA256
6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760
Threat Level: Known bad
The file 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Office document contains embedded OLE objects
Launches Equation Editor
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-05 11:23
Signatures
Office document contains embedded OLE objects
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-05 11:23
Reported
2023-08-05 11:25
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/4720-133-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-135-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-134-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-136-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-137-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-140-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-138-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-139-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-141-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-142-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-143-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-144-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-145-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-146-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-147-0x00007FFAA8CC0000-0x00007FFAA8CD0000-memory.dmp
memory/4720-148-0x00007FFAA8CC0000-0x00007FFAA8CD0000-memory.dmp
memory/4720-149-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-150-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-151-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-152-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-153-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-154-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-155-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-156-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-166-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
memory/4720-170-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8BED6E60.emf
| MD5 | a01b9617553432807b9b58025b338d97 |
| SHA1 | 439bdcc450408b9735b2428c2d53d2e6977fa58c |
| SHA256 | 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce |
| SHA512 | 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee |
memory/4720-203-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-204-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-205-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-206-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp
memory/4720-207-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-05 11:23
Reported
2023-08-05 11:25
Platform
win7-20230712-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Guloader, Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches Equation Editor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2948 wrote to memory of 2484 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe |
| PID 2948 wrote to memory of 2484 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe |
| PID 2948 wrote to memory of 2484 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe |
| PID 2948 wrote to memory of 2484 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe
"C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 198.46.176.189:80 | 198.46.176.189 | tcp |
Files
memory/1136-55-0x0000000073ECD000-0x0000000073ED8000-memory.dmp
memory/1136-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe
| MD5 | 08defe80ace1f032875c8127ae5e4481 |
| SHA1 | 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4 |
| SHA256 | ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062 |
| SHA512 | 09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7 |
C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe
| MD5 | 08defe80ace1f032875c8127ae5e4481 |
| SHA1 | 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4 |
| SHA256 | ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062 |
| SHA512 | 09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7 |
\Users\Admin\AppData\Local\Temp\nso8161.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
memory/2484-81-0x00000000037A0000-0x0000000004417000-memory.dmp
memory/1136-82-0x0000000073ECD000-0x0000000073ED8000-memory.dmp
memory/2484-83-0x00000000037A0000-0x0000000004417000-memory.dmp
memory/1136-89-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2398AB6F.emf
| MD5 | a01b9617553432807b9b58025b338d97 |
| SHA1 | 439bdcc450408b9735b2428c2d53d2e6977fa58c |
| SHA256 | 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce |
| SHA512 | 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee |
memory/1136-104-0x0000000073ECD000-0x0000000073ED8000-memory.dmp