Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
  • submitted
    08/08/2023, 07:39

General

  • Target

    new-order PI-No202307110.XLS.docx

  • Size

    11KB

  • MD5

    ed203e9a95bb5aed220c02e3e41840aa

  • SHA1

    5b90a10971c35a3f45e58e122c0e25e4049cbb98

  • SHA256

    4338ea7febcb6a73ff3a463dc3ff90d8330bfd2cd6d5f760dfe5516c74bdba69

  • SHA512

    9aeafbe447f47a30ebea465fc759f5dc27fb18c49ac5ff34d23075f04f4943f2f95a56a462840c0e12a5636b1cf937308f8041359bc43a00c9e34e5f3cf3c2be

  • SSDEEP

    192:mya0NnReBWk4N5eNA2A+EnVs+mg1SoBOJYaO36PvdrK16LvnY93cWeszUyDjB:myXnReBWku5+A2bkBdBOJYaOqPg6Lw9Z

Score
10/10

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 1 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new-order PI-No202307110.XLS.docx"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1696
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Roaming\kobee951587.exe
        "C:\Users\Admin\AppData\Roaming\kobee951587.exe"
        2⤵
        • Checks QEMU agent file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2900

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7B4EB0C-F852-428F-9695-617BEB7A8938}.FSD

            Filesize

            128KB

            MD5

            0d1f62481159ff870f99ccf6d45aa30a

            SHA1

            3b3b33a5d4811f472dd7d8f04bf11dda7ed33449

            SHA256

            157ac81271ab3a6aea7c6d3fb73a1fa257cc8e2a8069087806cfcce839460da6

            SHA512

            25ac83f6ae390ec051218600c2c8c290a992950fb0348d5a179d75ca2e24931205baf9a13d9ccd81d7b271157a07407f77614d458d98fbb286afccac7819af5a

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7B4EB0C-F852-428F-9695-617BEB7A8938}.FSD

            Filesize

            128KB

            MD5

            b20b6cc5acd993a22506b2966c172667

            SHA1

            eb6468ad3456bbfc4da1c852e5d1f323dd731d53

            SHA256

            f787bfb84e7311fcf4352066feef9916728145c78eed08606d95687607cd5b36

            SHA512

            7ffcdbfdabbaef08b2b97293ba199d5d72ce995ced792693f95adaa123e2697d8bf2b5618a42adf511cd00b878116130c9b3ea69897d183469567bfb2f155a15

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

            Filesize

            128KB

            MD5

            53d8fe731b94b4da46e059d1636f0098

            SHA1

            4229d4df9cf633b7fefa01874f24d8b6f2fb16af

            SHA256

            a7aa14cdb47f54f3de32587cc95c493d93d2412626903b589c1848d08a627bf8

            SHA512

            0e17695ed1e034ceaf077c42b95fc100d10c5445c664a6a4e5ff2e32386de9f0aaaf1d3461bafdd3787a05a90cca08101d052214d9931fadb44c7bdea21637d5

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\kobeezx[1].doc

            Filesize

            80KB

            MD5

            822ca31c5b8abc31d5b81fa02278907f

            SHA1

            a105e79b85f8bb3c7c66a50af1c7b3f8a21ef5ea

            SHA256

            8b5a7b79e5537e3f9bc64570f0671948ca33f7a8c979e74be718669c1e20f075

            SHA512

            05bb5930df8265a49fee5fd31c12b9fcef94d96280fa7725a737c42f2821831759fe8b8410adc7729c50d0f73936d214a34a4bafc2c255adfa0d964b8a31d3bb

          • C:\Users\Admin\AppData\Local\Temp\nsoD5C7.tmp\System.dll

            Filesize

            11KB

            MD5

            9625d5b1754bc4ff29281d415d27a0fd

            SHA1

            80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

            SHA256

            c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

            SHA512

            dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

          • C:\Users\Admin\AppData\Local\Temp\{BD83628D-EAAB-4663-BFF0-A927DF68FFCA}

            Filesize

            128KB

            MD5

            14332caff184fd188a5c0445ca069986

            SHA1

            b1d1dbb282ae2f0db016bc20814576207f6b352d

            SHA256

            e09d30c4b14a7fcc334c243676e1a12f0509c49734b3164c57c4704246ee4a42

            SHA512

            59e8dd567a95d749c97a0f0e5ba31505d0dbfffbb268d4b711fae9959b07b3eb3d883030b4f4f242e7fd1e2044f0cfef10f665a2689bcc3ea4024f9595e0c4a7

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            36d5589496aab235dac498d692b997fa

            SHA1

            921c32739e3b756c48e88f7369b2168ff125aba7

            SHA256

            7b838896ab9b3d9a560785f172eb2c36115ff1b5229d0990aa48beb30e2fa2f9

            SHA512

            3c047ec4773bb0acd83d6af120fcfd8220afc69656f40054b29016fac579540fe612f16ee88ff0351df53b85531f3d1be572f9de04464ce4ca11758cf688bcbf

          • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          • C:\Users\Admin\AppData\Roaming\kobee951587.exe

            Filesize

            476KB

            MD5

            f9523a569eaa47e6ce6dc10c9b07117b

            SHA1

            01859c3360b613e1d8663b8edb702bea32ef65cc

            SHA256

            2e97f4d6bf16c0c918f48301129830bf11639ac0090c6eb937b126345fcc2185

            SHA512

            453345710c0cb4f047e05f4b4af112866b9355f885b3d257c83cd75ed4943050d90a7c85b3d186bf81860a2e43d0ebde5b8cbcb7f315d19aee11b81484a9311b

          • \Users\Admin\AppData\Local\Temp\nsoD5C7.tmp\System.dll

            Filesize

            11KB

            MD5

            9625d5b1754bc4ff29281d415d27a0fd

            SHA1

            80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

            SHA256

            c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

            SHA512

            dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

          • \Users\Admin\AppData\Roaming\kobee951587.exe

            Filesize

            476KB

            MD5

            f9523a569eaa47e6ce6dc10c9b07117b

            SHA1

            01859c3360b613e1d8663b8edb702bea32ef65cc

            SHA256

            2e97f4d6bf16c0c918f48301129830bf11639ac0090c6eb937b126345fcc2185

            SHA512

            453345710c0cb4f047e05f4b4af112866b9355f885b3d257c83cd75ed4943050d90a7c85b3d186bf81860a2e43d0ebde5b8cbcb7f315d19aee11b81484a9311b

          • memory/1708-54-0x000000002F830000-0x000000002F98D000-memory.dmp

            Filesize

            1.4MB

          • memory/1708-209-0x00000000718ED000-0x00000000718F8000-memory.dmp

            Filesize

            44KB

          • memory/1708-56-0x00000000718ED000-0x00000000718F8000-memory.dmp

            Filesize

            44KB

          • memory/1708-178-0x000000002F830000-0x000000002F98D000-memory.dmp

            Filesize

            1.4MB

          • memory/1708-179-0x00000000718ED000-0x00000000718F8000-memory.dmp

            Filesize

            44KB

          • memory/1708-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/1708-208-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2900-180-0x0000000002CD0000-0x00000000052F6000-memory.dmp

            Filesize

            38.1MB

          • memory/2900-183-0x0000000002CD0000-0x00000000052F6000-memory.dmp

            Filesize

            38.1MB

          • memory/2900-182-0x0000000077D00000-0x0000000077DD6000-memory.dmp

            Filesize

            856KB

          • memory/2900-181-0x0000000077B10000-0x0000000077CB9000-memory.dmp

            Filesize

            1.7MB

          • memory/2900-168-0x0000000002CD0000-0x00000000052F6000-memory.dmp

            Filesize

            38.1MB