3e5b04cddcb498e326ca7d8b33ebb059bee74be59e6bb45e4c9cbc41035ba926

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 21:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e3985f8c3913b62f0b13971cc422c4c.exe
Size

1.1MB
MD5

3e3985f8c3913b62f0b13971cc422c4c
SHA1

016fbc610241853411012588aa05a7c06bb9aa74
SHA256

3e5b04cddcb498e326ca7d8b33ebb059bee74be59e6bb45e4c9cbc41035ba926
SHA512

42b2896b0e459518453309d5aa210e995a2204deeeb533c1c274790252295f1360dbc973cc6e70afb6bed6a7793c285291ccbe6db5f00a60e00e22d47d6902c5
SSDEEP

24576:jRDH21jZx4yGr00CA+WfPNRlzL9EqnhUAjHqGomd5I2UsQyK0POem:jRHwjQyGtCA+WPN3fGAgmd5PU5YOem

Score

8^/10

macro

Malware Config

Signatures

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00090000000162d1-36.dat

Executes dropped EXE 1 IoCs

pid	Process
2184	3e3985f8c3913b62f0b13971cc422c4c.exe

Loads dropped DLL 4 IoCs

pid	Process
1592	3e3985f8c3913b62f0b13971cc422c4c.exe
1592	3e3985f8c3913b62f0b13971cc422c4c.exe
1592	3e3985f8c3913b62f0b13971cc422c4c.exe
2184	3e3985f8c3913b62f0b13971cc422c4c.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1592	3e3985f8c3913b62f0b13971cc422c4c.exe
2184	3e3985f8c3913b62f0b13971cc422c4c.exe
2648	3e3985f8c3913b62f0b13971cc422c4c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2184	1592	3e3985f8c3913b62f0b13971cc422c4c.exe	28
PID 1592 wrote to memory of 2184	1592	3e3985f8c3913b62f0b13971cc422c4c.exe	28
PID 1592 wrote to memory of 2184	1592	3e3985f8c3913b62f0b13971cc422c4c.exe	28
PID 1592 wrote to memory of 2184	1592	3e3985f8c3913b62f0b13971cc422c4c.exe	28
PID 2184 wrote to memory of 2648	2184	3e3985f8c3913b62f0b13971cc422c4c.exe	29
PID 2184 wrote to memory of 2648	2184	3e3985f8c3913b62f0b13971cc422c4c.exe	29
PID 2184 wrote to memory of 2648	2184	3e3985f8c3913b62f0b13971cc422c4c.exe	29
PID 2184 wrote to memory of 2648	2184	3e3985f8c3913b62f0b13971cc422c4c.exe	29

C:\Users\Admin\AppData\Local\Temp\3e3985f8c3913b62f0b13971cc422c4c.exe
"C:\Users\Admin\AppData\Local\Temp\3e3985f8c3913b62f0b13971cc422c4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\3e3985f8c3913b62f0b13971cc422c4c.exe
  "C:\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\3e3985f8c3913b62f0b13971cc422c4c.exe" cmd/CallFromZipBase /C:\Users\Admin\AppData\Local\Temp\3e3985f8c3913b62f0b13971cc422c4c.exe /69632 /112828 /228641 /1131850 /C:\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\ /0 /8993 /0 /
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\3e3985f8c3913b62f0b13971cc422c4c.exe
    "C:\Users\Admin\AppData\Local\Temp\3e3985f8c3913b62f0b13971cc422c4c.exe" cmd/del /C:\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\ /0 /0 /
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\FileAddZip.tmp

Filesize
881KB

MD5
2dd8c33ac260c39074bc5d44a36decd5

SHA1
b1367b1c8b00401320bd60d2854377b9613237d7

SHA256
b47fa774dd51f617412d5a4f3d2d832ed87fb17810cda588bc573adb56aa5e28

SHA512
3f95c210cd18a572fdc3d61ceb37052cbc7ee0b23955052a0c51b14d34b9b9b74109fda1cb76e3cd3cdedec880c431cf6d0d572a9eca278368735718c63e1dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\XLtoEXEtmp\JaarRooster.xlsm

Filesize
986KB

MD5
e3fd7813d901af80b9eaab3a037d33e2

SHA1
e308e4349b465c78f5b4e846effd93c2ceb400fe

SHA256
ecc0274e7f2a7ebd9a351625add6f31893f4d608e7aab21deed39484932f1f75

SHA512
d3b9f89fb3852a7560a51102dd75866e59ff779dbd819678b7262b7e9e0abb33ff82876bb6392b4ee78bc052b53fc049e1c972657c15fc9a66c0bb4b8ec61365

Download Submit
\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\3e3985f8c3913b62f0b13971cc422c4c.exe

Filesize
324KB

MD5
85191ce8108dd35e4fa4ced031e8db40

SHA1
c6ab377bbcf6a44786c100242695207e3d1f44fd

SHA256
55f1ef2fa4a682de432f8b06a56352f52d332277c4efdc76a35ca950bb4e6c2f

SHA512
a58313a59c871ecdca5c8d4d0e52c528f5f08d2a1cad4e094fe039a4fe42a412f08f8e2b06009a0de77b2a39f71f2bece50aa563f836a1f50b0494426ce942b4

Download Submit
\Users\Admin\AppData\Local\Temp\XLtoEXE231226211322_tmp\zlib123.dll

Filesize
72KB

MD5
4efaa53c545f4ffb1ee0ed1709c15ea7

SHA1
076b2d31e24fe8cfb56f9c292fd6ca1402be79b2

SHA256
21582b3a68e8753322a1b1c7e550ae7fd305de4935de68fbde9f87570f484d00

SHA512
7fa8c0954729ea14fdceb788393c3de6e139fc4c480b84183863f62afacec2d6bbc0993b601a4a74c87bc89338b627dc37a18be309d090bae880ea10ab9d7314

Download Submit