024ef55d8112d913021e2f8e38294052c40d177062afebc1b462f396c86c297b

Resubmissions

29/01/2024, 04:39

240129-e973taabe9 10

29/01/2024, 02:55

29/01/2024, 01:55

29/01/2024, 01:50

29/01/2024, 01:26

Analysis

max time kernel
188s
max time network
197s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
29/01/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

excel40macroschallenge.rar
Size

103KB
MD5

542ead021ed9ecab2f5b6ff0edaf2f74
SHA1

f1a509cb6dc15534a0b7ee29486789557a434941
SHA256

024ef55d8112d913021e2f8e38294052c40d177062afebc1b462f396c86c297b
SHA512

d2e1514a891db86ec6275ffcb6f44503cedf9e4560d200eeefc3fe047e08c7769de1892b92ee71fe4663720652eb509a55c29e24e82d6deb8dbe5a741cd9cb95
SSDEEP

1536:r6diRoyzKi0WAx5elOHwxvhuQcLE6/Q59VGqITfVuy03FD+/mUtzBxr:xutnmOQxvqEPHVZILVK1D+eUtX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	7zFM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2532	7zFM.exe
Token: 35	2532	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	7zFM.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 2532	204	cmd.exe	74
PID 204 wrote to memory of 2532	204	cmd.exe	74

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\excel40macroschallenge.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:204
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\excel40macroschallenge.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...