Analysis

  • max time kernel
    47s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 22:08

General

  • Target
    ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd.xls
  • Size
    715KB
  • MD5
    25222a9cd85a1d7f0916f4464b1e9980
  • SHA1
    c9d7c303bdf62d738cc047b45d1cbcdda11369f5
  • SHA256
    ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd
  • SHA512
    5cc9383762f6b934d6df972e7a7f8b8c5c2c0249307cfccc5fe382efb7e64306eef3f0c1eb34c0b82e9e27d2832ad2a3b3b25cf174d6433f88ddfaae9a7a04dd
  • SSDEEP
    12288:jRsUpcHnXXzNkRKFfsAqdlVDczXZejbeAQjSY4VTZoLtq57kWjuNMfK:jRsSc3DGUFfpqdUzXM/GjS/VTZoIP

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\3kb0oclfvpwt.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\y23d9haycy40.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\3kb0oclfvpwt.exe"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\3kb0oclfvpwt.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\y23d9haycy40.cs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21E2.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC32B8003583264E1D857751D5B2E5CAF.TMP"
          4⤵
            PID:1968
        • C:\Users\Admin\AppData\Roaming\Microsoft\3kb0oclfvpwt.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\3kb0oclfvpwt.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2980

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES21E2.tmp
    Filesize
    1KB
    MD5
    3e02e53b46c4102b7fb4ab0a64717d75
    SHA1
    9c3610c8c43fbfde471c6f00b226fdc60cced895
    SHA256
    709e4d29fa2ba0d2527271af9cc8787a8bbb2da8b465b84332c304390183efb6
    SHA512
    6edfffc3129d67906383c7f3e0f4d262535390c16931cd47c5527c3629af573674c6490852b719a3b2e06b2be67b440f3633327f08d2111a0e8484bd1b26f63b

  • \??\c:\Users\Admin\AppData\Roaming\Microsoft\CSC32B8003583264E1D857751D5B2E5CAF.TMP
    Filesize
    1KB
    MD5
    30031965f311599eb66dae8d34c4fa31
    SHA1
    b931c26d5834c9e043ffa030099b6d1743bb2bed
    SHA256
    e6ffadb9776ebb378c62ad4950c5de7fd33145b6d4abfcc3cc050c4e84e91854
    SHA512
    8ce18f5ba94d4fd7912b5bdff2e4aa6b861424d1f3cebccb1051613e38d5b7fcd26f27ba15964d1a55e5533a7841c9f2c0616130e8f0f990b2d2e9fa13dbe54c

  • \??\c:\Users\Admin\AppData\Roaming\Microsoft\y23d9haycy40.cs
    Filesize
    2KB
    MD5
    3d6a86624aed949ac6b72ecfac76ff6d
    SHA1
    bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94
    SHA256
    b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0
    SHA512
    b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae

  • \Users\Admin\AppData\Roaming\Microsoft\3kb0oclfvpwt.exe
    Filesize
    6KB
    MD5
    a2109afc2495b774745494b322d386f4
    SHA1
    963c2e94257cd9d554aa2ba727693a00125d9394
    SHA256
    3783578830391f8e9733337f06da896d360c937da8acdf4fea60604423c92ec1
    SHA512
    f9c5874757189252393ca20df6329393fb426d61befeb0532810256a4a004597b721a1c5c331f2022077e828af1321235e8df57f7bafa5a69282683bb21e5107

  • memory/2388-16-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-13-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-29-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-28-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-27-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-26-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-23-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-24-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-22-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-20-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-21-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-19-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-18-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-17-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2388-15-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-14-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-2-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-12-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-11-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-10-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-9-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-8-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-7-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-6-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-5-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-4-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-25-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-31-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-32-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-3-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-1-0x000000007258D000-0x0000000072598000-memory.dmp
    Filesize
    44KB
  • memory/2388-46-0x0000000000630000-0x0000000000730000-memory.dmp
    Filesize
    1024KB
  • memory/2388-45-0x000000007258D000-0x0000000072598000-memory.dmp
    Filesize
    44KB
  • memory/2980-44-0x0000000000EF0000-0x0000000000EF8000-memory.dmp
    Filesize
    32KB