Analysis

  • max time kernel
    46s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 21:01

General

  • Target

    427513c6e926fc67016a526c42facadfa808daf63d5c7cff7d3f9db34f03c0a0.xls

  • Size

    715KB

  • MD5

    e7236f3218970ac3539474a3be8107c0

  • SHA1

    0bb76c01e0f1cb2cf41e9d41bd2610224338367d

  • SHA256

    427513c6e926fc67016a526c42facadfa808daf63d5c7cff7d3f9db34f03c0a0

  • SHA512

    6634d0a50385d54d2b5565fe040fad7827b4066dd7f865993f904f7c12040e933e0ccc8d0c25bf3feac0565e62089ea1b8cd3abd7ced4fd285433d8b66c52f74

  • SSDEEP

    12288:3RsUpcHnXXzNkRKFfsAqdlVDczXZejbeAQjSY4VTZoLtq57kWjuNMfK:3RsSc3DGUFfpqdUzXM/GjS/VTZoIP

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\427513c6e926fc67016a526c42facadfa808daf63d5c7cff7d3f9db34f03c0a0.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\rjgapo6xq4ry.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\m29mbtug6cz4.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\rjgapo6xq4ry.exe"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\rjgapo6xq4ry.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\m29mbtug6cz4.cs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C80.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC3864E30C48BA4714BDF8C34CB79ECE7.TMP"
          4⤵
            PID:2884
        • C:\Users\Admin\AppData\Roaming\Microsoft\rjgapo6xq4ry.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\rjgapo6xq4ry.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:320

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES7C80.tmp

      Filesize

      1KB

      MD5

      a00e4ed397fb5da5811d155ff7b859e1

      SHA1

      b0b2235f9f6655815f6f537093d42cf3f53ef211

      SHA256

      12f171189e37d356487aa8068db40ca68deb9fda0aa45ef1563019201b0a5be0

      SHA512

      aa23c1394d0202bb1da84a3ab4fbc1895b8c1c64d865963a35e3c14d4ebb4663f7bfb43b76f637ea05291f3a4f78aea48fed8145706d780f1d86c2dc3cb5004b

    • \??\c:\Users\Admin\AppData\Roaming\Microsoft\CSC3864E30C48BA4714BDF8C34CB79ECE7.TMP

      Filesize

      1KB

      MD5

      ad6ee490cec8222373877a00999755ce

      SHA1

      cdab227b38d1e90ab8938881c6ad58b7af8bf3bf

      SHA256

      c4009f50d21533b7eea8b3fe4e7d117de95593a6013f2b6919845680384508e2

      SHA512

      6e20eeaeeeb0affe0ccfbc6691aa3749b1ba20e369a320b4e7166c2eb4c532e0793366b5ddc1c93987cf18d96fd8896f64f2aaf182f67f9be71abe2df0b01b68

    • \??\c:\Users\Admin\AppData\Roaming\Microsoft\m29mbtug6cz4.cs

      Filesize

      2KB

      MD5

      3d6a86624aed949ac6b72ecfac76ff6d

      SHA1

      bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94

      SHA256

      b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0

      SHA512

      b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae

    • \Users\Admin\AppData\Roaming\Microsoft\rjgapo6xq4ry.exe

      Filesize

      6KB

      MD5

      3df49fadc71f487e3865bc40fc554849

      SHA1

      80f65288b52a75e1eab8c44ffe5b42d86a3ebc06

      SHA256

      e79534b811b4a0fbbf3b791cb3e925f3ee4f1e92d4e731bfd9095152c161a84b

      SHA512

      ed49f60f1bf8112126a6d3c189daf04029983e231d2481a7f2c570300d7b224495f1dda23a30d7b2db394570bafec7fe55dfd01c401bb33e67c01c2fef129da3

    • memory/320-44-0x00000000008E0000-0x00000000008E8000-memory.dmp

      Filesize

      32KB

    • memory/2984-24-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-19-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-21-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-7-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-6-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-5-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-10-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-30-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-29-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-28-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-26-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-27-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-25-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2984-23-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-22-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-20-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-8-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-18-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-17-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-15-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-14-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-13-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-12-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-9-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-4-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-2-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-11-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-32-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-3-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB

    • memory/2984-1-0x0000000072AFD000-0x0000000072B08000-memory.dmp

      Filesize

      44KB

    • memory/2984-45-0x0000000072AFD000-0x0000000072B08000-memory.dmp

      Filesize

      44KB

    • memory/2984-46-0x00000000006C0000-0x00000000007C0000-memory.dmp

      Filesize

      1024KB