Analysis

  • max time kernel
    60s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 21:08

General

  • Target

    27c6cf2923f57d8add450f2c8a37c8b242e5a707f90d7dee4498f42d18c2e064.xls

  • Size

    715KB

  • MD5

    80de205919577fea74c6f325dee78829

  • SHA1

    edc3a56394a3a3940f16efb1fb43147d16fbf92c

  • SHA256

    27c6cf2923f57d8add450f2c8a37c8b242e5a707f90d7dee4498f42d18c2e064

  • SHA512

    9f8e31aa87d63794cfc1779c2fa6c27dd687adcd5212d628531f6be6d201896e9a82191d11c057f8e52d518d4d005451d28c282cbe129be22ae7ca78e42e3906

  • SSDEEP

    12288:aRsUpcHnXXzNkRKFfsAqdlVDczXZejbeAQjSY4VTZoLtq57kWjuNMfK:aRsSc3DGUFfpqdUzXM/GjS/VTZoIP

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\27c6cf2923f57d8add450f2c8a37c8b242e5a707f90d7dee4498f42d18c2e064.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\tb5z7g55j2gp.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\tb5z7g55j2gp.cs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A73.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC69B2003885664EC3B5D84BA13B706AF5.TMP"
          4⤵
            PID:2540
        • C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2424
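
The process tree above is the whole story of this sample: EXCEL.EXE (opened with /dde by the sandbox) spawns cmd.exe, which hands a dropped C# source file (tb5z7g55j2gp.cs) to the .NET compiler csc.exe with /out: pointing into %APPDATA%\Microsoft, and then executes the freshly built xsdmlbgm3u8i.exe. The detection logic below is an added example, not part of the sandbox report or its tooling. It runs over constructed Sysmon Event ID 1 style process-creation records whose PIDs, images and command lines are copied from the tree (the parent PID 1000 of EXCEL.EXE is an assumption, since the report does not show it), and flags three things: a shell or compiler descended from an Office process, a compiler writing its output into a user-writable directory, and later execution of that compiled binary.

```python
"""Detect the Office -> cmd.exe -> csc.exe compile-and-run chain.
Added example; the EVENTS records are constructed from the report's process
tree, not captured telemetry."""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "jsc.exe", "msbuild.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed process-creation records mirroring the report's tree.
# PID 1000 is an assumed, unknown parent for EXCEL.EXE.
EVENTS = [
    {"pid": 2924, "ppid": 1000,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\27c6cf2923f57d8add450f2c8a37c8b242e5a707f90d7dee4498f42d18c2e064.xls'},
    {"pid": 2888, "ppid": 2924,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\tb5z7g55j2gp.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe"'},
    {"pid": 2884, "ppid": 2888,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\tb5z7g55j2gp.cs"'},
    {"pid": 2540, "ppid": 2884,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A73.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC69B2003885664EC3B5D84BA13B706AF5.TMP"'},
    {"pid": 2424, "ppid": 2888,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe"'},
]

# csc/vbc accept /out:"quoted path" or /out:path
OUT_RE = re.compile(r'/out:(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def csc_output(cmdline):
    """Return the lower-cased /out: target of a compiler command line, or None."""
    m = OUT_RE.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip('"').lower()


def ancestors(pid, by_pid):
    """Yield ancestor events from the parent upwards; stops at unknown PIDs or loops."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def detect(events):
    """Return (rule, pid) findings, in event order, for the compile-and-run chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    compiled = {}  # lower-cased /out: path -> compiler PID
    for ev in events:
        name = basename(ev["image"])
        office_parent = any(basename(a["image"]) in OFFICE
                            for a in ancestors(ev["pid"], by_pid))
        if office_parent and name in SHELLS | COMPILERS:
            findings.append(("office_spawned_shell_or_compiler", ev["pid"]))
        if name in COMPILERS:
            out = csc_output(ev["cmdline"])
            if out and any(d in out for d in USER_WRITABLE):
                findings.append(("compiler_output_in_user_writable_dir", ev["pid"]))
                compiled[out] = ev["pid"]
    # Second pass: a process whose image is a path csc just wrote is the payload.
    for ev in events:
        if ev["image"].lower() in compiled:
            findings.append(("compiled_binary_executed", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

Because csc.exe and cvtres.exe are Microsoft-signed binaries under C:\Windows, allow-listing by publisher or path does not stop this chain; the parent lineage (Office → cmd.exe → csc.exe) and a /out: target under AppData are the durable signals, and the cvtres.exe child with a RES*.tmp output is the normal side effect of csc linking resources, not a separate indicator.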

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES1A73.tmp

      Filesize

      1KB

      MD5

      e2cbcd36cb137e7df66c178918034ce9

      SHA1

      82ff6c39ecfbe3d0ddc711309f582a82de1a0d64

      SHA256

      1b7b56d256be107c7b210d657df5ec9f43d9934e7e3fdbc7c19633583f8443d6

      SHA512

      115001eb155b1ac7a6a1c6e6ab70d2dd24cf7b32c22869919c68abdcceb3b3f406f8e0d2f4a2e709574792839f19797b8c06754a1003cb1cf9bc155b15409ad8

    • \??\c:\Users\Admin\AppData\Roaming\Microsoft\CSC69B2003885664EC3B5D84BA13B706AF5.TMP

      Filesize

      1KB

      MD5

      7c22fb9a324d32c603b37b9cc6be1e6f

      SHA1

      e13fd676198703248f16f49f1e612eff8b0db997

      SHA256

      398c1d9da133d50bcf48fa2c0607ed313922410a134232f221f2e1d0c8bca7a5

      SHA512

      dfcf29c5ab4ab9117b3f68296cedc73d2713623e6094de535f709c8bb1f0bb81d041a9ac4fc94c4196526bb111151098d51462b34bd34d3055f72ceaf4e2ddbc

    • \??\c:\Users\Admin\AppData\Roaming\Microsoft\tb5z7g55j2gp.cs

      Filesize

      2KB

      MD5

      3d6a86624aed949ac6b72ecfac76ff6d

      SHA1

      bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94

      SHA256

      b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0

      SHA512

      b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae

    • \Users\Admin\AppData\Roaming\Microsoft\xsdmlbgm3u8i.exe

      Filesize

      6KB

      MD5

      e1a2bea739e0941384fbe6e1187ca3d7

      SHA1

      b024dbdae4e09f5447da018b9de8834f37b84277

      SHA256

      cc21b9cd57fc8c38ee1a84fdcf8d72cebe7a291791da17b604de3cc30f80c032

      SHA512

      08afc26b3facc5ff71ac4a0d07891d234a4fca6e4f9e95536efc0f8befeaad56972472a40043cbf48bcdfc96858724d43420670142b229c4a68ace88e69aac52

    • memory/2424-44-0x00000000001F0000-0x00000000001F8000-memory.dmp (Filesize 32KB)
    • memory/2924-18-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-13-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-27-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-31-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-30-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-28-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-26-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-25-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-24-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-23-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-22-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-21-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-20-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
    • memory/2924-17-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-15-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-14-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-29-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-12-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-11-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-10-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-9-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-8-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-7-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-6-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-5-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-16-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-3-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-2-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-4-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)
    • memory/2924-1-0x00000000722CD000-0x00000000722D8000-memory.dmp (Filesize 44KB)
    • memory/2924-45-0x00000000722CD000-0x00000000722D8000-memory.dmp (Filesize 44KB)
    • memory/2924-46-0x0000000000630000-0x0000000000730000-memory.dmp (Filesize 1024KB)