b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware-sample-library-master/APT28 FancyBear/APT28DropperExcelDoc.xls
Size

1.1MB
MD5

5debb3535cba6615526c64e44d0f5e2b
SHA1

abaa744d9504c7f23a237f8220ac6a441016d518
SHA256

5bac7a020f173d6c35f73d76cd3745a36564dbb3dd32f2d5fc5021c353e76a54
SHA512

4435f4deebc2f03c3a5659d1a870699d22fdb52525829373cf3bc0592db04da967e14f1e3f001b1cc0b974f8bddb96887480bcb7f14f3172caba1382866676c0
SSDEEP

12288:/bkdb1vJu/xtIIcnIE9A3HfOoV+4qF2KhaLZA6H/EHagqNC9:TkdbVJupvSmHfOoaF2KhaLZTx89

Score

10^/10

defense_evasion discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2900	840	certutil.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2780	Z4U8K1S8.exe

Loads dropped DLL 2 IoCs

pid	Process
840	EXCEL.EXE
840	EXCEL.EXE

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2900	certutil.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z4U8K1S8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
840	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	Z4U8K1S8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
840	EXCEL.EXE
840	EXCEL.EXE
840	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2900	840	EXCEL.EXE	31
PID 840 wrote to memory of 2900	840	EXCEL.EXE	31
PID 840 wrote to memory of 2900	840	EXCEL.EXE	31
PID 840 wrote to memory of 2900	840	EXCEL.EXE	31
PID 840 wrote to memory of 2780	840	EXCEL.EXE	33
PID 840 wrote to memory of 2780	840	EXCEL.EXE	33
PID 840 wrote to memory of 2780	840	EXCEL.EXE	33
PID 840 wrote to memory of 2780	840	EXCEL.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DropperExcelDoc.xls"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe
  2⤵
  - Process spawned unexpected child process
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt

Filesize
691KB

MD5
1b330a7f7cc348ce408c10b64c79a5e8

SHA1
e82ee9c54b78df69404f3fa75f8a3f703b72cb70

SHA256
4e77c794ccd2cb3a0139ce07f70e170b15bc1e618ac6959797cec889048b5005

SHA512
7a077b90802e020edbd545ed5726f1339052422026d9f3438592c35099ce1b168a8d2d2a6f3845ecb6422f54f388611f53c013ddaec74182ab98b7bd6b35682e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

Filesize
518KB

MD5
ba78410702f0cc8453da1afbb2a8b670

SHA1
1083245ac66d4261f526d18d4eac79a7dbd72989

SHA256
9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91

SHA512
7433785795c68faa74b2d34b734cf4c4564940fbe21cb9ddd6c0251378455a9ded4595055059d42b73e8cdbfe59f16b4b4d4100fcca94a440bb9520f4572f74b

Download Submit
memory/840-46-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-28-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-37-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-36-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/840-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/840-44-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-38-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-47-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/840-29-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-1-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/840-54-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/840-55-0x0000000006400000-0x0000000006500000-memory.dmp

Filesize
1024KB

Download
memory/840-56-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download