3bb7c47aa4dbab2d785c8058555788595be24c6c021fe03fd6b2ecce8730dff1

General

Target

55467CY.xlsm
Size

2.8MB
MD5

736c9bf1bbf0332f1acf1967fc1470e7
SHA1

40a3360c60fc0714581e5b32c7f6c3b7727da2f0
SHA256

3bb7c47aa4dbab2d785c8058555788595be24c6c021fe03fd6b2ecce8730dff1
SHA512

b5ed20a6421cead68f2d0ad43f680172b695cbd8a0c1234f8be9cea21c360130095131f8f8fe1fe2c60355beab49cf60b909176b31031ab15f1bb1ee0bc63990

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1136	596	cscript.exe	EXCEL.EXE

Blacklisted process makes network request 4 IoCs

Processes:

cscript.execscript.exe

flow pid process

5 1136 cscript.exe
6 1136 cscript.exe
7 1552 cscript.exe
8 1552 cscript.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1416 EQNEDT32.EXE

flow	pid	process
5	1136	cscript.exe
6	1136	cscript.exe
7	1552	cscript.exe
8	1552	cscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1416	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\programdata\asc.txt:script1.vbs EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

596 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

596 EXCEL.EXE
596 EXCEL.EXE
596 EXCEL.EXE

description	ioc	process
File created	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

pid	process
596	EXCEL.EXE

pid	process
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EQNEDT32.EXEcmd.exeEXCEL.EXEwscript.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 1548	1416	EQNEDT32.EXE	cmd.exe
PID 1416 wrote to memory of 1548	1416	EQNEDT32.EXE	cmd.exe
PID 1416 wrote to memory of 1548	1416	EQNEDT32.EXE	cmd.exe
PID 1416 wrote to memory of 1548	1416	EQNEDT32.EXE	cmd.exe
PID 1548 wrote to memory of 756	1548	cmd.exe	wscript.exe
PID 1548 wrote to memory of 756	1548	cmd.exe	wscript.exe
PID 1548 wrote to memory of 756	1548	cmd.exe	wscript.exe
PID 1548 wrote to memory of 756	1548	cmd.exe	wscript.exe
PID 596 wrote to memory of 1136	596	EXCEL.EXE	cscript.exe
PID 596 wrote to memory of 1136	596	EXCEL.EXE	cscript.exe
PID 596 wrote to memory of 1136	596	EXCEL.EXE	cscript.exe
PID 596 wrote to memory of 1136	596	EXCEL.EXE	cscript.exe
PID 756 wrote to memory of 832	756	wscript.exe	cmd.exe
PID 756 wrote to memory of 832	756	wscript.exe	cmd.exe
PID 756 wrote to memory of 832	756	wscript.exe	cmd.exe
PID 756 wrote to memory of 832	756	wscript.exe	cmd.exe
PID 832 wrote to memory of 1552	832	cmd.exe	cscript.exe
PID 832 wrote to memory of 1552	832	cmd.exe	cscript.exe
PID 832 wrote to memory of 1552	832	cmd.exe	cscript.exe
PID 832 wrote to memory of 1552	832	cmd.exe	cscript.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\55467CY.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" C:\programdata\asc.txt:script1.vbs
2⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
PID:1136

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c REn %tmp%\q v& WsCrIpT %tmp%\v?..wsf C
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\wscript.exe
WsCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
3⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
5⤵
- Blacklisted process makes network request
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\q
MD5
2c71ad890a32569a4b550c08c0861b0b

SHA1
e46d93575d2cf63ab180fabfbe00a907a760bde6

SHA256
3bb59dd037b3301cd3da143505f6afda1f7375520b5c603f433448d3824321a2

SHA512
31a89a754caa806e59840ef31816c9e40e4ed68a3b8343f7237e7ab35f42abef7f9042c71eea3d9a98a37c45cf0e44637bcfb73bb5ece663ad5e341e532b694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx
MD5
d91cb2e96a98fffe2026a86da0d9b33f

SHA1
1aa4f6c6cad9f88cc94e1d070d3d39c40b7bef2b

SHA256
a41e03554adfdd012b2ba71308c8f6659a6678779877f77126d9578c1221e778

SHA512
b95009cfed6ef1600d0c6cb30a4e9118539be6438a9039d113399b8b752f24c315c91d989c1fbb512adf579d55cc6bb4a1a764fa680a8da45518497cc15b99d6

Download Submit
C:\programdata\asc.txt:script1.vbs
MD5
f1dd122be3ca4cd8c9ae1655b19d3f8b

SHA1
10d651834a3f41cfe6e3ccdf88b7f45cdf5cc748

SHA256
d08d66c0b0ab25e27c1046f60627cc12ba3ff95a7561c1f6f51544f951adfe34

SHA512
8976d0dadb81374794a7bcecd361e26d7a96e64685a917b3602a71788b3bb85cff2ceff4c803b14b7a3927f91488c3caffcdb12069b4b2bcc706fe0394aaf4c8

Download Submit
memory/756-2-0x0000000000000000-mapping.dmp

Download
memory/756-8-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/832-6-0x0000000000000000-mapping.dmp

Download
memory/1136-5-0x0000000000000000-mapping.dmp

Download
memory/1136-10-0x0000000002540000-0x0000000002544000-memory.dmp

Filesize
16KB

Download
memory/1548-0-0x0000000000000000-mapping.dmp

Download
memory/1552-9-0x0000000000000000-mapping.dmp

Download
memory/1552-11-0x0000000002650000-0x0000000002654000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads