Analysis
- max time kernel: 70s
- max time network: 28s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 10:03
- Static task: static1
- Behavioral task: behavioral1 (Sample: 55467CY.xlsm, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: 55467CY.xlsm, Resource: win10v20201028)
General
- Target: 55467CY.xlsm
- Size: 2.8MB
- MD5: 736c9bf1bbf0332f1acf1967fc1470e7
- SHA1: 40a3360c60fc0714581e5b32c7f6c3b7727da2f0
- SHA256: 3bb7c47aa4dbab2d785c8058555788595be24c6c021fe03fd6b2ecce8730dff1
- SHA512: b5ed20a6421cead68f2d0ad43f680172b695cbd8a0c1234f8be9cea21c360130095131f8f8fe1fe2c60355beab49cf60b909176b31031ab15f1bb1ee0bc63990
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cscript.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1136 | 596 | cscript.exe | EXCEL.EXE
- Blacklisted process makes network request (4 IoCs)
  Processes: cscript.exe (pid 1136), cscript.exe (pid 1552)
  flow | pid | process
  5 | 1136 | cscript.exe
  6 | 1136 | cscript.exe
  7 | 1552 | cscript.exe
  8 | 1552 | cscript.exe
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Launches Equation Editor (1 TTPs, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes: EXCEL.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
- NTFS ADS (1 IoC)
  Processes: EXCEL.EXE
  description | ioc | process
  File created | C:\programdata\asc.txt:script1.vbs | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  596 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE
  pid | process
  596 | EXCEL.EXE
  596 | EXCEL.EXE
  596 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: EQNEDT32.EXE, cmd.exe, EXCEL.EXE, wscript.exe, cmd.exe
  Each row below was recorded four times, giving the 20 IoCs in total.
  description | pid | process | target process | count
  PID 1416 wrote to memory of 1548 | 1416 | EQNEDT32.EXE | cmd.exe | 4
  PID 1548 wrote to memory of 756 | 1548 | cmd.exe | wscript.exe | 4
  PID 596 wrote to memory of 1136 | 596 | EXCEL.EXE | cscript.exe | 4
  PID 756 wrote to memory of 832 | 756 | wscript.exe | cmd.exe | 4
  PID 832 wrote to memory of 1552 | 832 | cmd.exe | cscript.exe | 4
Processes
- [depth 1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\55467CY.xlsm
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\system32\cscript.exe" C:\programdata\asc.txt:script1.vbs
    - Process spawned unexpected child process
    - Blacklisted process makes network request
- [depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REn %tmp%\q v& WsCrIpT %tmp%\v?..wsf C
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\wscript.exe
      Command line: WsCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\cscript.exe
          Command line: cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          - Blacklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\q
  MD5: 2c71ad890a32569a4b550c08c0861b0b
  SHA1: e46d93575d2cf63ab180fabfbe00a907a760bde6
  SHA256: 3bb59dd037b3301cd3da143505f6afda1f7375520b5c603f433448d3824321a2
  SHA512: 31a89a754caa806e59840ef31816c9e40e4ed68a3b8343f7237e7ab35f42abef7f9042c71eea3d9a98a37c45cf0e44637bcfb73bb5ece663ad5e341e532b694b
- C:\Users\Admin\AppData\Local\Temp\xx
  MD5: d91cb2e96a98fffe2026a86da0d9b33f
  SHA1: 1aa4f6c6cad9f88cc94e1d070d3d39c40b7bef2b
  SHA256: a41e03554adfdd012b2ba71308c8f6659a6678779877f77126d9578c1221e778
  SHA512: b95009cfed6ef1600d0c6cb30a4e9118539be6438a9039d113399b8b752f24c315c91d989c1fbb512adf579d55cc6bb4a1a764fa680a8da45518497cc15b99d6
- C:\programdata\asc.txt:script1.vbs
  MD5: f1dd122be3ca4cd8c9ae1655b19d3f8b
  SHA1: 10d651834a3f41cfe6e3ccdf88b7f45cdf5cc748
  SHA256: d08d66c0b0ab25e27c1046f60627cc12ba3ff95a7561c1f6f51544f951adfe34
  SHA512: 8976d0dadb81374794a7bcecd361e26d7a96e64685a917b3602a71788b3bb85cff2ceff4c803b14b7a3927f91488c3caffcdb12069b4b2bcc706fe0394aaf4c8
- memory/756-2-0x0000000000000000-mapping.dmp
- memory/756-8-0x0000000002750000-0x0000000002754000-memory.dmp (Filesize: 16KB)
- memory/832-6-0x0000000000000000-mapping.dmp
- memory/1136-5-0x0000000000000000-mapping.dmp
- memory/1136-10-0x0000000002540000-0x0000000002544000-memory.dmp (Filesize: 16KB)
- memory/1548-0-0x0000000000000000-mapping.dmp
- memory/1552-9-0x0000000000000000-mapping.dmp
- memory/1552-11-0x0000000002650000-0x0000000002654000-memory.dmp (Filesize: 16KB)