132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d

General

Target

MV FORTUNE TRADER.xlsx
Size

2.4MB
MD5

b9d2e20a706f5dccd80cbfca09685732
SHA1

b3d2b8eaa620398c83ff203c3c705d03dad55288
SHA256

132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d
SHA512

4c03476532bf33d64c42c9d2758ec1b55812869881586d83bd76b7f0887c2333cf0e71867fbe87cedaa6d985cc448612ce4e3df0a2a8dad177f5afe94faae66a

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1724 EQNEDT32.EXE
8 1724 EQNEDT32.EXE
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1724 EQNEDT32.EXE

flow	pid	process
6	1724	EQNEDT32.EXE
8	1724	EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1724	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

296 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1724 EQNEDT32.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

296 EXCEL.EXE
296 EXCEL.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

296 EXCEL.EXE
296 EXCEL.EXE
296 EXCEL.EXE
296 EXCEL.EXE

pid	process
296	EXCEL.EXE

pid	process
1724	EQNEDT32.EXE

pid	process
296	EXCEL.EXE
296	EXCEL.EXE

pid	process
296	EXCEL.EXE
296	EXCEL.EXE
296	EXCEL.EXE
296	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\MV FORTUNE TRADER.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:296

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious behavior: GetForegroundWindowSpam
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-2-0x000000002F851000-0x000000002F854000-memory.dmp

Filesize
12KB

Download
memory/296-3-0x0000000071771000-0x0000000071773000-memory.dmp

Filesize
8KB

Download
memory/296-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/880-6-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp

Filesize
2.5MB

Download
memory/1724-5-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1724-7-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing