6f8debb6acde9b5b878188327ea348102cc125e8f72245f79fb39967821a91fa

General

Target

OMSMarineServices_order.xlsx
Size

466KB
MD5

24bd4a3d25c469bb138fb16e587dbf02
SHA1

563d37fde327ea4fb70fa3959079f72161711722
SHA256

6f8debb6acde9b5b878188327ea348102cc125e8f72245f79fb39967821a91fa
SHA512

cb05bdf0fb51ef2fe2a7f93f2c32f3a8ebe3c720642052c2cdc1eda9ba3c5bcd555187d890df5f41d83229d0081a874c1ae6c1e2252a30880dd1450cf1bbd883

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 2004 EQNEDT32.EXE
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1032 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2004 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	2004	EQNEDT32.EXE

pid	process
1032	vbc.exe

pid	process
2004	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2004 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2004	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

772 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exepowershell.exe

pid process

1032 vbc.exe
1032 vbc.exe
1724 powershell.exe
1724 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1032 vbc.exe
Token: SeDebugPrivilege 1724 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

772 EXCEL.EXE
772 EXCEL.EXE
772 EXCEL.EXE

pid	process
772	EXCEL.EXE

pid	process
1032	vbc.exe
1032	vbc.exe
1724	powershell.exe
1724	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1032	vbc.exe
Token: SeDebugPrivilege	1724	powershell.exe

pid	process
772	EXCEL.EXE
772	EXCEL.EXE
772	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 2004 wrote to memory of 1032	2004	EQNEDT32.EXE	vbc.exe
PID 2004 wrote to memory of 1032	2004	EQNEDT32.EXE	vbc.exe
PID 2004 wrote to memory of 1032	2004	EQNEDT32.EXE	vbc.exe
PID 2004 wrote to memory of 1032	2004	EQNEDT32.EXE	vbc.exe
PID 1032 wrote to memory of 1724	1032	vbc.exe	powershell.exe
PID 1032 wrote to memory of 1724	1032	vbc.exe	powershell.exe
PID 1032 wrote to memory of 1724	1032	vbc.exe	powershell.exe
PID 1032 wrote to memory of 1724	1032	vbc.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\OMSMarineServices_order.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:772

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\vbc.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
646779120efc366e99baa0192686792c

SHA1
e21d0d024da6b35e54eac701c90b842e7eee03fc

SHA256
dc3c1973fe3b70968950859dfeb566fd92b3a7eb50dcd3517fcb193202c3022b

SHA512
12b5f4d55c0bb23e7c169feb04147de174d05fd4fba8ed9293b5e40055a64832b48716127484bd4e6e77c0f4b9bd0a221a63eea661415243efd6d6e722bfa00c

Download Submit
C:\Users\Public\vbc.exe
MD5
646779120efc366e99baa0192686792c

SHA1
e21d0d024da6b35e54eac701c90b842e7eee03fc

SHA256
dc3c1973fe3b70968950859dfeb566fd92b3a7eb50dcd3517fcb193202c3022b

SHA512
12b5f4d55c0bb23e7c169feb04147de174d05fd4fba8ed9293b5e40055a64832b48716127484bd4e6e77c0f4b9bd0a221a63eea661415243efd6d6e722bfa00c

Download Submit
\Users\Public\vbc.exe
MD5
646779120efc366e99baa0192686792c

SHA1
e21d0d024da6b35e54eac701c90b842e7eee03fc

SHA256
dc3c1973fe3b70968950859dfeb566fd92b3a7eb50dcd3517fcb193202c3022b

SHA512
12b5f4d55c0bb23e7c169feb04147de174d05fd4fba8ed9293b5e40055a64832b48716127484bd4e6e77c0f4b9bd0a221a63eea661415243efd6d6e722bfa00c

Download Submit
memory/772-61-0x0000000071981000-0x0000000071983000-memory.dmp

Filesize
8KB

Download
memory/772-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/772-60-0x000000002F151000-0x000000002F154000-memory.dmp

Filesize
12KB

Download
memory/772-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1032-77-0x0000000004EC5000-0x0000000004ED6000-memory.dmp

Filesize
68KB

Download
memory/1032-68-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1032-70-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1032-71-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1032-65-0x0000000000000000-mapping.dmp

Download
memory/1032-73-0x0000000005B90000-0x0000000005C01000-memory.dmp

Filesize
452KB

Download
memory/1032-74-0x0000000005C10000-0x0000000005C79000-memory.dmp

Filesize
420KB

Download
memory/1724-75-0x0000000000000000-mapping.dmp

Download
memory/1724-83-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1724-78-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1724-79-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1724-80-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/1724-81-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1724-82-0x00000000011E2000-0x00000000011E3000-memory.dmp

Filesize
4KB

Download
memory/1724-116-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/1724-86-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/1724-91-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/1724-92-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1724-93-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/1724-100-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1724-101-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/1724-115-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/2004-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads