40b5ae97c036d45073b6edfcabbd4f5fe1a577d2e21f57282c09ebe2d32b7492

General

Target

Invoice_41292673.xlsm
Size

72KB
MD5

50269b5e8f60e3847888544e68368f3c
SHA1

3b8d2e2087d1936a6dd08013ef1c8a344dbc3515
SHA256

40b5ae97c036d45073b6edfcabbd4f5fe1a577d2e21f57282c09ebe2d32b7492
SHA512

ed2731137742827c315b2447072a40c5e0970b790397a8e43bbb5c94a4739fadd41046965b268ce2a390a9b2d2a95304df461dd8ea890a99d1613b698d3fa747

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1300	1832	mshta.exe	EXCEL.EXE

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

6 1300 mshta.exe
8 1300 mshta.exe
10 1300 mshta.exe
12 1300 mshta.exe
14 1300 mshta.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
6	1300	mshta.exe
8	1300	mshta.exe
10	1300	mshta.exe
12	1300	mshta.exe
14	1300	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1832 EXCEL.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXE

pid process

1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE

pid	process
1832	EXCEL.EXE

pid	process
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEmshta.exe

description	pid	process	target process
PID 1832 wrote to memory of 1300	1832	EXCEL.EXE	mshta.exe
PID 1832 wrote to memory of 1300	1832	EXCEL.EXE	mshta.exe
PID 1832 wrote to memory of 1300	1832	EXCEL.EXE	mshta.exe
PID 1832 wrote to memory of 1300	1832	EXCEL.EXE	mshta.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe
PID 1300 wrote to memory of 928	1300	mshta.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_41292673.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\mshta.exe
mshta C:\ProgramData//theArrowHeadWidthMedium.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\ProgramData\qMacrosheetCell.dll,AddLookaside
3⤵
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qMacrosheetCell.dll
MD5
4eaf02c6e7ea048e3764e33f03ed2dca

SHA1
53cec5dcb05631f058d59c8b9cfc00f228bbd3f2

SHA256
29311dabf4eb8d373c363cf8f36accc33f36148415d9d2034f67f67356802d0d

SHA512
522226fa94b3558a1488d6000c9d22a4449f181fb00012d1a4f9b2fa0168de0b9dd593fd31cbee3ed330956f193eeab7f5ccce152a3e54c1d1c08fb5a8b7407b

Download Submit
C:\ProgramData\theArrowHeadWidthMedium.sct
MD5
51b13f4b56ba397816961014310ca8a0

SHA1
04534df3ed3cf696e4933f0bb1f99cffe4e6d4c5

SHA256
dbe391199095cc0b06885c1f5133f1ec23d8cdc48ba9973997b0ffa14ef369ab

SHA512
c71817fc6a3b58e7d132445d55530055cb7726b0294a5536b0ce0a42cdd90b756fffb1c2bf41d3b96b5c897b4e1cda68bebcf0686cf4cda62244e895d40719b9

Download Submit
memory/928-65-0x0000000000000000-mapping.dmp

Download
memory/928-66-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1300-63-0x0000000000000000-mapping.dmp

Download
memory/1832-60-0x000000002FCE1000-0x000000002FCE4000-memory.dmp

Filesize
12KB

Download
memory/1832-61-0x0000000070E31000-0x0000000070E33000-memory.dmp

Filesize
8KB

Download
memory/1832-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads