Analysis

  • max time kernel
    146s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:39

General

  • Target

    7af7596221989569fd75cd4ede98c88b661a2cb8d8011f52c6a5654a1487fe93.xlsm

  • Size

    48KB

  • MD5

    f3406ab209f8610badf05c1d36e6336b

  • SHA1

    4dd919c217d65147e9a8535f6c3cdc3b07f78e08

  • SHA256

    7af7596221989569fd75cd4ede98c88b661a2cb8d8011f52c6a5654a1487fe93

  • SHA512

    335af7a29732c74e071bb0f2e0ad2293b44a88c8e7120b5a7d25827139f9b6c23db6bc28dc6dc5538f90d7ff8e9cf059160949cf6aedc6d03aaf9a3611864bc1

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7af7596221989569fd75cd4ede98c88b661a2cb8d8011f52c6a5654a1487fe93.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1420
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
        2⤵
        • Process spawned unexpected child process
        PID:1300
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ren %tmp%\mm v&wSCRIPT %tmp%\v?..wsf  C
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Windows\SysWOW64\wscript.exe
          wSCRIPT C:\Users\Admin\AppData\Local\Temp\v?..wsf  C
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Windows\SysWOW64\cscript.exe
              cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
              5⤵
                PID:924

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Exploitation for Client Execution (T1203) 1
  • Defense Evasion
    Modify Registry (T1112) 1
  • Discovery
    System Information Discovery (T1082) 2
    Query Registry (T1012) 1
Downloads

  • C:\Users\Admin\AppData\Local\Temp\mm
    Filesize: 983B
    MD5: fde5e6528cf18d3aded95c861ac71f2c
    SHA1: 17b7229e5b2568987ecb0281d4d5e715458465c9
    SHA256: f7cc30bbe11b915a22511ac3696ba2040cb0d6bdae4dd07280ec6f16ecb6bfb3
    SHA512: d601fd98bf9761c3c39bd6764f428916221cee35cee982b4bdb1537cb29e5cfd18090e618a84d89ff20899b689a88bbdfd9438378a9307f2259cc131683e04cb

  • C:\Users\Admin\AppData\Local\Temp\xx
    Filesize: 9KB
    MD5: e79b3be9940df7089fe581ef9c1e7f03
    SHA1: 5bd474f8217ae1599c66cff77a6bdecddf9b1938
    SHA256: 1a1b52b650b414d63ef4bcfed13a37792d7c72c1c780a42a2d7f08e20f3b708b
    SHA512: 55f8912def840ac8e96bfcec83b868799c4503b642237cafd10d13f0773eaa496f65da2ac46de163ccf2b25c8c383026c974918f717be202da326cff57f3ace9

  • C:\programdata\asc.txt:script1.vbs
    Filesize: 8KB
    MD5: a1c4f0251804ced51750bb65df79a0ac
    SHA1: a56a48365da02dc7a65e043361b3883e432fc29f
    SHA256: 757a396d7d2e6f1b81ca2469e16dc09b69fc2366999dd6771503f294f074a992
    SHA512: b4da8e9469bc824af5d024ea3a62ba2e5c12c7d813acb2fdeae78a0394b49a3fcd8a43fb92731fa35dd7c847c37dfa5899affbc837a11eda60e678ea609017e9

  • memory/872-57-0x000000007284D000-0x0000000072858000-memory.dmp
    Filesize: 44KB

  • memory/872-58-0x00000000768D1000-0x00000000768D3000-memory.dmp
    Filesize: 8KB

  • memory/872-54-0x000000002F921000-0x000000002F924000-memory.dmp
    Filesize: 12KB

  • memory/872-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/872-55-0x0000000071861000-0x0000000071863000-memory.dmp
    Filesize: 8KB

  • memory/904-62-0x0000000000000000-mapping.dmp
  • memory/924-69-0x0000000000000000-mapping.dmp
  • memory/992-60-0x0000000000000000-mapping.dmp
  • memory/1300-72-0x0000000000000000-mapping.dmp
  • memory/1420-67-0x0000000000000000-mapping.dmp
  • memory/1420-71-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp
    Filesize: 8KB

  • memory/1928-68-0x0000000000000000-mapping.dmp