794a461bc31edd239cbcf6674f684cbcb4480c3408959b536ae79817a5746f22

General

Target

c3c5e6436dd5a4c69e2c814a17916a60e7d41dca2673334ffcbe7c14245a240d.xlsx
Size

1.3MB
MD5

cde25f0fe36009df516dd5429e1e257d
SHA1

a1efe73056cbac3852d3c4162f1763e0fef915a3
SHA256

c3c5e6436dd5a4c69e2c814a17916a60e7d41dca2673334ffcbe7c14245a240d
SHA512

674e35ed14037d8ecc08f3cccacf97c0f385a36dc4ffd25187d802a7fc0a267a2c56a2c39826c6c520589946adca72d10b611afec56285a4f011e50f7f865c6e
SSDEEP

24576:OZeECzadHbcd8uuA6Hf+fo5QORYobtpdBaPHZoCHdknG3rrGzsm:OZeECquv4f+EDW63bauCHGG3r+p

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1184	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1432	word.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	EQNEDT32.EXE
1184	EQNEDT32.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1184	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1168	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1432	1184	EQNEDT32.EXE	30
PID 1184 wrote to memory of 1432	1184	EQNEDT32.EXE	30
PID 1184 wrote to memory of 1432	1184	EQNEDT32.EXE	30
PID 1184 wrote to memory of 1432	1184	EQNEDT32.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c3c5e6436dd5a4c69e2c814a17916a60e7d41dca2673334ffcbe7c14245a240d.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
  2⤵
  - Executes dropped EXE
  PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\word.exe

Filesize
798KB

MD5
883fafa7566aa63f901894e573cbaa62

SHA1
b5deee5b11ede4638a9245d8627672191acc9780

SHA256
a98868f0c3748d841f36b146b3f08636808225e97092620c41ad39b479ffb209

SHA512
f43f9f0049c1dc57369612f0b41da02cf6c88f2fc4ba974a2f6e736dd1d8c6b21294192abef2591743e5bc08644c785fcabb7023406c99066b8db514ed554642

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
798KB

MD5
883fafa7566aa63f901894e573cbaa62

SHA1
b5deee5b11ede4638a9245d8627672191acc9780

SHA256
a98868f0c3748d841f36b146b3f08636808225e97092620c41ad39b479ffb209

SHA512
f43f9f0049c1dc57369612f0b41da02cf6c88f2fc4ba974a2f6e736dd1d8c6b21294192abef2591743e5bc08644c785fcabb7023406c99066b8db514ed554642

Download Submit
\Users\Admin\AppData\Roaming\word.exe

Filesize
798KB

MD5
883fafa7566aa63f901894e573cbaa62

SHA1
b5deee5b11ede4638a9245d8627672191acc9780

SHA256
a98868f0c3748d841f36b146b3f08636808225e97092620c41ad39b479ffb209

SHA512
f43f9f0049c1dc57369612f0b41da02cf6c88f2fc4ba974a2f6e736dd1d8c6b21294192abef2591743e5bc08644c785fcabb7023406c99066b8db514ed554642

Download Submit
\Users\Admin\AppData\Roaming\word.exe

Filesize
798KB

MD5
883fafa7566aa63f901894e573cbaa62

SHA1
b5deee5b11ede4638a9245d8627672191acc9780

SHA256
a98868f0c3748d841f36b146b3f08636808225e97092620c41ad39b479ffb209

SHA512
f43f9f0049c1dc57369612f0b41da02cf6c88f2fc4ba974a2f6e736dd1d8c6b21294192abef2591743e5bc08644c785fcabb7023406c99066b8db514ed554642

Download Submit
memory/1168-57-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/1168-60-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/1168-58-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1168-54-0x000000002FF21000-0x000000002FF24000-memory.dmp

Filesize
12KB

Download
memory/1168-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1168-55-0x0000000071C11000-0x0000000071C13000-memory.dmp

Filesize
8KB

Download
memory/1432-66-0x0000000000B90000-0x0000000000C5C000-memory.dmp

Filesize
816KB

Download
memory/1432-68-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing