Analysis

  • max time kernel
    115s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2022, 11:41

General

  • Target

    Simeco S.p.A.xls

  • Size

    285KB

  • MD5

    f911620da03d1a0823802a62ea14dd05

  • SHA1

    fc04fde755435abe408394e615d0826b341f217e

  • SHA256

    d3a83e36983a73c189d4c13431e71d468295ff3f3d7147b5e3122c42f18fa932

  • SHA512

    fad1cd84233939136768d69c82b22598dc9b54e9616c7c3051dc15b32238ae7cf7b3d1cf54ec8171d9dc83bb6c6213af51bd67406cd57238b1deb12fef2acf2d

  • SSDEEP

    6144:X3TmryppSyi3Fj23sx4wBnZ6kjAuO/sOTF8b2ED1+2vv8nKudv:nTmrypQyMRfxbnZ6kj6/L6ZDnluN

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Simeco S.p.A.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1416
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1792

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Public\vbc.exe
    • Filesize
      1.0MB
    • MD5
      9052d06c6ac53471f8496263f8fef2eb
    • SHA1
      73016558c8353509b15cd757063816369e9abfa7
    • SHA256
      736330aaa3a4683d3cc866153510763351a60062a236d22b12f4fe0f10853582
    • SHA512
      84837f8c708a8e51fcc611c3035c5676ff527d5b132398d935c77ac737035bef9c27dd6010188d6c96b7d1b02ff8dc41a3f50c487f42348bd0f3d016164fa7fc
  • \Users\Public\vbc.exe
    • Filesize
      1.0MB
    • MD5
      9052d06c6ac53471f8496263f8fef2eb
    • SHA1
      73016558c8353509b15cd757063816369e9abfa7
    • SHA256
      736330aaa3a4683d3cc866153510763351a60062a236d22b12f4fe0f10853582
    • SHA512
      84837f8c708a8e51fcc611c3035c5676ff527d5b132398d935c77ac737035bef9c27dd6010188d6c96b7d1b02ff8dc41a3f50c487f42348bd0f3d016164fa7fc

  • memory/1416-58-0x0000000075E81000-0x0000000075E83000-memory.dmp
    • Filesize
      8KB
  • memory/1416-57-0x000000007227D000-0x0000000072288000-memory.dmp
    • Filesize
      44KB
  • memory/1416-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    • Filesize
      64KB
  • memory/1416-54-0x000000002F731000-0x000000002F734000-memory.dmp
    • Filesize
      12KB
  • memory/1416-55-0x0000000071291000-0x0000000071293000-memory.dmp
    • Filesize
      8KB
  • memory/1416-68-0x000000007227D000-0x0000000072288000-memory.dmp
    • Filesize
      44KB
  • memory/1416-69-0x000000005FFF0000-0x0000000060000000-memory.dmp
    • Filesize
      64KB
  • memory/1416-70-0x000000007227D000-0x0000000072288000-memory.dmp
    • Filesize
      44KB