Analysis
- max time kernel: 236s
- max time network: 182s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24-11-2022 15:39
Behavioral task: behavioral1
- Sample: ORDER SHEET & SPEC.xlsm
- Resource: win10-20220901-en
General
- Target: ORDER SHEET & SPEC.xlsm
- Size: 2.7MB
- MD5: 7ccf88c0bbe3b29bf19d877c4596a8d4
- SHA1: 23f0506d857d38c3cd5354b80afc725b5f034744
- SHA256: 7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
- SHA512: 0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
- SSDEEP: 1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cscript.exe
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 600; pid_target: 4744; process: cscript.exe; target process: EXCEL.EXE
- Blocklisted process makes network request (1 IoCs)
  Processes: cscript.exe
  flow: 34; pid: 600; process: cscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: EXCEL.EXE
  description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: EXCEL.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: EXCEL.EXE
  description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: EXCEL.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: EXCEL.EXE
- NTFS ADS (3 IoCs)
  Processes: EXCEL.EXE
  description: File opened for modification; ioc: C:\programdata\asc.txt:script1.vbs; process: EXCEL.EXE
  description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Temp\{2D08B504-8FE4-4A3E-8143-643D618BD3C1}\q:Zone.Identifier; process: EXCEL.EXE
  description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Temp\{2D08B504-8FE4-4A3E-8143-643D618BD3C1}\xx:Zone.Identifier; process: EXCEL.EXE
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header; flow: 34; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid: 4744; process: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes: EXCEL.EXE
  pid: 4744; process: EXCEL.EXE (13 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: EXCEL.EXE
  description: PID 4744 wrote to memory of 600; pid: 4744; process: EXCEL.EXE; target process: cscript.exe (2 occurrences)
  description: PID 4744 wrote to memory of 4888; pid: 4744; process: EXCEL.EXE; target process: splwow64.exe (2 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
  PID: 4744
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cscript.exe (depth 2)
    Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
    PID: 600
    - Process spawned unexpected child process
    - Blocklisted process makes network request
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 4888
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\programdata\asc.txt:script1.vbs
  Filesize: 58KB
  MD5: 6196ce936b2131935e89615965438ed4
  SHA1: 5c3e5c8091139974fca038e10fc92c7f6e91a053
  SHA256: 2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4
  SHA512: 9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670
- memory/600-294-0x0000000000000000-mapping.dmp
- memory/4744-120-0x00007FFBD4570000-0x00007FFBD4580000-memory.dmp (Filesize: 64KB)
- memory/4744-121-0x00007FFBD4570000-0x00007FFBD4580000-memory.dmp (Filesize: 64KB)
- memory/4744-122-0x00007FFBD4570000-0x00007FFBD4580000-memory.dmp (Filesize: 64KB)
- memory/4744-123-0x00007FFBD4570000-0x00007FFBD4580000-memory.dmp (Filesize: 64KB)
- memory/4744-132-0x00007FFBD1780000-0x00007FFBD1790000-memory.dmp (Filesize: 64KB)
- memory/4744-133-0x00007FFBD1780000-0x00007FFBD1790000-memory.dmp (Filesize: 64KB)
- memory/4888-302-0x0000000000000000-mapping.dmp