Analysis
-
max time kernel
212s -
max time network
215s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
26-03-2023 02:59
General
-
Target
ORDER SHEET & SPEC.xlsm
-
Size
2.7MB
-
MD5
7ccf88c0bbe3b29bf19d877c4596a8d4
-
SHA1
23f0506d857d38c3cd5354b80afc725b5f034744
-
SHA256
7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
-
SHA512
0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
-
SSDEEP
1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 3 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.0.702654577\145570501" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff2f44ec-cda7-48f8-8b78-0fd5d9f585a0} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 1764 20408816858 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.1.1468959739\181354978" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eafbea1-84cd-4b3b-b4f8-d38d51f58de5} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 2104 2047bf71f58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.2.1778441881\1332521415" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2764 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6bcfb45-ad58-4463-9f7e-b88ee7999353} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 2740 2040b637058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.3.1244132885\198920022" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3180 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b3a6900-0490-4444-b7a5-ec7f6c5bf92b} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 3508 2040c707158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.4.1590031727\528628922" -childID 3 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2611510f-8f96-42f8-b524-2fcca7d5b0d2} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 3928 2040cc69e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.5.10665328\1538723216" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4820 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b0249a8-ee62-4fb2-a7c8-888650a5b200} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 4824 20409bd7e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.6.1535772598\328434981" -childID 5 -isForBrowser -prefsHandle 4796 -prefMapHandle 4868 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c838f2c5-f3d0-4815-b35b-17fd4098ed1c} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 4548 20409bd4858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.7.1114612168\1721317993" -childID 6 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c2e5ab8-2bab-4d06-baf0-66e6654bb559} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 4824 20409bd5158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.8.1520493165\1024642414" -childID 7 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27bc0928-7796-4fd4-acbe-354c0eb2e5da} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 4300 2040e007a58 tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmpFilesize
146KB
MD56a29b4839a658fbf5e582c2700d20d5a
SHA1602772efb21bc7985988f89f47d1701ee4a06592
SHA256892f649c836c6e1a912712d7f415dd8e9232de8155393457e43db610bb41804f
SHA5124378c7c89b70e173b2643c2db7d769839e6fd259dc2469d81c958d88f97ba674ac59d06e099964f0f9c36b178aaa22c28b5cf8d2246099fa17cc78062814b319
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.jsFilesize
6KB
MD5fc03769491e92557713bff75b3dcae44
SHA1a4f4687575dba8a950a014c93d8f9f086a2b68d6
SHA2563e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375
SHA5128e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD5dcb571e3f887b773fe22ebd720801a73
SHA1437813070db591c0e343222d761ac4e8ed486102
SHA256be20ca6868efaa4fbfa4d102c35a1c85ed38e83436a14d07ebf4b4d6b0286eed
SHA512d918ce4e14c6894f9a6c0fc283b19ccbda9eaf69dc9bc4b65558a9de18a74841ddae50ff53da585e5e453f9fa17f4da0e5937fd317b1376ad9037299dcedf199
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5d02ba692473537d1215acf0163c0b080
SHA1885b6fdee9aa85e2852d61c35498041d6d923be5
SHA256775d7da61e7c7d7ac4f82bf013f2c894524abd006f23e37e259ad920c6e9bdc1
SHA5121c5314266a9420bbe25a2b930796880686beb2eb1b98267ba937927aae5cebb3ab5bb5b081dd6b5643bac3aa4f3bb7b2c9c072a8746cac4107460d666d10fe95
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD5a3948e41d2174f625e74f03b6443d19b
SHA1ebc26d7fd2f672b8e7b9bfc276e87d9926bbef33
SHA256161e0394a581c8fe798bbd3ed6ef02820cf8f0df9aa13db288ef10cd36c96bdb
SHA512f8674349020fc45b01e2cea8a4dbb27e31cbf6bb85cd85a8f5adbe5877c588987ec5ba41de90dcb88699943a18dcba639e8f13be164e4bdcdb7229cabd19eeee
-
C:\programdata\asc.txt:script1.vbsFilesize
58KB
MD56196ce936b2131935e89615965438ed4
SHA15c3e5c8091139974fca038e10fc92c7f6e91a053
SHA2562eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4
SHA5129505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670
-
memory/1736-134-0x00007FFA48E90000-0x00007FFA48EA0000-memory.dmpFilesize
64KB
-
memory/1736-425-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-122-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-338-0x000002D2CE690000-0x000002D2CE721000-memory.dmpFilesize
580KB
-
memory/1736-423-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-424-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-426-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-258-0x000002D2CE690000-0x000002D2CE721000-memory.dmpFilesize
580KB
-
memory/1736-427-0x000002D2CE690000-0x000002D2CE721000-memory.dmpFilesize
580KB
-
memory/1736-121-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-133-0x00007FFA48E90000-0x00007FFA48EA0000-memory.dmpFilesize
64KB
-
memory/1736-124-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/1736-123-0x00007FFA4BAA0000-0x00007FFA4BAB0000-memory.dmpFilesize
64KB
-
memory/4904-317-0x000001C79EBA0000-0x000001C79EC31000-memory.dmpFilesize
580KB