a53db45f1d4a2f36ebc0b0e268d2073baba89ca6c1d05fe9a06ef395e8658a51

General

Target

ORDER SHEET & SPEC.xlsm
Size

2.7MB
MD5

7ccf88c0bbe3b29bf19d877c4596a8d4
SHA1

23f0506d857d38c3cd5354b80afc725b5f034744
SHA256

7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
SHA512

0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
SSDEEP

1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2672	2544	cscript.exe	EXCEL.EXE

Blocklisted process makes network request 4 IoCs

Processes:

cscript.execscript.exe

flow pid process

3 2672 cscript.exe
4 2672 cscript.exe
5 2472 cscript.exe
6 2472 cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2932 EQNEDT32.EXE
NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File opened for modification C:\programdata\asc.txt:script1.vbs EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2544 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

2544 EXCEL.EXE
2544 EXCEL.EXE
2544 EXCEL.EXE
2544 EXCEL.EXE
2544 EXCEL.EXE
2544 EXCEL.EXE

flow	pid	process
3	2672	cscript.exe
4	2672	cscript.exe
5	2472	cscript.exe
6	2472	cscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2932	EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

pid	process
2544	EXCEL.EXE

pid	process
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EQNEDT32.EXEcMD.exeEXCEL.EXEwscript.execmd.exe

description	pid	process	target process
PID 2932 wrote to memory of 2824	2932	EQNEDT32.EXE	cMD.exe
PID 2932 wrote to memory of 2824	2932	EQNEDT32.EXE	cMD.exe
PID 2932 wrote to memory of 2824	2932	EQNEDT32.EXE	cMD.exe
PID 2932 wrote to memory of 2824	2932	EQNEDT32.EXE	cMD.exe
PID 2824 wrote to memory of 2896	2824	cMD.exe	wscript.exe
PID 2824 wrote to memory of 2896	2824	cMD.exe	wscript.exe
PID 2824 wrote to memory of 2896	2824	cMD.exe	wscript.exe
PID 2824 wrote to memory of 2896	2824	cMD.exe	wscript.exe
PID 2544 wrote to memory of 2672	2544	EXCEL.EXE	cscript.exe
PID 2544 wrote to memory of 2672	2544	EXCEL.EXE	cscript.exe
PID 2544 wrote to memory of 2672	2544	EXCEL.EXE	cscript.exe
PID 2544 wrote to memory of 2672	2544	EXCEL.EXE	cscript.exe
PID 2896 wrote to memory of 2736	2896	wscript.exe	cmd.exe
PID 2896 wrote to memory of 2736	2896	wscript.exe	cmd.exe
PID 2896 wrote to memory of 2736	2896	wscript.exe	cmd.exe
PID 2896 wrote to memory of 2736	2896	wscript.exe	cmd.exe
PID 2736 wrote to memory of 2472	2736	cmd.exe	cscript.exe
PID 2736 wrote to memory of 2472	2736	cmd.exe	cscript.exe
PID 2736 wrote to memory of 2472	2736	cmd.exe	cscript.exe
PID 2736 wrote to memory of 2472	2736	cmd.exe	cscript.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:2672

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\cMD.exe
cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf C
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\wscript.exe
WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
3⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
5⤵
- Blocklisted process makes network request
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\q
Filesize
15KB

MD5
ef556c44786a88cdf0f705ac03d9099a

SHA1
60bf4f1af100f94c98e3911b5f839d4a60dfc8f8

SHA256
6ce8f2114acac0ce2eed32d302a6a40185d3388caa722b0724da2aebdeabeb3c

SHA512
52fce99ab482bfccbadcd8a7738717ca6feab4e7a62f9c52872822073b4f4728f3aaa83cb55dd2818df0eb42994939d9fd48f7bce1326ba5ce5ecb5b2c625fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx
Filesize
28KB

MD5
03d7df9993352270e6a5497b895e79a8

SHA1
2544c92e55977c6f6947b231cd4c0317faecc68b

SHA256
4779756453533076aee716817d417968f4c462e1868d1a6196006eea0c9b6e1b

SHA512
c50b58a4fd06dff7e7b7904111cf00e2b7b11fff05077f9a21d649d8e5858c73c79389b08570a40b353b456de5d38167145d0e7755df9b0c3cc3077e24c7b7fe

Download Submit
C:\programdata\asc.txt:script1.vbs
Filesize
58KB

MD5
6196ce936b2131935e89615965438ed4

SHA1
5c3e5c8091139974fca038e10fc92c7f6e91a053

SHA256
2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4

SHA512
9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670

Download Submit
memory/2544-13-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-12-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-11-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-10-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-14-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-4-0x000000007393D000-0x0000000073948000-memory.dmp

Filesize
44KB

Download
memory/2544-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-17-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-20-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-1-0x000000007393D000-0x0000000073948000-memory.dmp

Filesize
44KB

Download
memory/2544-22-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2544-23-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing