Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2023 06:47

General

  • Target

    order LX321.xls

  • Size

    1MB

  • MD5

    6d065053f461331ac2b2ea8c8b4fc135

  • SHA1

    7de9c1e44f4f64c3e698fbaeda05369edcafc6e7

  • SHA256

    3e4660d96763c73a97e3db9a085a19e389b6bd95928e5477e583fc0c42fbce53

  • SHA512

    d0d55eaca911178320c600bd410cc2c8f2f3c803d8865d428910b23583ccfb7252cab6667c5bfa9904a98172b4ae86c4caccebaf756130566e8d345eeb116cf6

  • SSDEEP

    24576:BWQmmav30xSZy6w6Vc6N6vZyZw6VV6NajOp7NkQTwh01TaPqwta:QQmmQ306+6VdkB6V0CoNLTtaSS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\order LX321.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2228
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Roaming\TiWorker.exe
      "C:\Users\Admin\AppData\Roaming\TiWorker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Exploitation for Client Execution

1
T1203

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28BF7153.emf
    Filesize

    1MB

    MD5

    a01b9617553432807b9b58025b338d97

    SHA1

    439bdcc450408b9735b2428c2d53d2e6977fa58c

    SHA256

    7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

    SHA512

    312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81339F3D.emf
    Filesize

    12MB

    MD5

    2f7fc0ab92f23fe5ce9938290f6effc8

    SHA1

    fd7b36d04c94c38c90d5a10b391e74bf6fbe9926

    SHA256

    3fd6eff1547ca422512cecc202e63a8522fa151432aeff83240ae52b5d35e960

    SHA512

    4a544dc20b05648fd5ea106c625f108303b05899e24a31c5449e6b25f991000541ef158dde1a0e6b50fb14d1443b9fcacf004997ae80599cb943df640524e9e5

  • C:\Users\Admin\AppData\Roaming\TiWorker.exe
    Filesize

    17KB

    MD5

    073a2998c2c49d6ae4d5284cfac60389

    SHA1

    5c1139c9c44557384ce115a90dae97654577a5e2

    SHA256

    c0061956b82a9efccd38d7e919139e10e9fd2d5effe84049b9058e92f00ea6e1

    SHA512

    c6de4363fdfb6a757d9b03776e5465564512ca4100a164a73751627595f30e8ea612987703623d98c5a54ad62468a742ba26a99057803759c74fa6ac003a0bde

  • C:\Users\Admin\AppData\Roaming\TiWorker.exe
    Filesize

    17KB

    MD5

    073a2998c2c49d6ae4d5284cfac60389

    SHA1

    5c1139c9c44557384ce115a90dae97654577a5e2

    SHA256

    c0061956b82a9efccd38d7e919139e10e9fd2d5effe84049b9058e92f00ea6e1

    SHA512

    c6de4363fdfb6a757d9b03776e5465564512ca4100a164a73751627595f30e8ea612987703623d98c5a54ad62468a742ba26a99057803759c74fa6ac003a0bde

  • C:\Users\Admin\AppData\Roaming\TiWorker.exe
    Filesize

    17KB

    MD5

    073a2998c2c49d6ae4d5284cfac60389

    SHA1

    5c1139c9c44557384ce115a90dae97654577a5e2

    SHA256

    c0061956b82a9efccd38d7e919139e10e9fd2d5effe84049b9058e92f00ea6e1

    SHA512

    c6de4363fdfb6a757d9b03776e5465564512ca4100a164a73751627595f30e8ea612987703623d98c5a54ad62468a742ba26a99057803759c74fa6ac003a0bde

  • \Users\Admin\AppData\Roaming\TiWorker.exe
    Filesize

    17KB

    MD5

    073a2998c2c49d6ae4d5284cfac60389

    SHA1

    5c1139c9c44557384ce115a90dae97654577a5e2

    SHA256

    c0061956b82a9efccd38d7e919139e10e9fd2d5effe84049b9058e92f00ea6e1

    SHA512

    c6de4363fdfb6a757d9b03776e5465564512ca4100a164a73751627595f30e8ea612987703623d98c5a54ad62468a742ba26a99057803759c74fa6ac003a0bde

  • memory/2228-29-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2228-21-0x0000000072A0D000-0x0000000072A18000-memory.dmp
    Filesize

    44KB

  • memory/2228-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2228-1-0x0000000072A0D000-0x0000000072A18000-memory.dmp
    Filesize

    44KB

  • memory/2228-42-0x0000000072A0D000-0x0000000072A18000-memory.dmp
    Filesize

    44KB

  • memory/2728-19-0x000000006C5B0000-0x000000006CC9E000-memory.dmp
    Filesize

    6MB

  • memory/2728-20-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
    Filesize

    256KB

  • memory/2728-22-0x000000006C5B0000-0x000000006CC9E000-memory.dmp
    Filesize

    6MB

  • memory/2728-23-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
    Filesize

    256KB

  • memory/2728-18-0x00000000012B0000-0x00000000012BA000-memory.dmp
    Filesize

    40KB