e01c99c34b581a13f712ab7f5c5d01dd34a06c74fb05bc638aee86552173c787

General

Target

QUOTATION.xlam
Size

614KB
MD5

50a1039bea7bf6220fd06559c0a5be20
SHA1

91c6d52784cf54457cc5cdb67ef2d3f404100786
SHA256

e01c99c34b581a13f712ab7f5c5d01dd34a06c74fb05bc638aee86552173c787
SHA512

21589d2183af49ad2e27d1bfd18cfcd898b8c87388c691589e4201eb9d1a7373873640ca1935798ecd5be4b75209a67b26d219e069aab66d8c55f20f64a3004f
SSDEEP

12288:r/guhDtOw8C/QFomz+KZXkPQ/WJTAp1ux+8hgjRbCNP4s:r4Ycw8gNQZCo/ul+9RbYPt

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2984	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2984	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2548	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2236	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2236	EXCEL.EXE
2236	EXCEL.EXE
2236	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1488	2984	EQNEDT32.EXE	33
PID 2984 wrote to memory of 1488	2984	EQNEDT32.EXE	33
PID 2984 wrote to memory of 1488	2984	EQNEDT32.EXE	33
PID 2984 wrote to memory of 1488	2984	EQNEDT32.EXE	33
PID 1488 wrote to memory of 1960	1488	WScript.exe	34
PID 1488 wrote to memory of 1960	1488	WScript.exe	34
PID 1488 wrote to memory of 1960	1488	WScript.exe	34
PID 1488 wrote to memory of 1960	1488	WScript.exe	34
PID 1960 wrote to memory of 2548	1960	cmd.exe	36
PID 1960 wrote to memory of 2548	1960	cmd.exe	36
PID 1960 wrote to memory of 2548	1960	cmd.exe	36
PID 1960 wrote to memory of 2548	1960	cmd.exe	36
PID 1960 wrote to memory of 2832	1960	cmd.exe	37
PID 1960 wrote to memory of 2832	1960	cmd.exe	37
PID 1960 wrote to memory of 2832	1960	cmd.exe	37
PID 1960 wrote to memory of 2832	1960	cmd.exe	37
PID 2832 wrote to memory of 2812	2832	cmd.exe	38
PID 2832 wrote to memory of 2812	2832	cmd.exe	38
PID 2832 wrote to memory of 2812	2832	cmd.exe	38
PID 2832 wrote to memory of 2812	2832	cmd.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\QUOTATION.xlam
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nhwwtjdrt.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\nhwwtjdrt.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "RRLPLUBipJ".vbs')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\nhwwtjdrt.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "RRLPLUBipJ".vbs')"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\nhwwtjdrt.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "RRLPLUBipJ".vbs')
        5⤵
        Drops file in System32 directory
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nhwwtjdrt.vbs

Filesize
341KB

MD5
f29c576dafde535cca1e48bc52efc6d9

SHA1
336ec58fd0680ad912f02ce22d94d0fdbe7cd659

SHA256
83cfa32b8cd64b96f7b79f23371174ad566fa823d59c3ec4f8d0f953b7f7b24a

SHA512
12c5a4bce23ff2251824f388a8151cc76db33c6e27106deeb4bb7869d050d6c81df7b756b4227225e4f63cb3ef0343900ca6e0a4d06ad07757ef78bebbd894c4

Download Submit
C:\Users\Admin\AppData\Roaming\nhwwtjdrt.vbs

Filesize
341KB

MD5
f29c576dafde535cca1e48bc52efc6d9

SHA1
336ec58fd0680ad912f02ce22d94d0fdbe7cd659

SHA256
83cfa32b8cd64b96f7b79f23371174ad566fa823d59c3ec4f8d0f953b7f7b24a

SHA512
12c5a4bce23ff2251824f388a8151cc76db33c6e27106deeb4bb7869d050d6c81df7b756b4227225e4f63cb3ef0343900ca6e0a4d06ad07757ef78bebbd894c4

Download Submit
memory/2236-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-1-0x000000007238D000-0x0000000072398000-memory.dmp

Filesize
44KB

Download
memory/2236-2-0x000000007238D000-0x0000000072398000-memory.dmp

Filesize
44KB

Download
memory/2236-11-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-12-0x000000007238D000-0x0000000072398000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing