Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2023 04:52

General

  • Target
    ORDER SHEET & SPEC.xlsm
  • Size
    2.7MB
  • MD5
    7ccf88c0bbe3b29bf19d877c4596a8d4
  • SHA1
    23f0506d857d38c3cd5354b80afc725b5f034744
  • SHA256
    7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
  • SHA512
    0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
  • SSDEEP
    1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E

Score
10/10

Signatures

  • Process spawned unexpected child process (1 IoC)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Launches Equation Editor (1 TTP, 1 IoC)
    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 3044)
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cscript.exe (PID 2464)
      "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      • Process spawned unexpected child process
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2856)
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cMD.exe (PID 2544)
      cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf  C
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\wscript.exe (PID 2688)
        WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf  C
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\cmd.exe (PID 2576)
          "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          • Suspicious use of WriteProcessMemory
          • C:\Windows\SysWOW64\cscript.exe (PID 2452)
            cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Exploitation for Client Execution (T1203), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: System Information Discovery (T1082), 2 hits
  • Discovery: Query Registry (T1012), 1 hit

Downloads

  • C:\Users\Admin\AppData\Local\Temp\q
    Filesize: 15KB
    MD5: ef556c44786a88cdf0f705ac03d9099a
    SHA1: 60bf4f1af100f94c98e3911b5f839d4a60dfc8f8
    SHA256: 6ce8f2114acac0ce2eed32d302a6a40185d3388caa722b0724da2aebdeabeb3c
    SHA512: 52fce99ab482bfccbadcd8a7738717ca6feab4e7a62f9c52872822073b4f4728f3aaa83cb55dd2818df0eb42994939d9fd48f7bce1326ba5ce5ecb5b2c625fcc
  • C:\Users\Admin\AppData\Local\Temp\xx
    Filesize: 28KB
    MD5: 03d7df9993352270e6a5497b895e79a8
    SHA1: 2544c92e55977c6f6947b231cd4c0317faecc68b
    SHA256: 4779756453533076aee716817d417968f4c462e1868d1a6196006eea0c9b6e1b
    SHA512: c50b58a4fd06dff7e7b7904111cf00e2b7b11fff05077f9a21d649d8e5858c73c79389b08570a40b353b456de5d38167145d0e7755df9b0c3cc3077e24c7b7fe
  • C:\programdata\asc.txt:script1.vbs
    Filesize: 58KB
    MD5: 6196ce936b2131935e89615965438ed4
    SHA1: 5c3e5c8091139974fca038e10fc92c7f6e91a053
    SHA256: 2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4
    SHA512: 9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670
  • memory/3044-12-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-10-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-11-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/3044-13-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-9-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-17-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-19-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-1-0x000000007221D000-0x0000000072228000-memory.dmp (Filesize: 44KB)
  • memory/3044-21-0x000000007221D000-0x0000000072228000-memory.dmp (Filesize: 44KB)
  • memory/3044-22-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)
  • memory/3044-23-0x0000000006740000-0x0000000006840000-memory.dmp (Filesize: 1024KB)