Analysis

  • max time kernel
    1798s
  • max time network
    1563s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-02-2024 16:57

General

  • Target

    ORDER SHEET & SPEC.xlsm

  • Size

    2.7MB

  • MD5

    7ccf88c0bbe3b29bf19d877c4596a8d4

  • SHA1

    23f0506d857d38c3cd5354b80afc725b5f034744

  • SHA256

    7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813

  • SHA512

    0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc

  • SSDEEP

    1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:2592
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2100
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\cMD.exe
        cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf  C
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\wscript.exe
          WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf  C
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\cscript.exe
              cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
              5⤵
              • Blocklisted process makes network request
              PID:2660

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Execution
      Exploitation for Client Execution: T1203 (1)
    • Defense Evasion
      Modify Registry: T1112 (1)
    • Discovery
      Query Registry: T1012 (1)
      System Information Discovery: T1082 (1)


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\q
      Filesize

      15KB

      MD5

      ef556c44786a88cdf0f705ac03d9099a

      SHA1

      60bf4f1af100f94c98e3911b5f839d4a60dfc8f8

      SHA256

      6ce8f2114acac0ce2eed32d302a6a40185d3388caa722b0724da2aebdeabeb3c

      SHA512

      52fce99ab482bfccbadcd8a7738717ca6feab4e7a62f9c52872822073b4f4728f3aaa83cb55dd2818df0eb42994939d9fd48f7bce1326ba5ce5ecb5b2c625fcc

    • C:\Users\Admin\AppData\Local\Temp\xx
      Filesize

      28KB

      MD5

      03d7df9993352270e6a5497b895e79a8

      SHA1

      2544c92e55977c6f6947b231cd4c0317faecc68b

      SHA256

      4779756453533076aee716817d417968f4c462e1868d1a6196006eea0c9b6e1b

      SHA512

      c50b58a4fd06dff7e7b7904111cf00e2b7b11fff05077f9a21d649d8e5858c73c79389b08570a40b353b456de5d38167145d0e7755df9b0c3cc3077e24c7b7fe

    • C:\programdata\asc.txt:script1.vbs
      Filesize

      58KB

      MD5

      6196ce936b2131935e89615965438ed4

      SHA1

      5c3e5c8091139974fca038e10fc92c7f6e91a053

      SHA256

      2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4

      SHA512

      9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670

    • memory/2296-11-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-10-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-9-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-13-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2296-18-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-1-0x00000000720FD000-0x0000000072108000-memory.dmp
      Filesize

      44KB

    • memory/2296-16-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-20-0x00000000720FD000-0x0000000072108000-memory.dmp
      Filesize

      44KB

    • memory/2296-21-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB

    • memory/2296-22-0x0000000000370000-0x0000000000470000-memory.dmp
      Filesize

      1024KB