Analysis

max time kernel: 1626s
max time network: 1169s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-02-2024 16:57
Behavioral task: behavioral1
Sample: ORDER SHEET & SPEC.xlsm
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: ORDER SHEET & SPEC.xlsm
Resource: win10v2004-20231222-en
General

Target: ORDER SHEET & SPEC.xlsm
Size: 2.7MB
MD5: 7ccf88c0bbe3b29bf19d877c4596a8d4
SHA1: 23f0506d857d38c3cd5354b80afc725b5f034744
SHA256: 7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
SHA512: 0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
SSDEEP: 1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E
Malware Config
Signatures
-
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cscript.exe, cscript.exe

description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4504 | 5068 | cscript.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3952 | 5068 | cscript.exe | EXCEL.EXE
-
Blocklisted process makes network request (2 IoCs)
Processes: cscript.exe, cscript.exe

flow | pid | process
22 | 4504 | cscript.exe
472 | 3952 | cscript.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: cscript.exe, cscript.exe

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | cscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | cscript.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE

description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE

description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
NTFS ADS (3 IoCs)
Processes: EXCEL.EXE

description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{0E9FCA31-9141-497C-8E36-EAC1FA784A26}\q:Zone.Identifier | EXCEL.EXE
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{0E9FCA31-9141-497C-8E36-EAC1FA784A26}\xx:Zone.Identifier | EXCEL.EXE
File opened for modification | C:\programdata\asc.txt:script1.vbs | EXCEL.EXE

The two Zone.Identifier entries are Mark-of-the-Web streams on Excel's own temporary files. The third entry is the one that matters: the macro writes a VBScript into an alternate data stream of C:\programdata\asc.txt, so a directory listing shows only an innocuous text file, and the process tree below shows cscript.exe being launched twice with that file:stream path as its argument.
-
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.

description | flow | ioc
HTTP User-Agent header | 472 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
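The User-Agent above is the default sent by the WinHttp.WinHttpRequest COM object, which is what VBScript running under cscript.exe typically uses for HTTP; a browser would never send it. The following is an added example, not part of the sandbox report or its tooling, that runs this check over constructed proxy-log lines in a made-up format and grades each hit by the process that made the request. Flows 22 and 472 carry the PIDs and UA string from the report; the URLs (203.0.113.x documentation addresses), the other flows, the pid-to-image map and the list of non-browser UA markers are all assumptions made for the example.

```python
"""Flag HTTP flows whose User-Agent is a script-host/automation default, and
grade each hit by the process behind it. Log format (constructed for this
example):  <flow_id> <pid> <method> <url> <status> "<user-agent>"
"""
import re

# UA fragments of non-browser clients (our own list, not the sandbox's).
# WinHttp.WinHttpRequest.5 is the default UA of the WinHttpRequest COM object
# commonly driven from VBScript/JScript.
SCRIPT_UA_MARKERS = (
    "WinHttp.WinHttpRequest",
    "WindowsPowerShell/",
    "Microsoft BITS/",
    "python-requests/",
    "curl/",
)
# Interpreters whose outbound HTTP is rarely legitimate on a workstation.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}

LOG_RE = re.compile(r'^(\d+)\s+(\d+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s+"([^"]*)"\s*$')

# Constructed sample traffic. Flows 22 and 472 mirror the report (pids 4504
# and 3952, WinHttpRequest UA); flows 21 and 30 are invented benign traffic.
SAMPLE_LOG = """\
21 2212 GET https://www.bing.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
22 4504 GET http://203.0.113.10/x 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
30 3100 GET https://203.0.113.20/catalog 200 "Microsoft BITS/7.8"
472 3952 GET http://203.0.113.10/x 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""

# pid -> image name, as it would be joined from process-creation telemetry
# (constructed; 4504 and 3952 are the cscript.exe PIDs from the report).
PID_IMAGES = {2212: "chrome.exe", 4504: "cscript.exe", 3100: "svchost.exe", 3952: "cscript.exe"}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flow, pid, method, url, status, ua = m.groups()
    return {"flow": int(flow), "pid": int(pid), "method": method,
            "url": url, "status": int(status), "ua": ua}


def script_ua_marker(ua):
    """Return the first matching non-browser marker in a UA string, else None."""
    for marker in SCRIPT_UA_MARKERS:
        if marker in ua:
            return marker
    return None


def flag_script_flows(log_text):
    """All flows whose UA matches a script/automation marker, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        marker = script_ua_marker(rec["ua"])
        if marker:
            hits.append({**rec, "marker": marker})
    return hits


def triage(hits, pid_images):
    """Severity per flow id: 'high' when a script host produced the request,
    'info' for service/automation clients (BITS from svchost, package managers)
    that are normal on a workstation and would otherwise flood the queue."""
    out = {}
    for h in hits:
        image = pid_images.get(h["pid"], "").lower()
        out[h["flow"]] = "high" if image in SCRIPT_HOSTS else "info"
    return out


if __name__ == "__main__":
    hits = flag_script_flows(SAMPLE_LOG)
    severity = triage(hits, PID_IMAGES)
    for h in hits:
        print(f"flow {h['flow']:>4} pid {h['pid']} {severity[h['flow']]:<4} {h['marker']}  {h['url']}")
```

The UA match alone is a weak signal (BITS, PowerShell and curl all have legitimate uses), which is why the example joins each flow to the requesting image and only rates script-host requests as high; in the report both flagged flows come from cscript.exe.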
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE

pid | process
5068 | EXCEL.EXE
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: EXCEL.EXE

pid | process
5068 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE

pid | process
5068 | EXCEL.EXE
5068 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (20 IoCs)
Processes: EXCEL.EXE

pid | process
5068 | EXCEL.EXE (20 identical entries)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: EXCEL.EXE

description | pid | process | target process
PID 5068 wrote to memory of 4504 | 5068 | EXCEL.EXE | cscript.exe
PID 5068 wrote to memory of 4504 | 5068 | EXCEL.EXE | cscript.exe
PID 5068 wrote to memory of 3952 | 5068 | EXCEL.EXE | cscript.exe
PID 5068 wrote to memory of 3952 | 5068 | EXCEL.EXE | cscript.exe
PID 5068 wrote to memory of 4488 | 5068 | EXCEL.EXE | splwow64.exe
PID 5068 wrote to memory of 4488 | 5068 | EXCEL.EXE | splwow64.exe
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\cscript.exe
    Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Checks computer location settings
    -
    C:\Windows\System32\cscript.exe
    Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Checks computer location settings
    -
    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
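The tree above is the whole story of this sample in three lines: Excel (pid 5068) launches cscript.exe twice with an alternate data stream as the script path, and also splwow64.exe, which is an ordinary Office print helper and is not flagged. The following is an added example, not code from the sandbox or its report, showing how a practitioner would turn the "Process spawned unexpected child process" and "NTFS ADS" signatures into detection logic over process-creation telemetry. The events are constructed Sysmon Event ID 1-style records: the PIDs, images and command lines of EXCEL.EXE, cscript.exe and splwow64.exe are copied from the report, while the parent PID 1234, the benign event with PIDs 7001/6000 and the Office/script-host lists are assumptions made for the example.

```python
"""Process-tree detection: Office parent spawning a script host, and command
lines that name an NTFS alternate data stream (file:stream)."""
import re
from collections import defaultdict

# Office binaries that should not spawn script hosts / LOLBins (our own lists,
# not the sandbox's; extend to taste).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# <drive>:\<path>:<stream>. The drive colon is always followed by a backslash,
# so a second colon inside the same path token can only be the ADS separator
# (asc.txt:script1.vbs). Quoted arguments may contain spaces, so they get
# their own pattern; bare tokens stop at whitespace.
ADS_QUOTED_RE = re.compile(r'"([A-Za-z]:\\[^":]+):([^":\\]+)"')
ADS_BARE_RE = re.compile(r'(?<![\w"])([A-Za-z]:\\[^\s":]+):([^\s":\\]+)')

# Constructed sample events (Sysmon Event ID 1 fields, trimmed).
SAMPLE_EVENTS = [
    {"pid": 5068, "ppid": 1234, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"'},
    {"pid": 4504, "ppid": 5068, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs'},
    {"pid": 3952, "ppid": 5068, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs'},
    {"pid": 4488, "ppid": 5068, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    # invented benign event: an admin script run from a normal file, not from Office
    {"pid": 7001, "ppid": 6000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_ads_refs(cmdline):
    """All (file, stream) pairs referenced in a command line."""
    refs = [m.groups() for m in ADS_QUOTED_RE.finditer(cmdline)]
    unquoted = re.sub(r'"[^"]*"', " ", cmdline)  # quoted args handled above
    refs += [m.groups() for m in ADS_BARE_RE.finditer(unquoted)]
    return refs


def analyse(events):
    """Return (rule, pid, ...) tuples for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE_IMAGES and child in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e["pid"], e["ppid"], child))
        for path, stream in find_ads_refs(e["cmdline"]):
            findings.append(("ads_in_cmdline", e["pid"], path, stream))
    return findings


def render_tree(events):
    """Indented parent->child listing, like the Processes section of the report."""
    known = {e["pid"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"] if e["ppid"] in known else None].append(e)
    lines = []

    def walk(ppid, depth):
        for e in children[ppid]:
            lines.append("  " * depth + f"{e['pid']} {e['cmdline']}")
            walk(e["pid"], depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS)))
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Note that splwow64.exe, although spawned by Excel and written to by it (see the WriteProcessMemory IoCs), is not a script host and is left alone, and the cscript.exe run from C:\Scripts is not flagged because its parent is not an Office binary; the ADS rule fires independently of the parent, so a script path like asc.txt:script1.vbs is caught even if the spawning process were something else.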
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\Podaliri4.exe
Filesize: 1KB
MD5: 47172e62787300b279ae2e1d21763c81
SHA1: 8bc8206ab37105da07312f4d39d8e57cc9763e00
SHA256: 258682bcb3d7d927aaf47bfe1c01788db1f0cda4bf2240001e5e7408a6f559ae
SHA512: f0bf41eb9fee1533766b37b9f09ca80ca1bc690d43cdf0c39aeeaaeb9a5a2b4ca0b2a978a76988b485547566b619600100f6845cfa7cff2da87abed247d19418
-
C:\programdata\asc.txt:script1.vbs
Filesize: 58KB
MD5: 6196ce936b2131935e89615965438ed4
SHA1: 5c3e5c8091139974fca038e10fc92c7f6e91a053
SHA256: 2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4
SHA512: 9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670
-
Memory dumps (all taken from EXCEL.EXE, pid 5068)

dump | filesize
memory/5068-22-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-9-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-52-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-7-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-8-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp | 64KB
memory/5068-3-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-1-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp | 64KB
memory/5068-40-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-11-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-12-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-10-0x00007FF809560000-0x00007FF809570000-memory.dmp | 64KB
memory/5068-13-0x00007FF809560000-0x00007FF809570000-memory.dmp | 64KB
memory/5068-0-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp | 64KB
memory/5068-15-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-16-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-17-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-18-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-19-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-20-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-21-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-14-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-6-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp | 64KB
memory/5068-5-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-55-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-4-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp | 64KB
memory/5068-56-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-2-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-71-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-72-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-73-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp | 2.0MB
memory/5068-74-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-75-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-76-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-77-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-86-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-98-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-101-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-103-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-104-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-105-0x000002295A2D0000-0x000002295AAD0000-memory.dmp | 8.0MB
memory/5068-106-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB
memory/5068-107-0x000002295B850000-0x000002295C820000-memory.dmp | 15.8MB