a53db45f1d4a2f36ebc0b0e268d2073baba89ca6c1d05fe9a06ef395e8658a51

General

Target

ORDER SHEET & SPEC.xlsm
Size

2.7MB
MD5

7ccf88c0bbe3b29bf19d877c4596a8d4
SHA1

23f0506d857d38c3cd5354b80afc725b5f034744
SHA256

7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
SHA512

0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
SSDEEP

1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cscript.execscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4504	5068	cscript.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3952	5068	cscript.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

cscript.execscript.exe

flow pid process

22 4504 cscript.exe
472 3952 cscript.exe

flow	pid	process
22	4504	cscript.exe
472	3952	cscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cscript.execscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 3 IoCs

Processes:

EXCEL.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{0E9FCA31-9141-497C-8E36-EAC1FA784A26}\q:Zone.Identifier	EXCEL.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{0E9FCA31-9141-497C-8E36-EAC1FA784A26}\xx:Zone.Identifier	EXCEL.EXE
File opened for modification	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	472	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

5068 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

5068 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

5068 EXCEL.EXE
5068 EXCEL.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXE

pid	process
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE
5068	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 5068 wrote to memory of 4504	5068	EXCEL.EXE	cscript.exe
PID 5068 wrote to memory of 4504	5068	EXCEL.EXE	cscript.exe
PID 5068 wrote to memory of 3952	5068	EXCEL.EXE	cscript.exe
PID 5068 wrote to memory of 3952	5068	EXCEL.EXE	cscript.exe
PID 5068 wrote to memory of 4488	5068	EXCEL.EXE	splwow64.exe
PID 5068 wrote to memory of 4488	5068	EXCEL.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Checks computer location settings
PID:4504

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Checks computer location settings
PID:3952

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Podaliri4.exe
Filesize
1KB

MD5
47172e62787300b279ae2e1d21763c81

SHA1
8bc8206ab37105da07312f4d39d8e57cc9763e00

SHA256
258682bcb3d7d927aaf47bfe1c01788db1f0cda4bf2240001e5e7408a6f559ae

SHA512
f0bf41eb9fee1533766b37b9f09ca80ca1bc690d43cdf0c39aeeaaeb9a5a2b4ca0b2a978a76988b485547566b619600100f6845cfa7cff2da87abed247d19418

Download Submit
C:\programdata\asc.txt:script1.vbs
Filesize
58KB

MD5
6196ce936b2131935e89615965438ed4

SHA1
5c3e5c8091139974fca038e10fc92c7f6e91a053

SHA256
2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4

SHA512
9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670

Download Submit
memory/5068-22-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-9-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-52-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-7-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-8-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp

Filesize
64KB

Download
memory/5068-3-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-1-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp

Filesize
64KB

Download
memory/5068-40-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-11-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-12-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-10-0x00007FF809560000-0x00007FF809570000-memory.dmp

Filesize
64KB

Download
memory/5068-13-0x00007FF809560000-0x00007FF809570000-memory.dmp

Filesize
64KB

Download
memory/5068-0-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp

Filesize
64KB

Download
memory/5068-15-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-16-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-17-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-18-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-19-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-20-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-21-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-14-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-6-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp

Filesize
64KB

Download
memory/5068-5-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-55-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-4-0x00007FF80BBB0000-0x00007FF80BBC0000-memory.dmp

Filesize
64KB

Download
memory/5068-56-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-2-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-71-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-72-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-73-0x00007FF84BB30000-0x00007FF84BD25000-memory.dmp

Filesize
2.0MB

Download
memory/5068-74-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-75-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-76-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-77-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-86-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-98-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-101-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-103-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-104-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-105-0x000002295A2D0000-0x000002295AAD0000-memory.dmp

Filesize
8.0MB

Download
memory/5068-106-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download
memory/5068-107-0x000002295B850000-0x000002295C820000-memory.dmp

Filesize
15.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads