Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2024 01:54
Behavioral task behavioral1
- Sample: ORDER SHEET & SPEC.xlsm
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: ORDER SHEET & SPEC.xlsm
- Resource: win10v2004-20240802-en
General
- Target: ORDER SHEET & SPEC.xlsm
- Size: 2.7MB
- MD5: 7ccf88c0bbe3b29bf19d877c4596a8d4
- SHA1: 23f0506d857d38c3cd5354b80afc725b5f034744
- SHA256: 7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
- SHA512: 0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
- SSDEEP: 1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cscript.exe
    description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
    pid: 3044
    pid_target: 2408
    process: cscript.exe
    target process: EXCEL.EXE
- Blocklisted process makes network request (4 IoCs)
  Processes: cscript.exe, cscript.exe
    flow  pid   process
    3     3044  cscript.exe
    4     3044  cscript.exe
    5     2624  cscript.exe
    6     2624  cscript.exe
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: cMD.exe, wscript.exe, cscript.exe, cmd.exe, cscript.exe, EXCEL.EXE, EQNEDT32.EXE
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cMD.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wscript.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cscript.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cscript.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE
    description  ioc                                                                     process
    Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- NTFS ADS (1 IoC)
  Processes: EXCEL.EXE
    description                    ioc                                  process
    File opened for modification   C:\programdata\asc.txt:script1.vbs   EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
    pid   process
    2408  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE
    pid   process
    2408  EXCEL.EXE
    2408  EXCEL.EXE
    2408  EXCEL.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: EQNEDT32.EXE, cMD.exe, EXCEL.EXE, wscript.exe, cmd.exe
    description                         pid   process       target process
    PID 2816 wrote to memory of 2864    2816  EQNEDT32.EXE  cMD.exe       (reported 4 times)
    PID 2864 wrote to memory of 2748    2864  cMD.exe       wscript.exe   (reported 4 times)
    PID 2408 wrote to memory of 3044    2408  EXCEL.EXE     cscript.exe   (reported 4 times)
    PID 2748 wrote to memory of 2832    2748  wscript.exe   cmd.exe       (reported 4 times)
    PID 2832 wrote to memory of 2624    2832  cmd.exe       cscript.exe   (reported 4 times)
Processes
- (depth 1) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SPEC.xlsm"
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
- (depth 1) C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cMD.exe
    Command line: cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf C
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\wscript.exe
      Command line: WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\cscript.exe
          Command line: cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          - Blocklisted process makes network request
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\q
  Filesize: 15KB
  MD5: ef556c44786a88cdf0f705ac03d9099a
  SHA1: 60bf4f1af100f94c98e3911b5f839d4a60dfc8f8
  SHA256: 6ce8f2114acac0ce2eed32d302a6a40185d3388caa722b0724da2aebdeabeb3c
  SHA512: 52fce99ab482bfccbadcd8a7738717ca6feab4e7a62f9c52872822073b4f4728f3aaa83cb55dd2818df0eb42994939d9fd48f7bce1326ba5ce5ecb5b2c625fcc
- C:\Users\Admin\AppData\Local\Temp\xx
  Filesize: 28KB
  MD5: 03d7df9993352270e6a5497b895e79a8
  SHA1: 2544c92e55977c6f6947b231cd4c0317faecc68b
  SHA256: 4779756453533076aee716817d417968f4c462e1868d1a6196006eea0c9b6e1b
  SHA512: c50b58a4fd06dff7e7b7904111cf00e2b7b11fff05077f9a21d649d8e5858c73c79389b08570a40b353b456de5d38167145d0e7755df9b0c3cc3077e24c7b7fe
- C:\programdata\asc.txt:script1.vbs
  Filesize: 58KB
  MD5: 6196ce936b2131935e89615965438ed4
  SHA1: 5c3e5c8091139974fca038e10fc92c7f6e91a053
  SHA256: 2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4
  SHA512: 9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670
- memory/2408-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2408-1-0x0000000072D8D000-0x0000000072D98000-memory.dmp
  Filesize: 44KB
- memory/2408-11-0x00000000002F0000-0x00000000003F0000-memory.dmp
  Filesize: 1024KB
- memory/2408-10-0x00000000002F0000-0x00000000003F0000-memory.dmp
  Filesize: 1024KB
- memory/2408-13-0x00000000002F0000-0x00000000003F0000-memory.dmp
  Filesize: 1024KB
- memory/2408-9-0x00000000002F0000-0x00000000003F0000-memory.dmp
  Filesize: 1024KB
- memory/2408-16-0x00000000002F0000-0x00000000003F0000-memory.dmp
  Filesize: 1024KB
- memory/2408-19-0x0000000072D8D000-0x0000000072D98000-memory.dmp
  Filesize: 44KB