7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813

General

Target

ORDERSHEETSPEC.xlsm
Size

2.7MB
MD5

7ccf88c0bbe3b29bf19d877c4596a8d4
SHA1

23f0506d857d38c3cd5354b80afc725b5f034744
SHA256

7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
SHA512

0ec8f398d9ab943e2e38a086d87d750eccc081fb73c6357319e79fe9f69e66a5566c00ce6d297d0d5fadaa5c04220dcf4d9adea1e0c1f88f335dc1c63797dfdc
SSDEEP

1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2616	2676	cscript.exe	29

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2616	cscript.exe
4	2616	cscript.exe
5	1344	cscript.exe
6	1344	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2728	EQNEDT32.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2676	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2596	2728	EQNEDT32.EXE	31
PID 2728 wrote to memory of 2596	2728	EQNEDT32.EXE	31
PID 2728 wrote to memory of 2596	2728	EQNEDT32.EXE	31
PID 2728 wrote to memory of 2596	2728	EQNEDT32.EXE	31
PID 2596 wrote to memory of 2824	2596	cMD.exe	33
PID 2596 wrote to memory of 2824	2596	cMD.exe	33
PID 2596 wrote to memory of 2824	2596	cMD.exe	33
PID 2596 wrote to memory of 2824	2596	cMD.exe	33
PID 2676 wrote to memory of 2616	2676	EXCEL.EXE	34
PID 2676 wrote to memory of 2616	2676	EXCEL.EXE	34
PID 2676 wrote to memory of 2616	2676	EXCEL.EXE	34
PID 2676 wrote to memory of 2616	2676	EXCEL.EXE	34
PID 2824 wrote to memory of 1020	2824	wscript.exe	36
PID 2824 wrote to memory of 1020	2824	wscript.exe	36
PID 2824 wrote to memory of 1020	2824	wscript.exe	36
PID 2824 wrote to memory of 1020	2824	wscript.exe	36
PID 1020 wrote to memory of 1344	1020	cmd.exe	38
PID 1020 wrote to memory of 1344	1020	cmd.exe	38
PID 1020 wrote to memory of 1344	1020	cmd.exe	38
PID 1020 wrote to memory of 1344	1020	cmd.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ORDERSHEETSPEC.xlsm
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2616

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\cMD.exe
  cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf C
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\wscript.exe
    WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\q

Filesize
15KB

MD5
ef556c44786a88cdf0f705ac03d9099a

SHA1
60bf4f1af100f94c98e3911b5f839d4a60dfc8f8

SHA256
6ce8f2114acac0ce2eed32d302a6a40185d3388caa722b0724da2aebdeabeb3c

SHA512
52fce99ab482bfccbadcd8a7738717ca6feab4e7a62f9c52872822073b4f4728f3aaa83cb55dd2818df0eb42994939d9fd48f7bce1326ba5ce5ecb5b2c625fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx

Filesize
28KB

MD5
03d7df9993352270e6a5497b895e79a8

SHA1
2544c92e55977c6f6947b231cd4c0317faecc68b

SHA256
4779756453533076aee716817d417968f4c462e1868d1a6196006eea0c9b6e1b

SHA512
c50b58a4fd06dff7e7b7904111cf00e2b7b11fff05077f9a21d649d8e5858c73c79389b08570a40b353b456de5d38167145d0e7755df9b0c3cc3077e24c7b7fe

Download Submit
C:\programdata\asc.txt:script1.vbs

Filesize
58KB

MD5
6196ce936b2131935e89615965438ed4

SHA1
5c3e5c8091139974fca038e10fc92c7f6e91a053

SHA256
2eaa9d08d7e29c99d616aaccc4728f120e1e9a14816fecab17f388665a89b6e4

SHA512
9505b721ac02dabba69a4f38258ca2b8a98c9e19bb67ba3a5b97ee0bb7a76fe168ca28979b54034249705730040df6c758ffcb35a97bdbde5e1c6c03aa7b0670

Download Submit
memory/2676-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2676-1-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download
memory/2676-12-0x0000000006850000-0x0000000006950000-memory.dmp

Filesize
1024KB

Download
memory/2676-15-0x0000000006850000-0x0000000006950000-memory.dmp

Filesize
1024KB

Download
memory/2676-19-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download

Resubmissions

Analysis

Sharing