7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c

General

Target

7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c.bin.xls
Size

2.6MB
MD5

5e88543265f45782ccd0d313d1f9fdc0
SHA1

1006e031aaea7bd841141574fdefb49b051b12b2
SHA256

7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c
SHA512

96a456e52578203f244a07c51af3f1d0dbb3beeaa202896710b4b976d99c87501e447130f23faeb6b1ee11dbdb98affdefa2b66b1e64f0cfbf71f506a67b28bb

Score

10^/10

Malware Config

Signatures

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1860 EQNEDT32.EXE
NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\programdata\asc.txt:script1.vbs EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1152 EXCEL.EXE

pid	process
1860	EQNEDT32.EXE

description	ioc	process
File created	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

EXCEL.EXE

pid	process
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

1152 EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EQNEDT32.EXEcmd.exeEXCEL.EXEcscript.execmd.exe

description	pid	process	target process
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	cmd.exe
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	cmd.exe
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	cmd.exe
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	cmd.exe
PID 1656 wrote to memory of 1548	1656	cmd.exe	cscript.exe
PID 1656 wrote to memory of 1548	1656	cmd.exe	cscript.exe
PID 1656 wrote to memory of 1548	1656	cmd.exe	cscript.exe
PID 1656 wrote to memory of 1548	1656	cmd.exe	cscript.exe
PID 1152 wrote to memory of 2024	1152	EXCEL.EXE	wscript.exe
PID 1152 wrote to memory of 2024	1152	EXCEL.EXE	wscript.exe
PID 1152 wrote to memory of 2024	1152	EXCEL.EXE	wscript.exe
PID 1548 wrote to memory of 1180	1548	cscript.exe	cmd.exe
PID 1548 wrote to memory of 1180	1548	cscript.exe	cmd.exe
PID 1548 wrote to memory of 1180	1548	cscript.exe	cmd.exe
PID 1548 wrote to memory of 1180	1548	cscript.exe	cmd.exe
PID 1180 wrote to memory of 1640	1180	cmd.exe	cscript.exe
PID 1180 wrote to memory of 1640	1180	cmd.exe	cscript.exe
PID 1180 wrote to memory of 1640	1180	cmd.exe	cscript.exe
PID 1180 wrote to memory of 1640	1180	cmd.exe	cscript.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2024	1152	wscript.exe	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c.bin.xls
1⤵
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe C:\programdata\asc.txt:script1.vbs
2⤵
- Process spawned unexpected child process
PID:2024

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ren %tmp%\yy r.js&cScRiPT %tmp%\r.js C
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cscript.exe
cScRiPT C:\Users\Admin\AppData\Local\Temp\r.js C
3⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
5⤵
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xx

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy

Download Submit
C:\programdata\asc.txt:script1.vbs

Download Submit
memory/1152-1-0x0000000003040000-0x0000000003140000-memory.dmp

Filesize
1024KB

Download
memory/1180-9-0x0000000000000000-mapping.dmp

Download
memory/1548-5-0x0000000000000000-mapping.dmp

Download
memory/1548-10-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/1640-11-0x0000000000000000-mapping.dmp

Download
memory/1640-12-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1656-0-0x0000000000000000-mapping.dmp

Download
memory/2024-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads