7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c

General

Target

7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c.bin.xls
Size

2.6MB
MD5

5e88543265f45782ccd0d313d1f9fdc0
SHA1

1006e031aaea7bd841141574fdefb49b051b12b2
SHA256

7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c
SHA512

96a456e52578203f244a07c51af3f1d0dbb3beeaa202896710b4b976d99c87501e447130f23faeb6b1ee11dbdb98affdefa2b66b1e64f0cfbf71f506a67b28bb

Score

10^/10

Malware Config

Signatures

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1860	EQNEDT32.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1152	EXCEL.EXE

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1152	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	27
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	27
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	27
PID 1860 wrote to memory of 1656	1860	EQNEDT32.EXE	27
PID 1656 wrote to memory of 1548	1656	cmd.exe	29
PID 1656 wrote to memory of 1548	1656	cmd.exe	29
PID 1656 wrote to memory of 1548	1656	cmd.exe	29
PID 1656 wrote to memory of 1548	1656	cmd.exe	29
PID 1152 wrote to memory of 2024	1152	EXCEL.EXE	30
PID 1152 wrote to memory of 2024	1152	EXCEL.EXE	30
PID 1152 wrote to memory of 2024	1152	EXCEL.EXE	30
PID 1548 wrote to memory of 1180	1548	cscript.exe	32
PID 1548 wrote to memory of 1180	1548	cscript.exe	32
PID 1548 wrote to memory of 1180	1548	cscript.exe	32
PID 1548 wrote to memory of 1180	1548	cscript.exe	32
PID 1180 wrote to memory of 1640	1180	cmd.exe	34
PID 1180 wrote to memory of 1640	1180	cmd.exe	34
PID 1180 wrote to memory of 1640	1180	cmd.exe	34
PID 1180 wrote to memory of 1640	1180	cmd.exe	34

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2024	1152	wscript.exe	23

Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7198265049b9ae07283726cd4a15a92421eed0ae8ce943971c5e6b7626913e5c.bin.xls
1⤵
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\programdata\asc.txt:script1.vbs
  2⤵
  - Process spawned unexpected child process
  PID:2024

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren %tmp%\yy r.js&cScRiPT %tmp%\r.js C
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\cscript.exe
    cScRiPT C:\Users\Admin\AppData\Local\Temp\r.js C
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
        5⤵
        
        PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-1-0x0000000003040000-0x0000000003140000-memory.dmp

Filesize
1024KB

Download
memory/1548-10-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/1640-12-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing