Analysis
max time kernel: 30s
max time network: 144s
platform: windows10_x64
resource: win10
submitted: 08-07-2020 16:57
Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Script.Generic.24937.xls
Resource: win7v200430 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Trojan.Script.Generic.24937.xls
Resource: win10 (windows10_x64)
0 signatures
0 seconds
General
Target: SecuriteInfo.com.Trojan.Script.Generic.24937.xls
Size: 919KB
MD5: 885c40f48464f690f83f97efd6a0b093
SHA1: cf6f858fe15db15f3ce94a4ab1aabbdd39bad5b1
SHA256: ba47cdd310892146ad95f73ca30973eab4c3f52d9c1a1035ded2f62f87ed5fda
SHA512: 51e658161c4e2532342a8cbd72155fa76271c250066283029ff9debf3bde430c37300735734fb4ee6e3483be8d2ec474177567e26afe021f88af6c9300149461
Score: 8/10
Malware Config
Signatures

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
  pid: 3588, process: EXCEL.EXE (same entry for all 12 IoCs)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
  pid: 3588, process: EXCEL.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: EXCEL.EXE
  description: PID 3588 wrote to memory of 4036, pid: 3588, process: EXCEL.EXE, target process: XTHcSJX.exe (same entry for all 3 IoCs)

Executes dropped EXE (1 IoCs)
Processes: XTHcSJX.exe
  pid: 4036, process: XTHcSJX.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Script.Generic.24937.xls"
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID: 3588

    C:\hQQDpQm\zOuMyDc\XTHcSJX.exe
    "C:\hQQDpQm\zOuMyDc\XTHcSJX.exe"
    - Executes dropped EXE
    PID: 4036