e852f60c24ea989debb25b3e91efe34be20e8dd028f4e97e3d748858325a67a8

Analysis

Target

SecuriteInfo.com.Exploit.Siggen2.6573.751.23101.xls
Size

175KB
MD5

a7b9c762977f2a46e6adcca014df82c4
SHA1

f53b019c9574ab05637ceb632cd38905d37fe9ef
SHA256

e852f60c24ea989debb25b3e91efe34be20e8dd028f4e97e3d748858325a67a8
SHA512

c23028f2929643f3236badb06be82df0a01236178705692b8134ae26a949af1d6aa0e1a1a427112ac59d6d2af550cb3c38bbd54c974f218d50f36523e4460428

Score

10^/10

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1044	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1324	1044	explorer.exe	23

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1324	1044	EXCEL.EXE	24
PID 1044 wrote to memory of 1324	1044	EXCEL.EXE	24
PID 1044 wrote to memory of 1324	1044	EXCEL.EXE	24
PID 316 wrote to memory of 684	316	explorer.exe	26
PID 316 wrote to memory of 684	316	explorer.exe	26
PID 316 wrote to memory of 684	316	explorer.exe	26

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.6573.751.23101.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Public\rIDrzkO0.vbs
  2⤵
  - Process spawned unexpected child process
  PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\rIDrzkO0.vbs"
  2⤵
  PID:684

memory/684-3-0x00000000025F0000-0x00000000025F4000-memory.dmp

Filesize
16KB

Download
memory/1044-5-0x0000000004300000-0x0000000004308000-memory.dmp

Filesize
32KB

Download