e852f60c24ea989debb25b3e91efe34be20e8dd028f4e97e3d748858325a67a8 | Triage

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7
submitted
08-07-2020 15:18

Sharing

Report Analysis Logs

General

Target

SecuriteInfo.com.Exploit.Siggen2.6573.751.23101.xls
Size

175KB
MD5

a7b9c762977f2a46e6adcca014df82c4
SHA1

f53b019c9574ab05637ceb632cd38905d37fe9ef
SHA256

e852f60c24ea989debb25b3e91efe34be20e8dd028f4e97e3d748858325a67a8
SHA512

c23028f2929643f3236badb06be82df0a01236178705692b8134ae26a949af1d6aa0e1a1a427112ac59d6d2af550cb3c38bbd54c974f218d50f36523e4460428

Score

10^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1044 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1044 EXCEL.EXE
1044 EXCEL.EXE
1044 EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1324	1044	explorer.exe	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEexplorer.exe

description	pid	process	target process
PID 1044 wrote to memory of 1324	1044	EXCEL.EXE	explorer.exe
PID 1044 wrote to memory of 1324	1044	EXCEL.EXE	explorer.exe
PID 1044 wrote to memory of 1324	1044	EXCEL.EXE	explorer.exe
PID 316 wrote to memory of 684	316	explorer.exe	WScript.exe
PID 316 wrote to memory of 684	316	explorer.exe	WScript.exe
PID 316 wrote to memory of 684	316	explorer.exe	WScript.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.6573.751.23101.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\explorer.exe
explorer.exe C:\Users\Public\rIDrzkO0.vbs
2⤵
- Process spawned unexpected child process
PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\rIDrzkO0.vbs"
2⤵
PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\PWN0ExMS.txt

Download Submit
C:\Users\Public\rIDrzkO0.vbs

Download Submit
memory/684-2-0x0000000000000000-mapping.dmp

Download
memory/684-3-0x00000000025F0000-0x00000000025F4000-memory.dmp

Filesize
16KB

Download
memory/1044-5-0x0000000004300000-0x0000000004308000-memory.dmp

Filesize
32KB

Download
memory/1324-0-0x0000000000000000-mapping.dmp

Download