Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 20:00
Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
- Size: 303KB
- MD5: 50d833a21db581f09239c26b5723376b
- SHA1: d11f201a327d253cc68836e39ca73ece51f2767b
- SHA256: 6e650a4383b6094da81c5d909ea099d520b969348e7189d6b04b6cb5dffdf754
- SHA512: 9f9be8e4688ae30360b5bcf50fc1307a569cc1cfdea443708c7a795b8bd4285a3c989ed7f2d773aef7647680f22f0f4e41fb346c552bb084dab2f0801e1885c7
- Score: 10/10
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (12 IoCs)
  12 identical entries: pid 2536, Process EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2536, Process EXCEL.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 1760; pid_target: 2536; Process: rundll32.exe; procid_target: 67
- Suspicious use of WriteProcessMemory (2 IoCs)
  2 identical entries: description "PID 2536 wrote to memory of 1760"; pid 2536; Process EXCEL.EXE; procid_target 75
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Enumerates connected drives (3 TTPs)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2536)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.17436.xls"
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Child: C:\Windows\System32\rundll32.exe (PID 1760)
    Command line: "C:\Windows\System32\rundll32.exe" C:\WbMFNqE\DTXZRqG\fytiOXY.dll,DllRegisterServer
    - Process spawned unexpected child process