d141bc335e621dca9cd1e3340be2987f8d6b057fe384450c4b1059c1cc98ab0d | Triage

Analysis

max time kernel
65s
max time network
6s
platform
windows7_x64
resource
win7v200430
submitted
07-07-2020 06:39

Sharing

Report Analysis Logs

General

Target

doc.789.xls
Size

143KB
MD5

ed1d2c8d4986bff5a0fb1d4e0992ff33
SHA1

a63f84b1049b338816d4a1d5c8479ff9c05364f3
SHA256

d141bc335e621dca9cd1e3340be2987f8d6b057fe384450c4b1059c1cc98ab0d
SHA512

40e7856982c9603658a1cab7a30e0e15f3474029a263df76bdf96247dbfa61860fbfc6851f4fa8b842a4e6ed21fc6f0cc50a21f876f4a810d6b3ebd97daf5bbd

Score

10^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEexplorer.exe

description	pid	process	target process
PID 1068 wrote to memory of 1552	1068	EXCEL.EXE	explorer.exe
PID 1068 wrote to memory of 1552	1068	EXCEL.EXE	explorer.exe
PID 1068 wrote to memory of 1552	1068	EXCEL.EXE	explorer.exe
PID 596 wrote to memory of 932	596	explorer.exe	WScript.exe
PID 596 wrote to memory of 932	596	explorer.exe	WScript.exe
PID 596 wrote to memory of 932	596	explorer.exe	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1552	1068	explorer.exe	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc.789.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\explorer.exe
explorer.exe C:\Users\Public\wOY.vbs
2⤵
- Process spawned unexpected child process
PID:1552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\wOY.vbs"
2⤵
PID:932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Qk5FfLQm.txt

Download Submit
C:\Users\Public\wOY.vbs

Download Submit
memory/932-2-0x0000000000000000-mapping.dmp

Download
memory/932-3-0x0000000002620000-0x0000000002624000-memory.dmp

Filesize
16KB

Download
memory/1068-5-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/1552-0-0x0000000000000000-mapping.dmp

Download