Analysis
-
max time kernel
62s -
max time network
56s -
platform
windows7_x64 -
resource
win7 -
submitted
08-07-2020 09:24
Static task
static1
Behavioral task
behavioral1
Sample
AWB_ 4198742133.xlsx
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
AWB_ 4198742133.xlsx
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
AWB_ 4198742133.xlsx
-
Size
14KB
-
MD5
35a26b8047b94c8b05c5c1470768afba
-
SHA1
668a171e193819b25f0d2837713510ae4bff5492
-
SHA256
f1bdedec6c33982685fb295d2cce69040a63b2dfcd6ec3e003d23d8077723c06
-
SHA512
bcc4ba89faafa96ed5e908512a57655bfabdb8471e3953d4f7bbc107026869109b6cc090fd8befac5e18ebd9c7c6f8093570ff33153f4910964a08803f2cc0e9
Score
8/10
Malware Config
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1100 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1100 EXCEL.EXE 1100 EXCEL.EXE 1100 EXCEL.EXE -
Blacklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 1412 EQNEDT32.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\AWB_ 4198742133.xlsx"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1100
-
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blacklisted process makes network request
- Launches Equation Editor
PID:1412