1615c46ae8e9b2f243ed4e124edffeea4cd452fd5a2ad92b496260e1c963ae86

Analysis

Target

fax_3123.xls
Size

144KB
MD5

ae6cec0d6053f9dc4f6f93a5615001fc
SHA1

34639c2f8d2933f7cef1a99b5f3d8996d718e941
SHA256

1615c46ae8e9b2f243ed4e124edffeea4cd452fd5a2ad92b496260e1c963ae86
SHA512

a83dd1e7b04f7f6d0528982200a31b21dd78cfff0a143d189be2aa0044f41d0e1d75ce4ef9ca2b6442ebbd407a9571be005ebc8518d391dfc2963227028007a4

Score

10^/10

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1768	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1860	1768	explorer.exe	23

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1860	1768	EXCEL.EXE	24
PID 1768 wrote to memory of 1860	1768	EXCEL.EXE	24
PID 1768 wrote to memory of 1860	1768	EXCEL.EXE	24
PID 1900 wrote to memory of 1940	1900	explorer.exe	26
PID 1900 wrote to memory of 1940	1900	explorer.exe	26
PID 1900 wrote to memory of 1940	1900	explorer.exe	26

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fax_3123.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Local\Temp\mR6pEukb.vbs
  2⤵
  - Process spawned unexpected child process
  PID:1860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mR6pEukb.vbs"
  2⤵
  PID:1940

memory/1768-5-0x00000000047D0000-0x00000000047D8000-memory.dmp

Filesize
32KB

Download
memory/1940-3-0x00000000024B0000-0x00000000024B4000-memory.dmp

Filesize
16KB

Download