1a3daf5c6ce3e087b1d045d3e71c7b5d17925aca619599ebbf05a1eeffeca449

Analysis

max time kernel
144s
max time network
21s
platform
windows7_x64
resource
win7v200430
submitted
08/07/2020, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

142158431.xlsx
Size

15KB
MD5

4a25d5697b2d77276167b50fd938f260
SHA1

2e1b25524e18dfb45fbdd8741817c98cded11d0f
SHA256

1a3daf5c6ce3e087b1d045d3e71c7b5d17925aca619599ebbf05a1eeffeca449
SHA512

2fe49f72bf868a415f808f5ce60ca3f8e6265d9dbd493e5c1440e53956a8085ede78d46ad3a129d923677f4538c1290033a2bb075f148285921f7ae2978e06ca

Score

8^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
904	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
904	EXCEL.EXE
904	EXCEL.EXE
904	EXCEL.EXE

Blacklisted process makes network request 1 IoCs

flow	pid	Process
4	1500	EQNEDT32.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1500	EQNEDT32.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\142158431.xlsx
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:904

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blacklisted process makes network request
- Launches Equation Editor
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads