Analysis
max time kernel: 130s
max time network: 23s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 06:30
Static task: static1
Behavioral task: behavioral1
  Sample: notifica_0807_4059.xls
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: notifica_0807_4059.xls
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: notifica_0807_4059.xls
Size: 149KB
MD5: 0658e5427d77225baff4f141546fe42b
SHA1: 010d7629298c8185d9722156638c3fb325c5aa95
SHA256: 00eb5cd0eabd4fd5d9f9ba99581cd5bd15b9fcbba647134b9a5c77370bbfdf99
SHA512: c47dcdff7ebfd1b0d68a8852e36d6b6d643f4692fb139e8d1aa1511239b4ac311d714014350bce83d441dd7bbe0bfe7017248b8520d8edf02e64127716241305
Score: 10/10
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  376   EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid   process
  376   EXCEL.EXE
  376   EXCEL.EXE
  376   EXCEL.EXE

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                          pid   pid_target  process       target process
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process    1512  376         explorer.exe  EXCEL.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                         pid   process       target process
  PID 376 wrote to memory of 1512     376   EXCEL.EXE     explorer.exe
  PID 376 wrote to memory of 1512     376   EXCEL.EXE     explorer.exe
  PID 376 wrote to memory of 1512     376   EXCEL.EXE     explorer.exe
  PID 1368 wrote to memory of 1800    1368  explorer.exe  WScript.exe
  PID 1368 wrote to memory of 1800    1368  explorer.exe  WScript.exe
  PID 1368 wrote to memory of 1800    1368  explorer.exe  WScript.exe
Processes (indentation shows the parent/child tree)

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\notifica_0807_4059.xls
  PID: 376
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\explorer.exe
      Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\Jc6Po8cW.vbs
      PID: 1512
      - Process spawned unexpected child process

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1368
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jc6Po8cW.vbs"
      PID: 1800
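The process tree above shows why a parent-only rule is not enough for this sample: Excel (376) spawns explorer.exe (1512) with the dropped .vbs as its argument, but the script is actually executed by WScript.exe (1800) under a second, COM-started explorer.exe instance (1368), so WScript.exe's direct parent is never an Office process. The detection below, an added example that is not part of the sandbox report, reproduces the report's "Process spawned unexpected child process" signature and then correlates script-host launches back to their Office origin by script path across that hand-off. The event records are constructed from the report's process tree; the record schema (pid, ppid, image, cmdline), the ppid value 0 for parents the report does not show, and the allowlists are assumptions of the example, not a particular EDR or Sysmon format.

```python
"""Process-chain detection for the Office -> explorer.exe -> WScript.exe pattern.

Added example for this report, not output of the sandbox. The event records
below are constructed from the report's process tree (PIDs 376, 1512, 1368,
1800); the record schema (pid, ppid, image, cmdline), ppid=0 for parents the
report does not show, and the allowlists are assumptions of this example.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of children Office starts legitimately (print helper).
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Quoted Windows path (may contain spaces) or a bare one without spaces.
_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not recorded in the report
    image: str
    cmdline: str


# Constructed from the report's process tree; list order is launch order.
EVENTS = [
    ProcEvent(376, 0, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r"C:\Users\Admin\AppData\Local\Temp\notifica_0807_4059.xls"),
    ProcEvent(1512, 376, r"C:\Windows\explorer.exe",
              r"explorer.exe C:\Users\Admin\AppData\Local\Temp\Jc6Po8cW.vbs"),
    ProcEvent(1368, 0, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(1800, 1368, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jc6Po8cW.vbs"'),
]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def script_paths(cmdline: str) -> list:
    """Windows paths in a command line (quoted or bare) that end in a script extension."""
    paths = [quoted or bare for quoted, bare in _PATH_RE.findall(cmdline)]
    return [p for p in paths if p.lower().endswith(SCRIPT_EXTS)]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def office_unexpected_children(events) -> list:
    """Equivalent of the report's 'Process spawned unexpected child process' signature."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) not in OFFICE_IMAGES:
            continue
        if _base(e.image) not in EXPECTED_OFFICE_CHILDREN:
            hits.append((parent.pid, e.pid, _base(e.image)))
    return hits


def trace_script_execution(events) -> list:
    """Tie each script-host launch back to the process that first named the script.

    WScript.exe (1800) is a child of the COM-started explorer.exe (1368), not of
    the explorer.exe (1512) that Excel spawned, so a parent-only rule on
    WScript.exe never sees Excel. Correlating on the script path recovers the
    Office origin across that hand-off.
    """
    by_pid = {e.pid: e for e in events}
    first_ref = {}                       # script path (lowercase) -> first pid naming it
    for e in events:
        for p in script_paths(e.cmdline):
            first_ref.setdefault(p.lower(), e.pid)
    chains = []
    for e in events:
        if _base(e.image) not in SCRIPT_HOSTS:
            continue
        for p in script_paths(e.cmdline):
            origin = by_pid.get(first_ref[p.lower()])
            if origin is None or origin.pid == e.pid:
                continue                 # script first seen in the host itself: no hand-off
            root = by_pid.get(origin.ppid)
            chains.append({
                "script": p,
                "host_pid": e.pid,
                "host_parent": _base(by_pid[e.ppid].image) if e.ppid in by_pid else None,
                "first_referenced_by": origin.pid,
                "office_origin": root.pid if root and _base(root.image) in OFFICE_IMAGES else None,
                "user_writable": in_user_writable(p),
            })
    return chains


if __name__ == "__main__":
    for hit in office_unexpected_children(EVENTS):
        print("office child:", hit)
    for chain in trace_script_execution(EVENTS):
        print("script chain:", chain)
```

Run against the constructed events, the first rule fires once (Excel 376 spawning explorer.exe 1512), and the correlation step yields a single chain for Jc6Po8cW.vbs: hosted by WScript.exe 1800 under explorer.exe, first referenced by 1512, with Office origin 376 and the script in a user-writable Temp path. On real telemetry the same two facts (an Office parent anywhere in the chain, a script in a user-writable directory) are what justify the report's 10/10 verdict, and the path correlation is what keeps the explorer.exe hand-off from hiding the Office parent.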