9a63be97d600c50abdddc22afd998e25ddac5030bcc4846b97cf7e1932eae7b8

Analysis

Target

INV100720.xlsm
Size

399KB
MD5

97d1bf3b13839cb70157bbebc2ab1f8c
SHA1

b12d4e4b14d3b443e1abb9b6a5a9b6b74de2686a
SHA256

9a63be97d600c50abdddc22afd998e25ddac5030bcc4846b97cf7e1932eae7b8
SHA512

1bf7e0619db7bbf6bdf4a67608f5d74144ee114c769554e15af72bbd027d792f0e68cf36ea4839b6d37bafab14f73a240ef9d5381f83726a147e51a62e533bb0

Score

10^/10

Language

ps1

Source

URLs

exe.dropper

http://comawhimplet.com/nccd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1804	1612	EXCEL.EXE	24
PID 1612 wrote to memory of 1804	1612	EXCEL.EXE	24
PID 1612 wrote to memory of 1804	1612	EXCEL.EXE	24

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	powershell.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
5	1804	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1804	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1612	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1804	1612	powershell.exe	23

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	powershell.exe

memory/1612-1-0x0000000007320000-0x0000000007420000-memory.dmp

Filesize
1024KB

Download
memory/1612-3-0x0000000007320000-0x0000000007420000-memory.dmp

Filesize
1024KB

Download
memory/1612-4-0x0000000007320000-0x0000000007420000-memory.dmp

Filesize
1024KB

Download
memory/1612-5-0x0000000007320000-0x0000000007420000-memory.dmp

Filesize
1024KB

Download