19a1f6546cece68543aac388416cdf867ef8aee9061a6ed902d45ce49715a69c

Analysis

Target

reminder_1687164.xls
Size

367KB
MD5

6b1a1c7461aaf71e3857232a4412e4fc
SHA1

51c02cffabb7d7bf7fbc99b2d6d15a91a1eea1dd
SHA256

19a1f6546cece68543aac388416cdf867ef8aee9061a6ed902d45ce49715a69c
SHA512

caf685429d4d4744abdc4acfab5d9bb6072326087079ae2da227e637a86fb02f537495826740263b3bf21ecf436625e400f66c91eec30c43dec02826d0a06618

Score

10^/10

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1068	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1084	1068	rundll32.exe	23

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1084	1068	EXCEL.EXE	26
PID 1068 wrote to memory of 1084	1068	EXCEL.EXE	26
PID 1068 wrote to memory of 1084	1068	EXCEL.EXE	26

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\reminder_1687164.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\oteXeJW\VlorjJX\xRLBgpq.dll,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:1084