Windows Analysis Report Amendment.-0428767170_20210922.xlsb

Overview

General Information

Sample Name:Amendment.-0428767170_20210922.xlsb
Analysis ID:488098
MD5:19989ff08d6e0accb9d233f5477bb216
SHA1:a7b9f2c08fceca215ab866f59269d416bc8f8f09
SHA256:91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55
Tags:22201 Dridex xlsb xlsx
Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Execute DLL with spoofed extension
Creates and opens a fake document (probably a fake document to hide exploiting)
Sigma detected: Suspicious WMI Execution Using Rundll32
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Contains functionality to create processes via WMI
Queries the volume information (name, serial number etc) of a device
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1664 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 2580 cmdline: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf' MD5: FD902835DEAEF4091799287736F3A028)