Windows Analysis Report Amendment.-0428767170_20210922.xlsb
Overview
General Information
Detection
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Sigma detected: Execute DLL with spoofed extension
Creates and opens a fake document (probably a decoy document to hide the exploitation)
Sigma detected: Suspicious WMI Execution Using Rundll32
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Contains functionality to create processes via WMI
Queries the volume information (name, serial number, etc.) of a device
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Classification
Process Tree