Windows
Analysis Report
zJ2b57acTF.xlsx
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- EXCEL.EXE (PID: 1292, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
- cleanup
Rule | Description | Author
---|---|---
SUSP_PS1_Msdt_Execution_May22 | Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation | Nasreddine Bencherchali, Christian Burkard
EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 | Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation | Tobias Michalski, Christian Burkard
JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
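The two Follina rules in the table key on the ms-msdt: URI carried inside the document. The following Python script is an added example, not part of this report and not the YARA rules it lists: it performs the same triage statically on an OOXML package (the sample is a ZIP container whose preview starts with the PK signature and the _rels/.rels part). It walks every relationship part, flags external relationships whose target is an ms-msdt: URI or a remote HTTP(S)/FTP resource, and searches the remaining parts for the raw ms-msdt: string. The package it scans is constructed in memory; the part names, relationship IDs, hostnames and parameter values in it are hypothetical and are not taken from the analysed sample.

```python
"""Static Follina (CVE-2022-30190) triage for OOXML packages (xlsx/docx/pptx).

Added example; not part of the sandbox report or its YARA rules.
Usage: python follina_ooxml_scan.py <file.xlsx>   (no argument: scans a constructed sample)
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
MAX_PART_BYTES = 16 * 1024 * 1024  # zip-bomb guard: never inflate a part larger than this


def _scan_rels(name: str, blob: bytes) -> list:
    """Inspect one *.rels part and return (part, indicator, target) tuples."""
    out = []
    try:
        root = ET.fromstring(blob)
    except ET.ParseError:
        return [(name, "unparseable-rels", "")]
    for rel in root.iter(REL_TAG):
        target = rel.get("Target", "")
        mode = rel.get("TargetMode", "Internal")
        rtype = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. oleObject, hyperlink
        if target.lower().startswith("ms-msdt:"):
            out.append((name, "ms-msdt-uri", target))
        elif mode == "External" and REMOTE_RE.match(target):
            out.append((name, "external-" + rtype, target))
    return out


def scan_ooxml(data: bytes) -> list:
    """Return every indicator found in an OOXML blob as (part, indicator, target)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "oversized-part", str(info.file_size)))
                continue
            blob = zf.read(info.filename)
            if info.filename.endswith(".rels"):
                findings.extend(_scan_rels(info.filename, blob))
            elif MSDT_RE.search(blob):
                # ms-msdt: outside a relationship part (sheet XML, embedded object, ...)
                findings.append((info.filename, "ms-msdt-string", ""))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Verdict: ms-msdt anywhere, or a remote oleObject. Remote hyperlinks alone are common in benign files."""
    return any(kind in ("ms-msdt-uri", "ms-msdt-string", "external-oleObject")
               for _, kind, _ in scan_ooxml(data))


def build_sample_package(include_indicators: bool = True) -> bytes:
    """Constructed OOXML skeleton for the example (hypothetical names and URLs, not the analysed sample)."""
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>'
        '</Relationships>'
    )
    sheet_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/drawing" Target="../drawings/drawing1.xml"/>'
    )
    if include_indicators:
        sheet_rels += (
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/payload.html" TargetMode="External"/>'
            '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="ms-msdt:/id PCWDiagnostic /skip force /param IT_RebrowseForFile=example" TargetMode="External"/>'
        )
    sheet_rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
    return buf.getvalue()


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_package()
    for part, kind, target in scan_ooxml(blob):
        print(f"{kind:20} {part}  {target}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(blob) else "clean")
```

The verdict deliberately ignores external hyperlinks: benign workbooks link to web pages all the time, whereas an oleObject fetched from a remote host or any ms-msdt: target has no legitimate use in a spreadsheet. Run it on the real sample, not on the built-in package, to reproduce the YARA hit.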
AV Detection
- Source: Metadefender
- Source: ReversingLabs
Exploits
- File source
- File opened
- Matched rule (2)
- File read
Other behaviour evidence referenced by signatures: Metadefender, ReversingLabs, file created (2), classification label, key opened, file opened, process information set (3)
ATT&CK techniques observed (only entries with a non-zero count in the full matrix)
Tactic | Technique | Count
---|---|---
Defense Evasion | Masquerading | 1
Discovery | File and Directory Discovery | 1
Discovery | System Information Discovery | 1
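The SUSP_PS1_Msdt_Execution_May22 signature listed above is about how msdt.exe gets called rather than about the document itself. The following Python script is an added example, not part of this report and not Joe Sandbox or Sigma/YARA code: it applies the process-chain logic a SOC would use for CVE-2022-30190 to process-creation events with Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine). The four events are constructed; the first reuses the EXCEL.EXE command line from this report, the others (Word spawning msdt.exe, a user launching the compatibility troubleshooter, sdiagnhost.exe spawning PowerShell) are illustrative and their paths and parameter values are hypothetical.

```python
"""Process-chain detection for Follina (CVE-2022-30190).

Added example; not part of the sandbox report or any published rule set.
Events are dicts with Image / ParentImage / CommandLine (Sysmon Event ID 1 shape).
"""
import re

# Office applications that have no legitimate reason to launch the diagnostics tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "visio.exe"}
# Interpreters the scripted-diagnostics host (sdiagnhost.exe) should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
MSDT_URI_RE = re.compile(r"ms-msdt:", re.IGNORECASE)
PCW_RE = re.compile(r"\bPCWDiagnostic\b", re.IGNORECASE)
BROWSE_RE = re.compile(r"IT_(Re)?BrowseForFile=", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means no rule fired."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        reasons.append("msdt.exe spawned by an Office application")
    if MSDT_URI_RE.search(cmd):
        reasons.append("ms-msdt: protocol URI in command line")
    if PCW_RE.search(cmd) and BROWSE_RE.search(cmd):
        # The troubleshooter alone is benign; the file-browse parameter is the injection point.
        reasons.append("PCWDiagnostic with IT_BrowseForFile/IT_RebrowseForFile parameter")
    if image in SHELLS and parent == "sdiagnhost.exe":
        reasons.append("script interpreter spawned by sdiagnhost.exe")
    return reasons


def triage(events: list) -> list:
    """Return (index, reasons) for every event that fires at least one rule."""
    alerts = []
    for i, event in enumerate(events):
        reasons = evaluate(event)
        if reasons:
            alerts.append((i, reasons))
    return alerts


# Constructed events for the example (hypothetical paths and parameter values).
SAMPLE_EVENTS = [
    {   # EXCEL.EXE launch as recorded in this report; benign on its own.
        "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding',
    },
    {   # Follina-style chain: Word launching msdt.exe with the protocol URI.
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=example"',
    },
    {   # A user opening the Program Compatibility troubleshooter from the shell: benign.
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\msdt.exe" -id PCWDiagnostic',
    },
    {   # Second stage: the troubleshooter host spawning PowerShell (payload is a placeholder).
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -c calc.exe",
    },
]


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The third event is the false positive to keep in mind: msdt.exe with PCWDiagnostic is what a user gets by starting the compatibility troubleshooter, so the rule requires the IT_BrowseForFile/IT_RebrowseForFile parameter or an Office parent before it fires. In this sandbox run the process list records only EXCEL.EXE before the timeout, so none of these chains was observed; the rules are what you would deploy on endpoint telemetry to catch the stage the sandbox did not reach.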
Detection | Scanner | Label
---|---|---
23% | Metadefender | (no label reported)
41% | ReversingLabs | Script-JS.Exploit.CVE-2022-30190
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 659479 |
Start date and time: | 2022-07-08 08:34:09 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 3m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | zJ2b57acTF.xlsx |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | none listed |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.expl.winXLSX@1/1@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | none listed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- VT rate limit hit for: zJ2b57acTF.xlsx
Note that the run ended on timeout with only EXCEL.EXE recorded in the process tree and no msdt.exe child, so the Follina verdict rests on the static YARA matches and the multi-scanner results rather than on observed exploitation.
Dropped File
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | not reported |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: | not reported |
Sample File
File type: | ZIP-based OOXML package (the content preview starts with the PK signature and the _rels/.rels part) |
Entropy (8bit): | 7.2242451103796474 |
TrID: | not reported |
File name: | zJ2b57acTF.xlsx |
File size: | 13955 |
MD5: | b8a6fb2af1f22213fc469b3fc7d65382 |
SHA1: | bc2d6b81ef00a56dc2fd13fc9a4c90a08d1a5068 |
SHA256: | 6d4e5e60b4f6cbc8a6e14343b59c406fe5c7f948aded16d23a0f6ed6984907c2 |
SHA512: | 3830c5a98c28dae095bd2f44bfa29e27a856f92d3fb5d71bc2170f9d2995d9eb011cea50f84c6487e63f574ae872dd49d6ef0d8b13200c08029b5604393d4c04 |
SSDEEP: | 192:44wboitZCnzIb3UuwVemtGa4cV2s7SlUcwNClk0UNaO8Ibwiu4W8+j4sjt/siAe:44p3zI38jV2s7SluQoPKGW8q4sjFsiAe |
TLSH: | 39528E1AC127A03DF273807AC20929E6DD9D22079135A40FB0A0B6CD68D2BDB579F75F |
File Content Preview: | PK........e..T..7HL...5......._rels/.rels.._k.0.........}..6...n.....Z....."..Zd.H7K..w.......OC...............'.h...^...8..qE..F../.E.NK...|......wx.V"..KSGF..s^"..BDUB%c.kp.3...H.P.Z..,@...~..%...0...y..}.F..6a...(8.jV..5G.X 8..W.z?..Hx....k.nh9.Y....X. |
Icon Hash: | e4e2aa8aa4b4bcb4 |
Started Process
Target ID: | 0 |
Start time: | 08:35:15 |
Start date: | 08/07/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Imagebase: | 0x13fbc0000 |
File size: | 28253536 bytes |
MD5 hash: | D53B85E21886D2AF9815C377537BCAC3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |