Today our behavioural anomaly detection hit an interesting sample.
1⃣ Macro Document
2⃣ Spawning Notepad with a funny command line
3⃣ Spawning a WMIC instance
4⃣ WMIC running rundll32 with a malicious dll
But what got my attention was something else:
The behaviour of WMIC.
thread 👇🧵
I always look for interesting behaviour, and what you can notice here is: how is it possible that WMIC is creating a process? 2 possibilities: either the Macro injecting code, or #Squiblytwo
You can notice there is no Injection involved, nor the cmdline for Squiblytwo! 👇🧵
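The thread's reasoning (a child process under WMIC has to be explained either by WMIC's own command line, as in Squiblytwo, or by something else such as injected code) can be turned into a simple triage check over process-creation telemetry. The following is an added example written for this page, not code from the thread's author; it assumes a simplified event shape (pid, parent pid, image, command line, roughly what Sysmon event 1 or EDR telemetry carries) and uses constructed sample events that mirror the chain described above (Word document, Notepad, WMIC, rundll32). The `/format:` plus `.xsl` pattern is the documented Squiblytwo / XSL Script Processing indicator; everything else is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """One process-creation event (simplified Sysmon event 1 / EDR shape; assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Squiblytwo (XSL Script Processing) drives WMIC with /format: pointing at an .xsl file;
# if that is absent from WMIC's command line, the child process is not explained by it.
XSL_FORMAT_RE = re.compile(r"/format\s*:\s*\"?[^\s\"]+\.xsl", re.IGNORECASE)

def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Return the ancestry of pid as lower-cased image names, child first."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def classify_wmic_children(events: List[ProcEvent]) -> List[dict]:
    """Find every process spawned by wmic.exe and say whether WMIC's cmdline explains it."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != "wmic.exe":
            continue
        chain = ancestry(events, e.pid)
        # "unexplained" means: no Squiblytwo-style cmdline, so look for injection into WMIC.
        how = "squiblytwo" if XSL_FORMAT_RE.search(parent.cmdline) else "unexplained"
        findings.append({
            "child": e.image.lower(),
            "lolbin_child": e.image.lower() in LOLBIN_CHILDREN,
            "office_rooted": any(img in OFFICE_APPS for img in chain),
            "how": how,
            "chain": chain,
        })
    return findings

# Constructed sample mirroring the thread: Word -> Notepad -> WMIC (bare cmdline) -> rundll32.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "WINWORD.EXE", '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.docm'),
    ProcEvent(200, 100, "notepad.exe", "notepad.exe"),
    ProcEvent(300, 200, "WMIC.exe", "wmic.exe"),
    ProcEvent(400, 300, "rundll32.exe", "rundll32.exe C:\\Users\\Public\\constructed.dll,EntryPoint"),
]

# Constructed contrast case: same child, but here WMIC's own command line does explain it.
SQUIBLYTWO_EVENTS = [
    ProcEvent(100, 1, "WINWORD.EXE", "WINWORD.EXE"),
    ProcEvent(300, 100, "wmic.exe", 'wmic.exe os get /format:"C:\\Users\\Public\\constructed.xsl"'),
    ProcEvent(400, 300, "rundll32.exe", "rundll32.exe"),
]

if __name__ == "__main__":
    for finding in classify_wmic_children(SAMPLE_EVENTS) + classify_wmic_children(SQUIBLYTWO_EVENTS):
        print(finding)
```

For the thread's chain the check returns `how == "unexplained"` with an Office-rooted ancestry, which is exactly the case that needs a closer look at WMIC's memory rather than its command line; for the contrast case it returns `"squiblytwo"`. In a real pipeline the events would come from your telemetry source instead of the constructed lists.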