Source: drawing1.xml.rels
Extracted files from sample: file:///\\170.130.55.130\share\a\report-26-2024.vbs..........
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif
Source: Screenshot number: 4
Screenshot OCR: Enable Editing'. a 14 I 15 16 17 Open 18 19 20 21 22 23 24 Stay in the groove wIth .Micro
Source: Document image extraction number: 0
Screenshot OCR: Enable Editing'. Stay in the groove with Microsoft Office Excel integration with Microsoft Azure C
Source: Document image extraction number: 2
Screenshot OCR: Enable Editing'. Open Stay in the groove wIth Microsoft Office Excel integrauon with Microsoft Az
Source: C:\Windows\SysWOW64\explorer.exe
Memory allocated: 770B0000 page execute and read and write
Source: CCE0.tmp.0.dr
OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: duser.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe
Section loaded: rpcrtremote.dll
Source: C:\Windows\explorer.exe
Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe
Section loaded: duser.dll
Source: C:\Windows\explorer.exe
Section loaded: dui70.dll
Source: C:\Windows\explorer.exe
Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe
Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe
Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe
Section loaded: slc.dll
Source: C:\Windows\explorer.exe
Section loaded: secur32.dll
Source: C:\Windows\explorer.exe
Section loaded: propsys.dll
Source: C:\Windows\explorer.exe
Section loaded: winsta.dll
Source: C:\Windows\explorer.exe
Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe
Section loaded: rpcrtremote.dll
Source: C:\Windows\explorer.exe
Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe
Section loaded: mpr.dll
Source: C:\Windows\explorer.exe
Section loaded: davhlpr.dll
Source: C:\Windows\explorer.exe
Section loaded: version.dll
Source: C:\Windows\explorer.exe
Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe
Section loaded: msisip.dll
Source: classification engine
Classification label: mal64.troj.spyw.expl.winXLSX@3/6@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File created: C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File created: C:\Users\user\AppData\Local\Temp\CVR6DA0.tmp
Source: re-march-26-2024-9856.xlsx
OLE indicator, Workbook stream: true
Source: unknown
Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
Source: unknown
Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown
Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\explorer.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown
Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
Source: unknown
Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\SysWOW64\explorer.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32
Source: Window Recorder
Window detected: More than 3 window changes detected
Source: re-march-26-2024-9856.xlsx
Initial sample: OLE zip file path = xl/media/image1.gif
Source: re-march-26-2024-9856.xlsx
Initial sample: OLE zip file path = xl/media/image2.gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: re-march-26-2024-9856.xlsx
Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe TID: 2428
Thread sleep time: -120000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2836
Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match
File source: drawing1.xml.rels, type: SAMPLE
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share\a
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share
Source: C:\Windows\SysWOW64\explorer.exe
File opened: \\170.130.55.130\share
Source: C:\Windows\explorer.exe
File opened: \\170.130.55.130\share\a\Report-26-2024.vbs
Source: C:\Windows\explorer.exe
File opened: \\170.130.55.130\share\a\Report-26-2024.vbs
Source: C:\Windows\explorer.exe
File opened: \\170.130.55.130\share\