Source: drawing1.xml.rels | Extracted files from sample: file:///\\170.130.55.130\share\a\report-26-2024.vbs.......... |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif |
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing'. a 14 I 15 16 17 Open 18 19 20 21 22 23 24 Stay in the groove wIth .Micro |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing'. Stay in the groove with Microsoft Office Excel integration with Microsoft Azure C |
Source: Document image extraction number: 2 | Screenshot OCR: Enable Editing'. Open Stay in the groove wIth Microsoft Office Excel integrauon with Microsoft Az |
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write |
Source: CCE0.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winsta.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: apphelp.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: davhlpr.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cscapi.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll |
Source: C:\Windows\explorer.exe | Section loaded: duser.dll |
Source: C:\Windows\explorer.exe | Section loaded: dui70.dll |
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll |
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll |
Source: C:\Windows\explorer.exe | Section loaded: slc.dll |
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll |
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll |
Source: C:\Windows\explorer.exe | Section loaded: winsta.dll |
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\explorer.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll |
Source: C:\Windows\explorer.exe | Section loaded: mpr.dll |
Source: C:\Windows\explorer.exe | Section loaded: davhlpr.dll |
Source: C:\Windows\explorer.exe | Section loaded: version.dll |
Source: C:\Windows\explorer.exe | Section loaded: shdocvw.dll |
Source: C:\Windows\explorer.exe | Section loaded: msisip.dll |
Source: classification engine | Classification label: mal64.troj.spyw.expl.winXLSX@3/6@0/0 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6DA0.tmp |
Source: re-march-26-2024-9856.xlsx | OLE indicator, Workbook stream: true |
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe explorer \\170.130.55.130\share\a\Report-26-2024.vbs.......... |
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe |
Source: unknown | Process created: C:\Windows\explorer.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini |
Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: re-march-26-2024-9856.xlsx | Initial sample: OLE zip file path = xl/media/image1.gif |
Source: re-march-26-2024-9856.xlsx | Initial sample: OLE zip file path = xl/media/image2.gif |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: re-march-26-2024-9856.xlsx | Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\explorer.exe TID: 2428 | Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\explorer.exe TID: 2836 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match | File source: drawing1.xml.rels, type: SAMPLE |
Source: C:\Windows\SysWOW64\explorer.exe | File opened: \\170.130.55.130\share |
Source: C:\Windows\SysWOW64\explorer.exe | File opened: \\170.130.55.130\share\a |
Source: C:\Windows\explorer.exe | File opened: \\170.130.55.130\share\a\Report-26-2024.vbs |
Source: C:\Windows\explorer.exe | File opened: \\170.130.55.130\share\ |