Edit tour

Windows Analysis Report
Serbia_Vendor_Creation_1.xlsx

Overview

General Information

Sample name:	Serbia_Vendor_Creation_1.xlsx
Analysis ID:	1432059
MD5:	c1cda6d17a11952fef58a1aa3a47c30f
SHA1:	1c51727af61fd17e8d437a736bf254cd470a54a2
SHA256:	7c3babffc38d4b977d7e8ecef338936e9a002655a6fbbbd4bc2feaecfdbbdcca
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Contains an external reference to another file

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3172 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
externalLink1.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0xe1:$olerel: relationships/oleObject 0xfa:$target1: Target="http 0x1a7:$mode: TargetMode="External
externalLink2.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0xe1:$olerel: relationships/oleObject 0xfa:$target2: Target="file 0x16a:$mode: TargetMode="External

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: externalLink1.xml.rels, type: SAMPLE	Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Source: externalLink2.xml.rels, type: SAMPLE	Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: externalLink1.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: externalLink2.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: classification engine

Classification label: mal52.evad.winXLSX@1/7@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR67D6.tmp

Jump to behavior

Source: Serbia_Vendor_Creation_1.xlsx	OLE indicator, Workbook stream: true
Source: 6B9E.tmp.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/media/image3.png
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/media/image4.png
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/item3.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = docProps/custom.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/item2.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/media/image2.emf
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/media/image3.png
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/media/image4.png
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/item3.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/item2.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Serbia_Vendor_Creation_1.xlsx

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: externalLink1.xml.rels

Extracted files from sample: https://hyperoptic-my.sharepoint.com/personal/isidora_karapandzic_hyperoptic_com/documents/desktop/1.%20hyperoptic%20supplier%20code%20of%20conduct%20(1)%20srp.doc

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Serbia_Vendor_Creation_1.xlsx	0%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432059
Start date and time:	2024-04-26 11:12:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Serbia_Vendor_Creation_1.xlsx
Detection:	MAL
Classification:	mal52.evad.winXLSX@1/7@0/0
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 918 x 680, 8-bit/color RGBA, non-interlaced
Category:	modified
Size (bytes):	54350
Entropy (8bit):	7.91872755440117
Encrypted:	false
SSDEEP:	768:yhShil1HH4o1Qvf+1WIYwISz5xYO3Y9abIHhxPppWVMXi2UJOWAoj2BW0fk:j+1HHH10fZ5KzTSCIHbp46Ej2Xfk
MD5:	6A01035EDE94C9FE388506D948250EB0
SHA1:	07E3B0CFB128EFA95C934AAEF6EA5C153B972E98
SHA-256:	C8700049E8A67BD3278A3D5A178F4D98F84EA608874A489FE854908C0FD3B9E0
SHA-512:	D6F6A91F67CDC1B10F99E6CCD87787E1CFE673B24F455A6A210724F2772116579A40F60714CC5176445F8960D222E96240348499BAE4BA48753D4298C73992B6
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...............`.....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^...\Te.?...R.h.e....e....&jj......xyeu./..u..h-.....n.....!.&o..).....2d.....?...af..AQ._?#.6.6gf.o..<.N.."""""".j...%""""""...K""""""r..%................\.`IDDDDDD.a.$"""""".0X.......K.,.......%uJ...j..W..D!.](.um..d.......m.!-.........j....@..?.h}.Y.PK.K""""".U.,o..=.....k}..USOdv.[.....G.w...C...\|...}..""""...`y.x\|}..._..bK.k...mK..w......].......V.\|s.........^.....Z_....%V.l.W&..}m....:"X.Si..e..\..y.....0=.9..j..l..'.h}.s..n....Z_E...G.e8w.P....0:g.o...S..^..>.#..Z.S]).....,C.........s.0s.[8v......m..ik.tr./M..o..;..v........RV..O....Y.....]dH......V..........6...,.~.e..~...%....5.._W..^.1.[..?E.C..M.....op2.`...n<...`...M.."..M...O.../..u=..}.W...A}{Z.S......S-...p9......J.-r.-.'.8....R_.....V.._.....PU.k..kODDDt'q..F.I..A..owkCnO..U?.u6T..w.!q_c..m6..o...R...?^}W...dX..B...=.l...W..'.0...Q.PY.Y........v.q.~....8q.gm.%..2T..m$....g......B

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C4E2997.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7976
Entropy (8bit):	3.5505650261081096
Encrypted:	false
SSDEEP:	96:ydozbTGLIQYC0iiGBjkep0vllllllllllllllCoKkbdV:j+LIQYUrjLallllllllllllllC/ID
MD5:	2DA278DC5FE084DAC89F7E4CEE3E2CD9
SHA1:	ECC4FF84629924B2834C956FFBA4FA61A17FD622
SHA-256:	AB7188923D4CB593378AE7E66A1C4D639BF876A903D78E7A4D82570149B916C0
SHA-512:	CB14AE7653FEA86FA3B0DF69CA5991D079750095ABAC1CD8490CDC62BB0995C17CDE65C2A85E74BBD8FC707D10A7167128041B9707B5CF337FCD1F3FC3AB027D
Malicious:	false
Reputation:	low
Preview:	....l...........t...\...........f...Q... EMF....(...........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!.......%.......................................................................'.......................%...........K.......................................r.......(.......O...)...(.......(...(..................?...........?................l...4...........(...(...(...(...(..... .................................................................................................................................................................................................................................... .. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. ".. "........................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.050501564190144
Encrypted:	false
SSDEEP:	96:OdoeUUUUUUUU7RRRRRRRRRRRRRRRRRRV7RRRRRRRRRRRRRRRRRRV77V77V77V7D6:iqrnxT
MD5:	921E15C48023C6E4344C9FE296F938A1
SHA1:	3B59C3569C3E0923EFD014A80AEB57F3F3133C73
SHA-256:	53DFCD0087F36856D1B1841B46E19FBEF79FC54B7A1366F420F9A360E5D2554C
SHA-512:	EB78A8182C0D34CBBF3A2FED3CC676E07B360D11A7A381D2F66267E19CA1858D30194368FFEB85FB3CCF6367509CAC5745A28A5BB87E70A04972BF4180C26863
Malicious:	false
Reputation:	low
Preview:	....l...........u...............f...Q... EMF..... ..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!.......%.......................................................................'.......................%...........K.......................................r.......(.......O...)...(.......(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................Z\].twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.twy.Z\].............................................twy.............................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B44946AC.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 423 x 695, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	44746
Entropy (8bit):	7.9626137752387525
Encrypted:	false
SSDEEP:	768:DztA4k8C98Zn+DNCpREJ1XTIpITR6MWT6VuFOIUsIECWEnm8:DzbjC94SCTpIA5TyIUFCp8
MD5:	1E6CB6F45FD9335E2BF06D5E119C4B1A
SHA1:	EF3DF1D0AAC0128C38EF50B4881479AF3788893E
SHA-256:	3C0BC62F63769906AB07BA5ECCA08EB50414AA09F4F165492F3E798FDFCACC03
SHA-512:	B91B2B1139A9442E5873E015DB1B094991ECD9DBFACB03361F8CD17B74BB209E69D58E3114ADC53A5037B6EA34B04C2A9C35464B53397A5C3D0F1506CF1CE070
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............!......sRGB.........gAMA......a.....pHYs...t...t..f.x..._IDATx^..\|.E.._R ..PC..Az... J..E@)".R>.."E@)."...H.."...Az...Z ....q.\..,...[r.;;;.e.y.yo'..c.Csd. ..B.U..%..B,...B..8.B....'B.!...D.!.rP..!.X...!...Aq"..b9(N..B,...B..8.B....'B.!...D.!.rP..!.X...!...Aq"..b9(N..B,...B..8.B....'B.!.#..c.Csd.`.J..O....a........$...............BbK...."...%.^....e..;(N$.p.A.<R....;..$8..^(T....U..H-..n=....Q..{O<.C.....0......_.D.a".....P.........B.<...y.,&{..s..Y.f...O.>-!*]...%O.\|R.BY.^..-e..t..}ZQ...<.........u(N.......hk...E........r.N..:yX.K J...@..(..K``..m...]...;.(P......QO..9.(N...<..4j.(.}.\....a.dH.P...,..<.c./..k...K..._.....T.....g.....n.....!........5(N.....c2.F..N..0./J..{yH.j%$G....0..9.Q.\>/......n..d....H....W.0.B...{..gG\.q[...^j.YNjV-g[.l.c......m....~R...oQ.\|./]#....d.Ilk.;.F^../.o.u...I..X.a.mk..k.!.;5...<q.<....I.vv..%J.......\...l.d.R-L....%y.g....L.4...H..3.....%0...O.\BB.ia..4}./2..yz?.......\|.B.i..9..W.@.

C:\Users\user\AppData\Local\Temp\6B9E.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	130230
Entropy (8bit):	7.882885545830819
Encrypted:	false
SSDEEP:	1536:9A7uoyHbZzbjC94SCTpIA5TyIUFCpC+1HHH10fZ5KzTSCIHbp46Ej2XfFHqH:67+HFzb/ZuYZAWN14qzWCr6Ej2MH
MD5:	C1CDA6D17A11952FEF58A1AA3A47C30F
SHA1:	1C51727AF61FD17E8D437A736BF254CD470A54A2
SHA-256:	7C3BABFFC38D4B977D7E8ECEF338936E9A002655A6FBBBD4BC2FEAECFDBBDCCA
SHA-512:	980495C5269B79209122E862438FADF1B85F1B1B0B9B0322A2D1FF49F716D3E4EC40AA3924D8E67D3F6EB65F8A4F4A691AD6EC82586A107D17A2689C00CCFDFE
Malicious:	false
Reputation:	low
Preview:	PK..........!..!].............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................VM..0.......%Vv...8{.....z.Zc[D_h.l..;R.!,NRcC/.%y.{.$.....]l .r.b7..`k'.m+.....3+0.+.v...dw....O;.XP..u1./.c..X:..F......-..^....\|....F.q...[...k..o[..+yV.._..%....E$.\|c....k.U.t...t.>....D.K..1.G...C.{9.4o8.I...4...m.....#.h......"s..)....3..........BN.!H.....~..JB. B.).M!.j.....Uy.d.....P.....g..u3..._.....?...s...C.......b_1..m. Rq.....0W\...So..z.....c...N......./C....}?.].....c4W..Cp....A.....X...U...

C:\Users\user\AppData\Local\Temp\6B9E.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.882885545830819
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	Serbia_Vendor_Creation_1.xlsx
File size:	130'230 bytes
MD5:	c1cda6d17a11952fef58a1aa3a47c30f
SHA1:	1c51727af61fd17e8d437a736bf254cd470a54a2
SHA256:	7c3babffc38d4b977d7e8ecef338936e9a002655a6fbbbd4bc2feaecfdbbdcca
SHA512:	980495c5269b79209122e862438fadf1b85f1b1b0b9b0322a2d1ff49f716d3e4ec40aa3924d8e67d3f6eb65f8a4f4a691ad6ec82586a107d17a2689c00ccfdfe
SSDEEP:	1536:9A7uoyHbZzbjC94SCTpIA5TyIUFCpC+1HHH10fZ5KzTSCIHbp46Ej2XfFHqH:67+HFzb/ZuYZAWN14qzWCr6Ej2MH
TLSH:	C3D3E160C816F5ACCF6F10F8945D926A74ECC8B273803BB76476E45FC906177369A28B
File Content Preview:	PK..........!..!].............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Serbia_Vendor_Creation_1.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Target ID:	0
Start time:	11:13:22
Start date:	26/04/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f1d0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Serbia_Vendor_Creation_1.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40AD1EBD.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C4E2997.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B44946AC.png

C:\Users\user\AppData\Local\Temp\6B9E.tmp

C:\Users\user\AppData\Local\Temp\6B9E.tmp:Zone.Identifier

C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Serbia_Vendor_Creation_1.xlsx"

Indicators

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EXCEL.EXEPID: 3172, Parent PID: 564

General

Chronological Activities

Disassembly

Windows Analysis Report
Serbia_Vendor_Creation_1.xlsx