Edit tour

Windows Analysis Report
Claim- Jan 2025.xls

Overview

General Information

Sample name:	Claim- Jan 2025.xls
Analysis ID:	1598848
MD5:	2a48933974e0ce490d2bc0c5d20c7125
SHA1:	63f04dcc31e51700a8e2ccc3139b36128309bc28
SHA256:	276b78b0499b0ed76085308d41344bb47e82f76384ad9bb40e15c2dfa822db72
Tags:	xlsuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Excel sheet contains many unusual embedded objects

Machine Learning detection for sample

Detected non-DNS traffic on DNS port

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 7608 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 5888 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

EXCEL.EXE (PID: 4484 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Claim- Jan 2025.xls" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 54.253.210.175, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7608, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 58797

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 58797, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7608, Protocol: tcp, SourceIp: 54.253.210.175, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://test.mycon.link/zlZE1JME	Avira URL Cloud: Label: malware
Source: https://test.mycon.link/zlZE1J	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Claim- Jan 2025.xls	Virustotal: Detection: 19%			Perma Link
Source: Claim- Jan 2025.xls	ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: Claim- Jan 2025.xls

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 54.253.210.175:443 -> 192.168.2.4:58797 version: TLS 1.2

Source: global traffic	DNS query: name: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS query: name: test.mycon.link

Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58805 -> 155.138.230.64:80
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443

Source: global traffic	TCP traffic: 192.168.2.4:58749 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 162.159.36.2:53 -> 192.168.2.4:58749
Source: global traffic	TCP traffic: 192.168.2.4:58749 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 162.159.36.2:53 -> 192.168.2.4:58749
Source: global traffic	TCP traffic: 192.168.2.4:58749 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 162.159.36.2:53 -> 192.168.2.4:58749
Source: global traffic	TCP traffic: 192.168.2.4:58749 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 192.168.2.4:58797 -> 54.253.210.175:443
Source: global traffic	TCP traffic: 54.253.210.175:443 -> 192.168.2.4:58797
Source: global traffic	TCP traffic: 192.168.2.4:58805 -> 155.138.230.64:80
Source: global traffic	TCP traffic: 155.138.230.64:80 -> 192.168.2.4:58805
Source: global traffic	TCP traffic: 192.168.2.4:58805 -> 155.138.230.64:80
Source: global traffic	TCP traffic: 192.168.2.4:58805 -> 155.138.230.64:80
Source: global traffic	TCP traffic: 155.138.230.64:80 -> 192.168.2.4:58805
Source: global traffic	TCP traffic: 155.138.230.64:80 -> 192.168.2.4:58805
Source: global traffic	TCP traffic: 192.168.2.4:58805 -> 155.138.230.64:80
Source: global traffic	TCP traffic: 192.168.2.4:58805 -> 155.138.230.64:80
Source: global traffic	TCP traffic: 155.138.230.64:80 -> 192.168.2.4:58805

Source: excel.exe

Memory has grown: Private usage: 2MB later: 145MB

Source: global traffic

TCP traffic: 192.168.2.4:58749 -> 162.159.36.2:53

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: global traffic	HTTP traffic detected: GET /zlZE1J HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: test.mycon.linkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/ce/x.x.x.x.doc HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 155.138.230.64

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 155.138.230.64
Source: unknown	TCP traffic detected without corresponding DNS query: 155.138.230.64
Source: unknown	TCP traffic detected without corresponding DNS query: 155.138.230.64
Source: unknown	TCP traffic detected without corresponding DNS query: 155.138.230.64
Source: unknown	TCP traffic detected without corresponding DNS query: 155.138.230.64
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /zlZE1J HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: test.mycon.linkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/ce/x.x.x.x.doc HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 155.138.230.64

Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: test.mycon.link

Source: Claim- Jan 2025.xls, ~DFD4DC6A6341495630.TMP.9.dr

String found in binary or memory: https://test.mycon.link/zlZE1JME

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58797
Source: unknown	Network traffic detected: HTTP traffic on port 58797 -> 443

Source: unknown

HTTPS traffic detected: 54.253.210.175:443 -> 192.168.2.4:58797 version: TLS 1.2

System Summary

Excel sheet contains many unusual embedded objects

Source: Claim- Jan 2025.xls	OLE: Microsoft Excel 2007+
Source: Claim- Jan 2025.xls	OLE: Microsoft Excel 2007+
Source: Claim- Jan 2025.xls	OLE: Microsoft Excel 2007+
Source: ~DFD4DC6A6341495630.TMP.9.dr	OLE: Microsoft Excel 2007+
Source: ~DFD4DC6A6341495630.TMP.9.dr	OLE: Microsoft Excel 2007+
Source: ~DFD4DC6A6341495630.TMP.9.dr	OLE: Microsoft Excel 2007+

Source: Claim- Jan 2025.xls	OLE indicator, VBA macros: true
Source: ~DFD4DC6A6341495630.TMP.9.dr	OLE indicator, VBA macros: true

Source: Claim- Jan 2025.xls	Stream path 'MBD00654C46/\x1Ole' : https://test.mycon.link/zlZE1JMEkr1c}.*koRbn v>eSXFf O#R[2(UpKv T@>z@sj~7w\.kQr=!6.^f.JUy_A0a9:"`&gz>~~,]EkN('+Y}}T(7]BF+\|yzJh033qh9YedJsoL8TI9LyqmPKo8QucLVZmQCk4quJS0wjMAidcWryR0YQ9LVLyrQgA7JQ8a1Z0FFY3iyEEtxQZl6p2TEp8CvuklHmYrTS5w6dVKlJBuVAMI642RjCiSTGctwoq0HeuNzDMlFizv8El7o4B63LO2oHluraXhzaOtKrFDfrhTLik5rc0BvJswxGVFLNCuEHufLCjbV/je$
Source: ~DFD4DC6A6341495630.TMP.9.dr	Stream path 'MBD00654C46/\x1Ole' : https://test.mycon.link/zlZE1JMEkr1c}.*koRbn v>eSXFf O#R[2(UpKv T@>z@sj~7w\.kQr=!6.^f.JUy_A0a9:"`&gz>~~,]EkN('+Y}}T(7]BF+\|yzJh033qh9YedJsoL8TI9LyqmPKo8QucLVZmQCk4quJS0wjMAidcWryR0YQ9LVLyrQgA7JQ8a1Z0FFY3iyEEtxQZl6p2TEp8CvuklHmYrTS5w6dVKlJBuVAMI642RjCiSTGctwoq0HeuNzDMlFizv8El7o4B63LO2oHluraXhzaOtKrFDfrhTLik5rc0BvJswxGVFLNCuEHufLCjbV/je$

Source: classification engine

Classification label: mal64.winXLS@4/4@2/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{820B341B-4EB7-457E-80FA-4FF61E49443D} - OProcSessId.dat

Jump to behavior

Source: Claim- Jan 2025.xls	OLE indicator, Workbook stream: true
Source: ~DFD4DC6A6341495630.TMP.9.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Claim- Jan 2025.xls	Virustotal: Detection: 19%
Source: Claim- Jan 2025.xls	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Claim- Jan 2025.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Claim- Jan 2025.xls

Static file information: File size 1140224 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: Claim- Jan 2025.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Claim- Jan 2025.xls	Stream path 'Workbook' entropy: 7.99882155441 (max. 8.0)
Source: ~DFD4DC6A6341495630.TMP.9.dr	Stream path 'Workbook' entropy: 7.99882155441 (max. 8.0)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 527

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	3 Exploitation for Client Execution	1 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Claim- Jan 2025.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Claim- Jan 2025.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Claim- Jan 2025.xls