
Analysis Report Unpaid Invoice.9342.xls

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208474
Start date: 14.02.2020
Start time: 16:14:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Unpaid Invoice.9342.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.expl.winXLS@1/13@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 93.184.221.240, 8.248.131.254, 8.248.115.254, 67.27.159.126, 67.27.158.254, 8.248.113.254, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, apps.digsigtrust.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, apps.identrust.com, wu.azureedge.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtReadFile calls found.

Detection

Strategy: Threshold
Score: 52
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Techniques per tactic column (numbers in parentheses are the superscript signature counts shown in the original matrix):

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scripting (1); Graphical User Interface (1); Exploitation for Client Execution (3); Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading (1); Disabling Security Tools (1); Scripting (1); Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol (2); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (2); Remote File Copy (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud

Signature Overview



Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
  Source: global traffic; DNS query name: doolised.xyz
Potential document exploit detected (performs HTTP gets)
  Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 47.254.171.5:443
Potential document exploit detected (unknown TCP traffic)
  Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 47.254.171.5:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
  Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Downloads files
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSORVPC2\DSBVhsdv78f[1].htm
Performs DNS lookups
  Source: unknown; DNS traffic detected: queries for: doolised.xyz
Urls found in memory or binary data
  Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
  Source: Unpaid Invoice.9342.xls; String found in binary or memory: https://doolised.xyz/DSBVhsdv78f
Uses HTTPS
  Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49158
  Source: unknown; Network traffic detected: HTTP traffic on port 49158 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  Source: Screenshot number: 4; Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
  Source: Screenshot number: 4; Screenshot OCR: Enable content button from the yellow bar above
Document contains embedded VBA macros
  Source: Unpaid Invoice.9342.xls; OLE indicator, VBA macros: true
Classification label
  Source: classification engine; Classification label: mal52.expl.winXLS@1/13@1/1
Creates files inside the user directory
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Creates temporary files
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRAD.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
  Source: Unpaid Invoice.9342.xls; OLE indicator, Workbook stream: true
Reads ini files
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Reads software policies
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Found graphical window changes (likely an installer)
  Source: Window Recorder; Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (reported 42 times)

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
  Source: Yara match; File source: Unpaid Invoice.9342.xls, type: SAMPLE

Malware Configuration

No configs have been found

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Unpaid Invoice.9342.xls: 0% (Virustotal)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

doolised.xyz: 0% (Virustotal)

URLs

https://doolised.xyz/DSBVhsdv78f: 0% (Virustotal)
https://doolised.xyz/DSBVhsdv78f: 0%, label: safe (Avira URL Cloud)

Yara Overview

Initial Sample

Source: Unpaid Invoice.9342.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

Each match lists the associated sample names or URLs seen with it, their detection, and the context IP where the report gives one.

IPs

47.254.171.5
  • Invoice.No-19750.xls (detection: malicious)
  • Invoice.No-19750.xls (detection: malicious)
  • incoming_invoice-184.xls (detection: malicious)
  • incoming_invoice-184.xls (detection: malicious)

Domains

doolised.xyz
  • Invoice.No-19750.xls (detection: malicious; context: 47.254.171.5)
  • Invoice.No-19750.xls (detection: malicious; context: 47.254.171.5)
  • incoming_invoice-184.xls (detection: malicious; context: 47.254.171.5)
  • incoming_invoice-184.xls (detection: malicious; context: 47.254.171.5)
  • Invoice 048.xls (detection: malicious; context: 49.51.172.149)

ASN

unknown
  • Invoice.No-19750.xls (detection: malicious; context: 47.254.171.5)
  • Invoice.No-19750.xls (detection: malicious; context: 47.254.171.5)
  • Xd95RAhBSw.js (detection: malicious; context: 94.152.34.108)
  • Xd95RAhBSw.js (detection: malicious; context: 94.152.34.108)
  • BGMiner.exe (detection: malicious; context: 51.15.65.182)
  • AMTE-0494579945809935775IMG.exe (detection: malicious; context: 104.28.27.51)
  • https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapipe.myvnc.com%2Fii%2FXZXXSE345CDC%2FBBBBBRR4444444%2F101454858.php%3Femail%3Delecsup.venturer%40maerskdrilling.com&data=02%7C01%7Celecsup.venturer%40maerskdrilling.com%7Cd2c531d9631748edbf8e08d7b080e8b5%7C9397504456ed42b3a1f10b5c1dc2e04a%7C0%7C0%7C637171940022891097&sdata=g6gYl32PZbyKbfEfLybu5fakBeCuMjH%2BuafgKXUM3oY%3D&reserved=0 (detection: malicious; context: 101.99.90.74)
  • https://storage.googleapis.com/chazzz/exelaonline.htm (detection: malicious; context: 23.229.223.163)
  • http://d122whdqwqk5sz.cloudfront.net/lngy!6kbbqsxf/CyberLink_PowerDVD_17.0.2217_Ultra_.exe (detection: malicious; context: 46.166.187.59)
  • https://storage.googleapis.com/chazzz/exelaonline.htm (detection: malicious; context: 23.229.223.163)
  • https://caweb.sba.gov/cls (detection: malicious; context: 157.240.20.19)
  • DOC130219-83144.htm (detection: malicious; context: 88.99.66.31)
  • eFax_DocumentXX812X.doc (detection: malicious; context: 217.8.117.33)
  • https://verschuldigdjhds6707.azurewebsites.net (detection: malicious; context: 185.208.211.79)
  • http://jv101marketing.com/wp-content/uploads/2020/02/easy/1601071/1601071.zip (detection: malicious; context: 46.105.201.240)
  • Invoice INV-09107.docm (detection: malicious; context: 13.107.42.12)
  • Invoice INV-09107.docm (detection: malicious; context: 192.229.221.185)
  • julie playback_597130220.html (detection: malicious; context: 152.199.23.37)
  • https://www3.mydocsonline.com/Share.aspx?-108xfbluPfDWrWhiMi6piFPzg (detection: malicious; context: 208.83.75.165)
  • http://138.68.251.50/Axisbins.sh (detection: malicious; context: 138.68.251.50)

JA3 Fingerprints

7dcce5b76c8b17472d024758970a406b
  • Invoice.No-19750.xls (detection: malicious; context: 47.254.171.5)
  • Invoice INV-09107.docm (detection: malicious; context: 47.254.171.5)
  • sample2.docm (detection: malicious; context: 47.254.171.5)
  • Fr. N26389.doc (detection: malicious; context: 47.254.171.5)
  • incoming_invoice-184.xls (detection: malicious; context: 47.254.171.5)
  • Project.xlsx (detection: malicious; context: 47.254.171.5)
  • Tax Folder.doc (detection: malicious; context: 47.254.171.5)
  • Get461102472.doc (detection: malicious; context: 47.254.171.5)
  • Get227723192.doc (detection: malicious; context: 47.254.171.5)
  • info_02_11.doc (detection: malicious; context: 47.254.171.5)
  • Get338036186.doc (detection: malicious; context: 47.254.171.5)
  • Invoice 048.xls (detection: malicious; context: 47.254.171.5)
  • info_02_11.doc (detection: malicious; context: 47.254.171.5)
  • info_02_11.doc (detection: malicious; context: 47.254.171.5)
  • info_02_11.doc (detection: malicious; context: 47.254.171.5)
  • sample2.docm (detection: malicious; context: 47.254.171.5)
  • AMZL-MME2-HS Consultant Weekly Report 33-05022020 WK06.xlsm (detection: malicious; context: 47.254.171.5)
  • AMZL-MME2-HS Consultant Weekly Report 33-05022020 WK06.xlsm (detection: malicious; context: 47.254.171.5)
  • TKU009513.doc (detection: malicious; context: 47.254.171.5)
  • Payment Copy.xlsx (detection: malicious; context: 47.254.171.5)

Dropped Files

No context

            Screenshots

Thumbnails

[Screenshot thumbnails (the report's screenshots 1-4, including the OCR'd "Enable editing" / "Enable content" lure) are images and are not reproduced in this text.]