
Analysis Report new invoice117.xls

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 215946
Start date: 17.03.2020
Start time: 16:57:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: new invoice117.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.troj.expl.winXLS@1/12@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 205.185.216.42, 205.185.216.10, 8.238.36.126, 8.238.30.126, 8.241.79.254, 8.241.90.254, 8.238.34.254, 67.26.75.254, 8.241.123.126
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, apps.digsigtrust.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtReadFile calls found.

Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



MITRE ATT&CK Matrix

Techniques listed per tactic; the number in parentheses is the count of matched signatures mapped to that technique.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scripting (1); Graphical User Interface (1); Exploitation for Client Execution (13); Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading (1); Scripting (1); Rootkit; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol (2); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (2); Remote File Copy (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview



Spreading:

Yara detected DConn With Suspicious Link
  • Source: Yara match; file source: new invoice117.xls, type: SAMPLE

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries with low reputation score)
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; DNS query: name: tdvomds.pw
Potential document exploit detected (performs DNS queries)
  • Source: global traffic; DNS query: name: tdvomds.pw
Potential document exploit detected (performs HTTP gets)
  • Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 8.208.28.247:443
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 8.208.28.247:443

Networking:

Yara detected DConn With Suspicious Link
  • Source: Yara match; file source: new invoice117.xls, type: SAMPLE
IP address seen in connection with other malware
  • Source: Joe Sandbox View; IP address: 8.208.28.247
JA3 SSL client fingerprint seen in connection with other malware
  • Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Downloads files
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U08D60QK\12341324rfefv[1].htm
Performs DNS lookups
  • Source: unknown; DNS traffic detected: queries for: tdvomds.pw
Urls found in memory or binary data
  • Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr; string found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
  • Source: new invoice117.xls; string found in binary or memory: https://tdvomds.pw/12341324rfefv
Uses HTTPS
  • Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49158
  • Source: unknown; network traffic detected: HTTP traffic on port 49158 -> 443

System Summary:

Document contains embedded VBA macros
  • Source: new invoice117.xls; OLE indicator, VBA macros: true
Classification label
  • Source: classification engine; classification label: mal56.troj.expl.winXLS@1/12@1/1
Creates files inside the user directory
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Creates temporary files
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file created: C:\Users\user\AppData\Local\Temp\CVRD270.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
  • Source: new invoice117.xls; OLE indicator, Workbook stream: true
Reads ini files
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file read: C:\Users\desktop.ini
Reads software policies
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Found graphical window changes (likely an installer)
  • Source: Window Recorder; window detected: more than 3 window changes detected
Checks if Microsoft Office is installed
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Document has a 'comments' value indicative of goodware
  • Source: new invoice117.xls; initial sample: OLE summary comments = oqJ0PEYWUcy4aU4mnLd
Uses new MSVCR Dlls
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
  • Source: Yara match; file source: new invoice117.xls, type: SAMPLE

Malware Configuration

No configs have been found

Behavior Graph

[Graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: new invoice117.xls; detection: 0%; scanner: Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: tdvomds.pw; detection: 0%; scanner: Virustotal

URLs

Source: https://tdvomds.pw/12341324rfefv; detection: 0%; scanner: Virustotal
Source: https://tdvomds.pw/12341324rfefv; detection: 0%; scanner: Avira URL Cloud; label: safe

Yara Overview

Initial Sample

Source: new invoice117.xls; rule: JoeSecurity_DConnWithSuspiciousLink; description: Yara detected DConn With Suspicious Link; author: Joe Security
Source: new invoice117.xls; rule: JoeSecurity_HiddenMacro; description: Yara detected hidden Macro 4.0 in Excel; author: Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 8.208.28.247. Associated samples (all detected as malicious): Invoice-3285.xls, invoice 4361.xls, invoice-id.00416.xls, INV329778.xls, incoming_invoice.18751.xls, Invoice.ID_9097.xls, unpaid_invoice8377.xls, unpaid_invoice8377.xls, INV.47882.xls, INV.47882.xls, New-Invoice 404.xls, invoice No.4510.xls

Domains

Match: tdvomds.pw. Associated samples (all detected as malicious, all with context IP 8.208.28.247): Invoice-3285.xls, invoice 4361.xls, invoice-id.00416.xls, INV329778.xls, incoming_invoice.18751.xls

ASN

Match: unknown. Associated samples (all detected as malicious), each with its context IP:
  • Invoice-3285.xls: 52.114.132.20
  • -#U2709-Wearesfg-Expense-Reimbursement-202003.htm: 178.159.36.161
  • http://o.splashmath.com/ls/click?upn=lovfhPxRU35r-2BMynmMkw5usWK-2BsqomzTTJ4udqNRqV-2BtOn1DMkPQXKQkGAqkvp55lxIIGgemJQFBj0n52jY4K-2FEmr8bO6tdZFRBN0rKNfcw-3DjZFz_m1-2B5T0y9KKTFwH14HcV3J8FRFrLJHtDizoK8EPwT87tliE17VL17ZmBTQVll24D8Xq5DhVdP7V7pQBra09EfXAOhzUpu9AFYpfJW7OkN60pL2NhDUfehjXZPlE0QA2t06MJmT1GzdlFqLFw97ZbIfRv9vzhVYCZqxEoI4HKYr45cqPJpjDyFn7FG8OtCtZe5O0y5AsawGX3dwDEOrVj8Aj-2FIdX2uG8tUw5MZpIbAwjo-3D: 151.101.12.193
  • Invoice-3285.xls: 8.208.28.247
  • https://garywang.me/DBB/CSS: 162.241.174.123
  • Info_181338267653.doc: 185.216.35.10
  • https://bit.ly/2wdSvjb: 67.199.248.11
  • https://www.nch.com.au/components/zipsetup.exe: 23.235.214.26
  • Info_181338267653.doc: 52.114.76.34
  • Info_181338267653.doc: 185.216.35.10
  • https://my.su/g5nm4?idtrack=psHWI2Wz: 94.130.66.14
  • Adobe_Flash_2020-0.apk: 216.58.201.99
  • https://bit.ly/2wdSvjb: 67.199.248.10
  • invoice 4361.xls: 8.208.28.247
  • Adobe_Flash_2020.apk: 216.58.201.99
  • invoice-id.00416.xls: 52.114.7.37
  • invoice-id.00416.xls: 8.208.28.247
  • INV329778.xls: 8.208.28.247
  • Adobe_Flash_2020-2.apk: 216.58.201.99
  • incoming_invoice.18751.xls: 8.208.28.247

JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b. Associated samples (all detected as malicious, all with context IP 8.208.28.247): Invoice-3285.xls, invoice 4361.xls, invoice-id.00416.xls, INV329778.xls, incoming_invoice.18751.xls, Invoice.ID_9097.xls, Court-Order-Form-2761810.doc, unpaid_invoice8377.xls, unpaid_invoice8377.xls, INV.47882.xls, INV.47882.xls, bad.doc, bad.doc, New-Invoice 404.xls, invoice No.4510.xls, certid12245UK.docx, Resume.xls, Invoice-ID-6380.xls, microstub.exe, Inv.749.xls

Dropped Files

No context

Screenshots

[Screenshot thumbnails not reproduced]