Loading ...

Play interactive tourEdit tour

Analysis Report http://haslundalsted.dk/khflc.html

Overview

General Information

Sample URL:http://haslundalsted.dk/khflc.html

Most interesting Screenshot:

Detection

Phisher
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Phisher
Potential browser exploit detected (process start blacklist hit)

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 5472 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5520 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5472 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • EXCEL.EXE (PID: 4380 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\587_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' MD5: D672D26C85AEB9536B9736BF04054969)
    • EXCEL.EXE (PID: 3276 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\994_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' MD5: D672D26C85AEB9536B9736BF04054969)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\khflc[1].htmJoeSecurity_Phisher_2Yara detected PhisherJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Yara detected PhisherShow sources
    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\khflc[1].htm, type: DROPPED

    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEJump to behavior

    Source: global trafficHTTP traffic detected: GET /khflc.html HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: haslundalsted.dkConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: haslundalsted.dkConnection: Keep-Alive
    Source: msapplication.xml1.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x43fdec73,0x01d649d5</date><accdate>0x43fdec73,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml1.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x43fdec73,0x01d649d5</date><accdate>0x4400ad8a,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml6.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4405980c,0x01d649d5</date><accdate>0x4405980c,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml6.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4405980c,0x01d649d5</date><accdate>0x4407fb4d,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml8.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4407fb4d,0x01d649d5</date><accdate>0x4407fb4d,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: msapplication.xml8.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4407fb4d,0x01d649d5</date><accdate>0x440abd17,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: unknownDNS traffic detected: queries for: haslundalsted.dk
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/7.0X-Powered-By: ASP.NETMicrosoftOfficeWebServer: 5.0_PubMS-Author-Via: MS-FP/4.0Date: Tue, 23 Jun 2020 18:11:46 GMTContent-Length: 5176Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 37 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 43 42 45 31 45 46 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 34 30 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 20 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 45 44 45 44 45 44 3b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 31 70 78 20 73 6f 6c 69 64 20 23 45 44 45 44 45 44 3b 62 6f
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.dr, ~DF93752745EF3C82EC.TMP.1.drString found in binary or memory: http://haslundalsted.dk/khflc.html
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: http://haslundalsted.dk/khflc.htmlDhttp://has.com/d/yflr8295gsd6/Root
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: http://haslundalsted.dk/khflc.htmlDhttp://has.com/d/yflr8295gsd6/index.phpRoot
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: http://haslundalsted.dk/khflc.htmlDhttp://hasRoot
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: http://haslundalsted.dk/khflc.htmlDhttp://haslundalsted.dk/khflc.html
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: http://haslundalsted.dk/khflc.htmlRoot
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: http://haslundalsted.dk/khflc.htmlf
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
    Source: KFOmCnqEu92Fr1Mu4mxP[1].ttf.2.dr, KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf.2.dr, KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf.2.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: msapplication.xml2.1.drString found in binary or memory: http://www.google.com/
    Source: msapplication.xml3.1.drString found in binary or memory: http://www.live.com/
    Source: msapplication.xml4.1.drString found in binary or memory: http://www.nytimes.com/
    Source: msapplication.xml5.1.drString found in binary or memory: http://www.reddit.com/
    Source: msapplication.xml6.1.drString found in binary or memory: http://www.twitter.com/
    Source: msapplication.xml7.1.drString found in binary or memory: http://www.wikipedia.com/
    Source: msapplication.xml8.1.drString found in binary or memory: http://www.youtube.com/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.aadrm.com/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.onedrive.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://augloop.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: yflr8295gsd6[1].htm.2.drString found in binary or memory: https://cdn-production-opera-website.operacdn.com/staticfiles/CACHE/css/output.38608e5b7ba6.css
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://cdn.entity.
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://clients.config.office.net/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://config.edge.skype.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://cr.office.com
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: https://d1.dropboxccdn
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.dr, khflc[1].htm.2.dr, ~DF93752745EF3C82EC.TMP.1.drString found in binary or memory: https://d1.dropboxccdn.com/d/yflr8295gsd6/
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.dr, ~DF93752745EF3C82EC.TMP.1.drString found in binary or memory: https://d1.dropboxccdn.com/d/yflr8295gsd6/index.php
    Source: ~DF93752745EF3C82EC.TMP.1.drString found in binary or memory: https://d1.dropboxccdn.com/d/yflr8295gsd6/v
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: https://d1.dropboxccdnk/khflc.htmlf
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#localhost_support
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://devnull.onenote.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://directory.services.
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://graph.windows.net
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://graph.windows.net/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://lifecycle.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://login.microsoftonline.com/common
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://login.windows.local
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://management.azure.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://management.azure.com/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://messaging.office.com/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ncus-000.contentsync.
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ncus-000.pagecontentsync.
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://officeapps.live.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://onedrive.live.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://powerlift.acompli.net
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://settings.outlook.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha#6262736
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha/#6175971
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://tasks.office.com
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://wus2-000.contentsync.
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://wus2-000.pagecontentsync.
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: recaptcha__en[1].js.2.drString found in binary or memory: https://www.google.com/recaptcha/
    Source: yflr8295gsd6[1].htm.2.drString found in binary or memory: https://www.google.com/recaptcha/api.js?render=6LfuZKgZAAAAAILyDi5it5oRrI3OYfzFgBzjq85W
    Source: {6DDF54B2-B5C8-11EA-AAE6-44C1B3FB757B}.dat.1.drString found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfuZKgZAAAAAILyDi5it5oRrI3OYfzFgBzjq85W&co=aHR0
    Source: anchor[1].htm0.2.dr, anchor[1].htm.2.drString found in binary or memory: https://www.google.com:443/recaptcha/
    Source: webworker[2].js.2.dr, api[1].js0.2.dr, anchor[1].htm0.2.dr, anchor[1].htm.2.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/oqtdXEs9TE9ZUAIhXNz5JBt_/recaptcha__en.js
    Source: anchor[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/oqtdXEs9TE9ZUAIhXNz5JBt_/styles__ltr.css
    Source: 17486014-2387-4A05-A0D8-5AC09ED5F6A3.5.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713

    Source: classification engineClassification label: mal48.phis.win@7/54@4/2
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6DDF54B0-B5C8-11EA-AAE6-44C1B3FB757B}.datJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF775C270B5A1D0F04.TMPJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
    Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5472 CREDAT:17410 /prefetch:2
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\587_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\994_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5472 CREDAT:17410 /prefetch:2Jump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\587_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'Jump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\994_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeJump to behavior
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingProcess Discovery1Remote File Copy3Data from Local SystemData CompressedStandard Cryptographic Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Replication Through Removable MediaExploitation for Client Execution1Port MonitorsAccessibility FeaturesProcess Injection1Network SniffingFile and Directory Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureSystem Information Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or InformationCredentials in FilesSystem Network Configuration DiscoveryLogon ScriptsInput CaptureData EncryptedRemote File Copy3SIM Card SwapPremium SMS Toll Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.