Loading ...

Play interactive tourEdit tour

Analysis Report NC.4131.xls

Overview

General Information

Sample Name:NC.4131.xls
Analysis ID:289223
MD5:8f2af217779d1acec90e3e856efc5efc
SHA1:04ceb177c820ece5fe88280426ae30f94502d311
SHA256:b371062b3d16dfa3ab5d0af274973f71a0fbc4f3dbb0ad55680c519facb0c059

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Microsoft Office drops suspicious files
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1144 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 2364 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\AOIK9.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 2516 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2332 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2472 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\AOIK9.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 2504 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2316 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Office product drops script at suspicious locationShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1144, TargetFilename: C:\Users\user\AppData\Local\Temp\AOIK9.vbs

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: https://dortome.net/wp-touch.phpAvira URL Cloud: Label: malware
Source: https://digitalseven.net.co/wp-touch.php#Avira URL Cloud: Label: malware
Source: https://cirabelcr6dito.com/wp-touch.phpAvira URL Cloud: Label: malware
Source: https://cirabelcr6dito.com/wp-touch.php:Avira URL Cloud: Label: malware
Source: https://digitalseven.net.co/wp-touch.phpAvira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URLShow sources
Source: chuguadventures.co.tzVirustotal: Detection: 6%Perma Link
Source: https://dortome.net/wp-touch.phpVirustotal: Detection: 11%Perma Link
Source: https://digitalseven.net.co/wp-touch.php#Virustotal: Detection: 11%Perma Link
Source: https://cirabelcr6dito.com/wp-touch.phpVirustotal: Detection: 12%Perma Link
Source: https://chuguadventures.co.tz/wp-touch.phpVirustotal: Detection: 6%Perma Link
Source: https://digitalseven.net.co/wp-touch.phpVirustotal: Detection: 11%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: NC.4131.xlsVirustotal: Detection: 15%Perma Link

Software Vulnerabilities:

barindex
Document exploit detected (creates forbidden files)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\AOIK9.vbsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbsJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
Source: global trafficDNS query: name: chuguadventures.co.tz
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 192.81.249.5:443
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 192.81.249.5:443

Networking:

barindex
Potential malicious VBS script found (has network functionality)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: x0NU.Openx0NU.Type = 1x0NU.Write AKuBvCSN.ResponseBodyJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: x0NU.Openx0NU.Type = 1x0NU.Write AKuBvCSN.ResponseBodyJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: x0NU.SaveToFile "C:\Users\user\AppData\Local\Temp\eMun5w.html",2x0NU.CloseExit ForEnd IfNextJump to dropped file
Source: Joe Sandbox ViewIP Address: 192.81.249.5 192.81.249.5
Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
Source: unknownDNS traffic detected: queries for: chuguadventures.co.tz
Source: explorer.exe, 00000002.00000002.2085665427.0000000001C80000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2212848519.0000000001C00000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2092192136.0000000001CE0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2219233226.0000000001C80000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000003.00000002.2214027363.0000000002920000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.2085654504.0000000001C20000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000002.00000002.2085665427.0000000001C80000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2212848519.0000000001C00000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2092192136.0000000001CE0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2219233226.0000000001C80000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: wscript.exe, 00000007.00000002.2107363097.0000000005710000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: wscript.exe, 00000007.00000002.2103125795.0000000000416000.00000004.00000001.sdmpString found in binary or memory: https://chuguadventures.co.tz/wp-touch.php
Source: wscript.exe, 00000007.00000002.2103079304.000000000033C000.00000004.00000001.sdmpString found in binary or memory: https://chuguadventures.co.tz/wp-touch.php=
Source: wscript.exe, 00000007.00000002.2103079304.000000000033C000.00000004.00000001.sdmpString found in binary or memory: https://chuguadventures.co.tz/wp-touch.phpfq
Source: wscript.exe, 00000007.00000002.2103125795.0000000000416000.00000004.00000001.sdmpString found in binary or memory: https://cirabelcr6dito.com/wp-touch.php
Source: wscript.exe, 00000007.00000002.2103079304.000000000033C000.00000004.00000001.sdmpString found in binary or memory: https://cirabelcr6dito.com/wp-touch.php:
Source: wscript.exe, 00000007.00000002.2103125795.0000000000416000.00000004.00000001.sdmpString found in binary or memory: https://digitalseven.net.co/wp-touch.php
Source: wscript.exe, 00000007.00000002.2103079304.000000000033C000.00000004.00000001.sdmpString found in binary or memory: https://digitalseven.net.co/wp-touch.php#
Source: wscript.exe, 00000007.00000002.2103125795.0000000000416000.00000004.00000001.sdmpString found in binary or memory: https://dortome.net/wp-touch.php
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable Editing" button from the yellow bar above. ,, Once You have enabled editing, please click "E
Source: Screenshot number: 4Screenshot OCR: Enable Content" button. 13 14 15 16 " 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: NC.4131.xlsInitial sample: WORKSPACE
Microsoft Office drops suspicious filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\AOIK9.vbsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbsJump to behavior
Potential malicious VBS script found (suspicious strings)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: PQPA = Array(VfXnSKQ,QFmoB9L,gIsxz,ODxSe)Dim AKuBvCSN: Set AKuBvCSN = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: PQPA = Array(VfXnSKQ,QFmoB9L,gIsxz,ODxSe)Dim AKuBvCSN: Set AKuBvCSN = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: PQPA = Array(VfXnSKQ,QFmoB9L,gIsxz,ODxSe)Dim AKuBvCSN: Set AKuBvCSN = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: PQPA = Array(VfXnSKQ,QFmoB9L,gIsxz,ODxSe)Dim AKuBvCSN: Set AKuBvCSN = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: PQPA = Array(VfXnSKQ,QFmoB9L,gIsxz,ODxSe)Dim AKuBvCSN: Set AKuBvCSN = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: PQPA = Array(VfXnSKQ,QFmoB9L,gIsxz,ODxSe)Dim AKuBvCSN: Set AKuBvCSN = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
Source: NC.4131.xlsOLE indicator, VBA macros: true
Source: classification engineClassification label: mal100.expl.evad.winXLS@11/8@2/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\0BCE0000Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC2B2.tmpJump to behavior
Source: NC.4131.xlsOLE indicator, Workbook stream: true
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\AOIK9.vbs
Source: unknownProcess created: C:\Windows\explorer.exe
Source: unknownProcess created: C:\Windows\explorer.exe
Source: unknownProcess created: C:\Windows\explorer.exe
Source: unknownProcess created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\explorer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: NC.4131.xlsVirustotal: Detection: 15%
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\AOIK9.vbs
Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\AOIK9.vbs'
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbs
Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbs'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\AOIK9.vbsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbsJump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\AOIK9.vbs' Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\lR5ZHrU.vbs' Jump to behavior
Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\explorer.exeFile opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\explorer.exe TID: 2336Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2336Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2420Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2508Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2508Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2624Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\System32\wscript.exe TID: 2752Thread sleep time: -60000s >= -30000sJump to behavior
Source: explorer.exe, 00000006.00000003.2091355779.000000000046A000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)Show sources
Source: C:\Windows\System32\wscript.exeNetwork Connect: 192.81.249.5 187Jump to behavior
Injects code into the Windows Explorer (explorer.exe)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2364 base: 50000 value: 01Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2364 base: 50020 value: 9AJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2364 base: 7FFFFFDD368 value: 00Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2516 base: 50000 value: 01Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2516 base: 50020 value: 9AJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2516 base: 7FFFFFDF368 value: 00Jump to behavior
Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting321Path InterceptionProcess Injection21Masquerading1OS Credential DumpingSecurity Software Discovery11Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution23Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion2Security Account ManagerRemote System Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection21NTDSFile and Directory Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting321LSA SecretsSystem Information Discovery3SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet