
Analysis Report order.6105.xls

Overview

General Information

Sample Name: order.6105.xls
Analysis ID: 298924
MD5: 02fb17b1244402f59644dafb7647594f
SHA1: f714c6d236025c1d304f18ad921a5bec723f1136
SHA256: d07c31d0ac3a9e4c552cdc6c0aefb7c059a90129ab0c66b2400f56fd9d085831


Detection

Hidden Macro 4.0
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Contains capabilities to detect virtual machines
May sleep (evasive loops) to hinder dynamic analysis
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 856 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 2384 cmdline: explorer C:\Windows\System32\cmd.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2368 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • cmd.exe (PID: 1692 cmdline: 'C:\Windows\System32\cmd.exe' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: order.6105.xls
Rule: MAL_DOC_ZLoader_Oct20_1
Description: Detects weaponized ZLoader documents
Author: Florian Roth
Strings:
  • 0x47e:$sc1: 78 4E FC 04 AB 6B 17 E2 33 E3 49 62 50 69 BB 60 31 00 1E 00 02 4B BA E2 D8 E3 92 22 1E 69 96 20 ...
  • 0x2334:$sc2: 6B 9E E2 36 E3 69 62 72 69 3A 60 55 6E
  • 0x2c83:$sc3: 3E 69 76 60 59 6E 34 FB 87 6B 75

Source: order.6105.xls
Rule: gen_excel_xor_obfuscation_velvetsweatshop
Description: Detect XOR encryption (c. 2003) in Excel file formats
Author: @BouncyHat
Strings:
  • 0x0:$olemarker: D0 CF 11 E0 A1 B1 1A E1 00 00 00
  • 0x214:$FilePass_XOR_Obfuscation_VelvetSweatshop: 2F 00 06 00 00 00 59 B3 0A 9A

Sigma Overview

No Sigma rule has matched

Signature Overview


Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe
Source: explorer.exe, 00000002.00000002.2093226464.0000000001C50000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2222276153.0000000001EA0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000002.00000002.2093226464.0000000001C50000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2222276153.0000000001EA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA

System Summary:

Found Excel 4.0 Macro with suspicious formulas
Source: order.6105.xls | Initial sample: WORKSPACE
Found abnormal large hidden Excel 4.0 Macro sheet
Source: order.6105.xls | Initial sample: Sheet size: 58238
Source: order.6105.xls, type: SAMPLE | Matched rule: MAL_DOC_ZLoader_Oct20_1
  • date = 2020-10-10
  • hash3 = d268af19db475893a3d19f76be30bb063ab2ca188d1b5a70e51d260105b201da
  • hash2 = a2ffabbb1b5a124f462a51fee41221081345ec084d768ffe1b1ef72d555eb0a0
  • hash1 = 668ca7ede54664360b0a44d5e19e76beb92c19659a8dec0e7085d05528df42b5
  • author = Florian Roth
  • description = Detects weaponized ZLoader documents
  • reference = https://twitter.com/JohnLaTwC/status/1314602421977452544
Source: order.6105.xls, type: SAMPLE | Matched rule: gen_excel_xor_obfuscation_velvetsweatshop
  • date = 2020-10-09
  • hash4 = 4e40253b382b20e273edf82362f1c89e916f7ab8d3c518818a76cb6127d4e7c2
  • hash3 = dd3e89e7bde993f6f1b280f2bf933a5cc2797f4e8736aed4010aaf46e9854f23
  • hash2 = 14a32b8a504db3775e793be59d7bd5b584ea732c3ca060b2398137efbfd18d5a
  • hash1 = da1999c23ee2dae02a169fd2208b9766cb8f046a895f5f52bed45615eea94da0
  • author = @BouncyHat
  • description = Detect XOR encryption (c. 2003) in Excel file formats
  • reference0 = https://twitter.com/BouncyHat/status/1308896366782042113
  • reference = https://twitter.com/JohnLaTwC/status/1314602421977452544
  • license = https://creativecommons.org/licenses/by-nc/4.0/
  • contributed_by = @JohnLaTwc
Source: classification engine | Classification label: mal56.expl.evad.winXLS@6/5@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\BADE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD1EE.tmp
Source: order.6105.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\cmd.exe | Console Write: Microsoft Windows [Version 6.1.7601]
Source: C:\Windows\System32\cmd.exe | Console Write: C:\Windows\system32>
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\explorer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\explorer.exe explorer C:\Windows\System32\cmd.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\explorer.exe explorer C:\Windows\System32\cmd.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F849CCE-2546-4B9F-B03E-4004781BDC40}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: order.6105.xls | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe TID: 2328 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2476 | Thread sleep time: -60000s >= -30000s
Source: explorer.exe, 00000003.00000003.2220493832.000000000046B000.00000004.00000001.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2384 base: 50000 value: 01
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2384 base: 50020 value: 9A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Memory written: PID: 2384 base: 7FFFFFDB368 value: 00
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques are listed per tactic; the number in parentheses is the count of matched signatures, and techniques without a number did not match.

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Command and Scripting Interpreter (1); Scripting (2); Exploitation for Client Execution (1); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: Process Injection (1, 1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (1, 1); Scripting (2)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery (1, 1); Virtualization/Sandbox Evasion (2); File and Directory Discovery (1); System Information Discovery (3)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 298924
Sample: order.6105.xls
Start date: 15/10/2020
Architecture: WINDOWS
Score: 56

Process tree and attached signatures (recovered from the graph rendering):
  • Sample: Found abnormal large hidden Excel 4.0 Macro sheet; Found Excel 4.0 Macro with suspicious formulas
    • EXCEL.EXE (started): Injects code into the Windows Explorer (explorer.exe); Document exploit detected (process start blacklist hit)
      • explorer.exe (started)
    • explorer.exe (started)
      • cmd.exe (started)
