Loading ...

Play interactive tourEdit tour

Analysis Report ZV.8802.xls

Overview

General Information

Sample Name:ZV.8802.xls
Analysis ID:299355
MD5:95176c592ec9482fa46274f0382098fd
SHA1:2646c2cd8120d25bbc41e47b03daa193007bb60d
SHA256:00a6bacbe7d5b5366acdafef7886dc22e185c12542befaf4539df2b187230278

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1960 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • explorer.exe (PID: 2488 cmdline: explorer C:\Windows\System32\cmd.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 2500 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • cmd.exe (PID: 2508 cmdline: 'C:\Windows\System32\cmd.exe' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
ZV.8802.xlsJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Software Vulnerabilities:

    barindex
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
    Source: explorer.exe, 00000002.00000002.2105524745.0000000001D80000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2233310047.0000000001CD0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: explorer.exe, 00000002.00000002.2105524745.0000000001D80000.00000002.00000001.sdmp, explorer.exe, 00000003.00000002.2233310047.0000000001CD0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA

    System Summary:

    barindex
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: ZV.8802.xlsInitial sample: WORKSPACE
    Found abnormal large hidden Excel 4.0 Macro sheetShow sources
    Source: ZV.8802.xlsInitial sample: Sheet size: 7225
    Source: ZV.8802.xlsOLE indicator, VBA macros: true
    Source: classification engineClassification label: mal56.expl.evad.winXLS@6/6@0/0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\96EE0000Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDF66.tmpJump to behavior
    Source: ZV.8802.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\System32\cmd.exeConsole Write: ...................J............M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .[.V.e.r.s.i.o.n. .6...1...7.6.0.1.]. ./......./.....H........./.............Jump to behavior
    Source: C:\Windows\System32\cmd.exeConsole Write: ................................................d1......................8..Q............`{.J.......J............X./.............../.............Jump to behavior
    Source: C:\Windows\System32\cmd.exeConsole Write: ................................................d1......................8..Q............`{.J.......J....................~........./.............Jump to behavior
    Source: C:\Windows\System32\cmd.exeConsole Write: ................................................d1......................8..Q............`{.J.......J............X./.............../.............Jump to behavior
    Source: C:\Windows\System32\cmd.exeConsole Write: ................\..........................................................Q...............J.......J............../.............................Jump to behavior
    Source: C:\Windows\System32\cmd.exeConsole Write: ................\...............C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>....................J.... . J............../.....(..................J....Jump to behavior
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: unknownProcess created: C:\Windows\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exeJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\explorer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknownProcess created: C:\Windows\explorer.exe explorer C:\Windows\System32\cmd.exe
    Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\explorer.exe explorer C:\Windows\System32\cmd.exeJump to behavior
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' Jump to behavior
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F849CCE-2546-4B9F-B03E-4004781BDC40}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\explorer.exeFile opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
    Source: C:\Windows\explorer.exe TID: 2496Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2496Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2524Thread sleep time: -60000s >= -30000sJump to behavior
    Source: explorer.exe, 00000003.00000003.2105180065.00000000003FB000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Injects code into the Windows Explorer (explorer.exe)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2488 base: 50000 value: 01Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2488 base: 50020 value: 9AJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEMemory written: PID: 2488 base: 7FFFFFD8368 value: 00Jump to behavior
    Source: Yara matchFile source: ZV.8802.xls, type: SAMPLE
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsCommand and Scripting Interpreter1Path InterceptionProcess Injection11Masquerading1OS Credential DumpingSecurity Software Discovery11Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScripting21Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting21NTDSSystem Information Discovery3Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 299355 Sample: ZV.8802.xls Startdate: 16/10/2020 Architecture: WINDOWS Score: 56 15 Found abnormal large hidden Excel 4.0 Macro sheet 2->15 17 Found Excel 4.0 Macro with suspicious formulas 2->17 6 EXCEL.EXE 59 25 2->6         started        9 explorer.exe 2->9         started        process3 signatures4 19 Injects code into the Windows Explorer (explorer.exe) 6->19 21 Document exploit detected (process start blacklist hit) 6->21 11 explorer.exe 6->11         started        13 cmd.exe 9->13         started        process5

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.