Source: C:\ProgramData\activex.ocx |
ReversingLabs: Detection: 15% |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png |
ReversingLabs: Detection: 15% |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: apperolew[1].png.0.dr |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe |
Jump to behavior |
Source: global traffic |
DNS query: name: www.penrithdentalimplants.com.au |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 160.153.76.195:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 160.153.76.195:443 |
Source: before.2.99.0.sheet.csv_unpack |
Macro 4.0 Deobfuscator: https://www.penrithdentalimplants.com.au/ls/apperolew.png |
Source: Joe Sandbox View |
JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FBD1845.emf |
Jump to behavior |
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: unknown |
DNS traffic detected: queries for: www.penrithdentalimplants.com.au |
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: before.2.99.0.sheet.csv_unpack |
String found in binary or memory: https://www.penrithdentalimplants.com.au/ls/apperolew.png |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49167 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49167 -> 443 |
Source: ORDER787-5.xls |
Initial sample: URLDownloadToFileA |
Source: ORDER787-5.xls |
Initial sample: URLDownloadToFileA |
Source: Screenshot number: 4 |
Screenshot OCR: Enable Content X I FW132 - '," jR V FK FL FM FN FO FP FQ FR FS FT FU FY FIN FX FY FZ GA GB CC GO |
Source: ORDER787-5.xls |
Initial sample: Sheet size: 7889 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\ProgramData\activex.ocx |
Jump to dropped file |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory allocated: 76E20000 page execute and read and write |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory allocated: 76D20000 page execute and read and write |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000B826 |
4_2_1000B826 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10009C77 |
4_2_10009C77 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000BD68 |
4_2_1000BD68 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000C96E |
4_2_1000C96E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10005DD0 |
4_2_10005DD0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000D667 |
4_2_1000D667 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000C2AA |
4_2_1000C2AA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000E6DC |
4_2_1000E6DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100057AA |
4_2_100057AA |
Source: ORDER787-5.xls |
OLE indicator, VBA macros: true |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: String function: 10005D6C appears 35 times |
|
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal100.expl.evad.winXLS@7/13@1/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\CFEE0000 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRDBED.tmp |
Jump to behavior |
Source: ORDER787-5.xls |
OLE indicator, Workbook stream: true |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA |
Jump to behavior |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer |
|
Source: unknown |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: ORDER787-5.xls |
Initial sample: OLE indicators encrypted = True |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc, |
4_2_100018B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10005DB1 push ecx; ret |
4_2_10005DC4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000A65E push ecx; ret |
4_2_1000A671 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_00352040 push dword ptr [edx+14h]; ret |
4_2_0035214D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_003520EA push dword ptr [edx+14h]; ret |
4_2_0035214D |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\ProgramData\activex.ocx |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\ProgramData\activex.ocx |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: ORDER787-5.xls |
Stream path 'Workbook' entropy: 7.98610242414 (max. 8.0) |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png |
Jump to dropped file |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc, |
4_2_100018B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10004844 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_10004844 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc, |
4_2_100018B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_001A0456 mov eax, dword ptr fs:[00000030h] |
4_2_001A0456 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_001A095E mov eax, dword ptr fs:[00000030h] |
4_2_001A095E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_001E1030 mov eax, dword ptr fs:[00000030h] |
4_2_001E1030 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10002AB0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, |
4_2_10002AB0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10004844 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_10004844 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10005081 SetUnhandledExceptionFilter,__encode_pointer, |
4_2_10005081 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100050A3 __decode_pointer,SetUnhandledExceptionFilter, |
4_2_100050A3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_1000A672 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, |
4_2_1000A672 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100026C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_100026C4 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_100090B2 cpuid |
4_2_100090B2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
4_2_1000E4AD |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10007F84 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
4_2_10007F84 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_10002AB0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, |
4_2_10002AB0 |