Analysis Report ORDER787-5.xls

Overview

General Information

Sample Name: ORDER787-5.xls
Analysis ID: 336129
MD5: 1d97c6cb50c4107498e4f0e76f539f0c
SHA1: a4dc090837c76aed324bea19c9f62e2d47bb7bc8
SHA256: 1b761a682092f8be6c7e9eef709be08a7105159a5e4ffb7722b0530fba308ba4
Tags: Trickbotxls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found malicious URLs in unpacked macro 4.0 sheet
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\ProgramData\activex.ocx ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png ReversingLabs: Detection: 15%

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: apperolew[1].png.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.penrithdentalimplants.com.au
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 160.153.76.195:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 160.153.76.195:443

Networking:

Found malicious URLs in unpacked macro 4.0 sheet
Source: before.2.99.0.sheet.csv_unpack Macro 4.0 Deobfuscator: https://www.penrithdentalimplants.com.au/ls/apperolew.png
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FBD1845.emf
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.penrithdentalimplants.com.au
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2115864154.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114786564.0000000002087000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: before.2.99.0.sheet.csv_unpack String found in binary or memory: https://www.penrithdentalimplants.com.au/ls/apperolew.png
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Found malicious Excel 4.0 Macro
Source: ORDER787-5.xls Initial sample: URLDownloadToFileA
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Content X I FW132 - '," jR V FK FL FM FN FO FP FQ FR FS FT FU FY FIN FX FY FZ GA GB CC GO
Found Excel 4.0 Macro with suspicious formulas
Source: ORDER787-5.xls Initial sample: CALL
Source: ORDER787-5.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: ORDER787-5.xls Initial sample: Sheet size: 7889
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ProgramData\activex.ocx
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000B826 4_2_1000B826
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10009C77 4_2_10009C77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000BD68 4_2_1000BD68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C96E 4_2_1000C96E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10005DD0 4_2_10005DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000D667 4_2_1000D667
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C2AA 4_2_1000C2AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000E6DC 4_2_1000E6DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100057AA 4_2_100057AA
Document contains embedded VBA macros
Source: ORDER787-5.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10005D6C appears 35 times
Source: rundll32.exe, 00000003.00000002.2115627989.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114348726.0000000001EA0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.expl.evad.winXLS@7/13@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\CFEE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDBED.tmp
Source: ORDER787-5.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ORDER787-5.xls Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc, 4_2_100018B0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10005DB1 push ecx; ret 4_2_10005DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000A65E push ecx; ret 4_2_1000A671
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00352040 push dword ptr [edx+14h]; ret 4_2_0035214D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003520EA push dword ptr [edx+14h]; ret 4_2_0035214D

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ProgramData\activex.ocx
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ProgramData\activex.ocx
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: ORDER787-5.xls Stream path 'Workbook' entropy: 7.98610242414 (max. 8.0)

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\apperolew[1].png

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc, 4_2_100018B0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004844 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10004844
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100018B0 DllRegisterServer,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc, 4_2_100018B0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A0456 mov eax, dword ptr fs:[00000030h] 4_2_001A0456
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A095E mov eax, dword ptr fs:[00000030h] 4_2_001A095E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001E1030 mov eax, dword ptr fs:[00000030h] 4_2_001E1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002AB0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 4_2_10002AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004844 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10004844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10005081 SetUnhandledExceptionFilter,__encode_pointer, 4_2_10005081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100050A3 __decode_pointer,SetUnhandledExceptionFilter, 4_2_100050A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000A672 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 4_2_1000A672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100026C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_100026C4

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\ProgramData\activex.ocx, DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100090B2 cpuid 4_2_100090B2
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_1000E4AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10007F84 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_10007F84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002AB0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 4_2_10002AB0
Behavior Graph

Behavior Graph ID: 336129, Sample: ORDER787-5.xls, Startdate: 05/01/2021, Architecture: WINDOWS, Score: 100.
Top-level signatures: Multi AV Scanner detection for dropped file; Found malicious Excel 4.0 Macro; Document exploit detected (drops PE files); 6 other signatures.
Process chain: EXCEL.EXE started -> rundll32.exe started -> rundll32.exe started -> wermgr.exe started.
EXCEL.EXE: DNS/IP: penrithdentalimplants.com.au 160.153.76.195, port 443, local port 49167, AS-26496-GO-DADDY-COM-LLCUS, United States; www.penrithdentalimplants.com.au. Dropped: C:\Users\user\AppData\...\apperolew[1].png (PE32); C:\ProgramData\activex.ocx (PE32). Signatures: Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile).

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name                     Malicious
160.153.76.195  unknown  United States  26496  AS-26496-GO-DADDY-COM-LLCUS  false

Contacted Domains

Name                              IP              Active
penrithdentalimplants.com.au      160.153.76.195  true
www.penrithdentalimplants.com.au  unknown         unknown