Analysis Report Inv0209966048-20210111075675.xls

Overview

General Information

Sample Name:	Inv0209966048-20210111075675.xls
Analysis ID:	338362
MD5:	91baa6aad9201c0ccf3553a5b49eb967
SHA1:	9c182826d5dc041970f31a8d584580f870c3996c
SHA256:	01af3b5c1e2ed68272f542233aece70269a9e977815347a4b9c86bb2d97c086e
Tags:	Dridexxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Dridex e-Banking trojan

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Document contains an embedded VBA macro which may execute processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Anomaly

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the installation date of Windows

Registers a DLL

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Found malware configuration

Source: 4.2.regsvr32.exe.590000.1.raw.unpack

Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}

Multi AV Scanner detection for submitted file

Source: Inv0209966048-20210111075675.xls	Virustotal: Detection: 45%	Perma Link
Source: Inv0209966048-20210111075675.xls	Metadefender: Detection: 16%	Perma Link
Source: Inv0209966048-20210111075675.xls	ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lwjmdgav.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\w80l82r[1].zip	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 104.27.153.52:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49187 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49195 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49199 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49212 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49216 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49224 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49233 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49238 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49242 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49250 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49262 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49266 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49270 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49274 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49278 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49286 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49290 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49294 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49298 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49306 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49314 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49318 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49322 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49326 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49330 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49334 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49338 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49342 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49346 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49354 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49358 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49362 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49366 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49370 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49374 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49378 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49382 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49390 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49406 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49410 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 80.86.91.27:3308
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 5.100.228.233:3389
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 46.105.131.65:1512

Source: Joe Sandbox View	IP Address: 5.100.228.233 5.100.228.233
Source: Joe Sandbox View	IP Address: 80.86.91.27 80.86.91.27
Source: Joe Sandbox View	IP Address: 46.105.131.65 46.105.131.65
Source: Joe Sandbox View	IP Address: 77.220.64.37 77.220.64.37

Source: Joe Sandbox View	ASN Name: SENTIANL SENTIANL
Source: Joe Sandbox View	ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37

Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261028499.000000000369D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000003.2205271774.00000000003D0000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261028499.000000000369D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2409391868.0000000002390000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261214468.0000000004000000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2406957167.0000000001D90000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2407102495.00000000009A0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2257019838.00000000024C0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2409391868.0000000002390000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261214468.0000000004000000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65/
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65:1512/an
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233/=
Source: regsvr32.exe, 00000004.00000003.2205277449.00000000003DD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2406908102.000000000033F000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/H
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/In
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/in
Source: regsvr32.exe, 00000004.00000002.2406908102.000000000033F000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/o
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/-39;
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/0;
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://80.86.91.27/
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://80.86.91.27:3308/TATE
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp	String found in binary or memory: https://80.86.91.27:3308/XPRE
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49342
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49342 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49338
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49330
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 49262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49290
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49322
Source: unknown	Network traffic detected: HTTP traffic on port 49330 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown	Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown	Network traffic detected: HTTP traffic on port 49338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49274
Source: unknown	Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49306
Source: unknown	Network traffic detected: HTTP traffic on port 49326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown	Network traffic detected: HTTP traffic on port 49290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49406 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49262
Source: unknown	Network traffic detected: HTTP traffic on port 49370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49382
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49378 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown	Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49378
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49410
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49374
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49370
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49406
Source: unknown	Network traffic detected: HTTP traffic on port 49410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49366
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49362
Source: unknown	Network traffic detected: HTTP traffic on port 49334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49358
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228

Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")			Name: pagesREviewsd
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")			Name: pagesREviewsd

Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49166
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49168
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49169
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49169
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49171
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49172
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49177
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49177
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49180
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49181
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49181
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49184
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49185
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49185
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49187
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49189
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49189
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49191
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49193
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49193
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49195
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49197
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49197
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49199
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49201
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49201
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49203
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49205
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49205

Source: Inv0209966048-20210111075675.xls	Initial sample: CALL
Source: Inv0209966048-20210111075675.xls	Initial sample: CALL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\lwjmdgav.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\w80l82r[1].zip			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A22A0 NtDelayExecution,		4_2_008A22A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008BBE30 NtClose,		4_2_008BBE30

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00895150	4_2_00895150
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AE0A0	4_2_008AE0A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008BDCA0	4_2_008BDCA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B50A0	4_2_008B50A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B4CA0	4_2_008B4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B5CB0	4_2_008B5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A88C0	4_2_008A88C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A8CC0	4_2_008A8CC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A98DA	4_2_008A98DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0089ACD0	4_2_0089ACD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AA0D0	4_2_008AA0D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B1020	4_2_008B1020
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AD030	4_2_008AD030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AD980	4_2_008AD980
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008BD180	4_2_008BD180
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AC590	4_2_008AC590
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0089F9A0	4_2_0089F9A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AFDD0	4_2_008AFDD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B89F0	4_2_008B89F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B71F0	4_2_008B71F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A7564	4_2_008A7564
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00891570	4_2_00891570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AAE80	4_2_008AAE80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A8AB0	4_2_008A8AB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B1EB0	4_2_008B1EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B26B0	4_2_008B26B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B3EC0	4_2_008B3EC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008BFA10	4_2_008BFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00896AD0	4_2_00896AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A96D0	4_2_008A96D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AF6E0	4_2_008AF6E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AB6F0	4_2_008AB6F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A8EF0	4_2_008A8EF0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B62F0	4_2_008B62F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0089CA10	4_2_0089CA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008BFA10	4_2_008BFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B0220	4_2_008B0220
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008BD620	4_2_008BD620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B1240	4_2_008B1240
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AA660	4_2_008AA660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B7660	4_2_008B7660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B2E60	4_2_008B2E60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00899E70	4_2_00899E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A9E70	4_2_008A9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A67C8	4_2_008A67C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A83C0	4_2_008A83C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A7FC0	4_2_008A7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B7FC0	4_2_008B7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008AE3F0	4_2_008AE3F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B3B00	4_2_008B3B00
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B9B10	4_2_008B9B10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008B1730	4_2_008B1730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008ABF50	4_2_008ABF50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_008A5B60	4_2_008A5B60

Source: Inv0209966048-20210111075675.xls	OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function view_1_a_Layout			Name: view_1_a_Layout

Source: w80l82r[1].zip.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: w80l82r[1].zip.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: w80l82r[1].zip.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: w80l82r[1].zip.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lwjmdgav.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lwjmdgav.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lwjmdgav.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lwjmdgav.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll.
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll.
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1488
Source: unknown	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1488
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll.	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1488	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll.	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1488	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Analysis Report Inv0209966048-20210111075675.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Source: w80l82r[1].zip.0.dr	Static PE information: section name: .rdata3
Source: w80l82r[1].zip.0.dr	Static PE information: section name: .2
Source: w80l82r[1].zip.0.dr	Static PE information: section name: .rdata2
Source: w80l82r[1].zip.0.dr	Static PE information: section name: .text4
Source: lwjmdgav.dll.0.dr	Static PE information: section name: .rdata3
Source: lwjmdgav.dll.0.dr	Static PE information: section name: .2
Source: lwjmdgav.dll.0.dr	Static PE information: section name: .rdata2
Source: lwjmdgav.dll.0.dr	Static PE information: section name: .text4

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000400A push esi; retf	4_2_1000401D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010810 pushfd ; retf	4_2_1001084E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000D856 push ebp; retf	4_2_1000D85E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000E8F3 pushad ; iretd	4_2_1000E8F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10002140 push ecx; ret	4_2_100021B6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001CD9B push esp; retf	4_2_1001CDB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000C265 push 588A19FDh; iretd	4_2_1000C278
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10020A73 push edx; iretd	4_2_10020A9C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000FEBF push eax; iretd	4_2_1000FEC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000FEFA push 00000000h; iretd	4_2_1000FF10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10023EFF push eax; iretd	4_2_10023F64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000C304 push 588A1BCDh; iretd	4_2_1000C314
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010307 push esp; retf	4_2_10010308
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000CF15 push 0000002Dh; iretd	4_2_1000CF1C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001DB23 push eax; iretd	4_2_1001DB34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10020B27 push eax; iretd	4_2_10020B28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000DFC7 pushad ; iretd	4_2_1000DFC8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10023FEB push edx; ret	4_2_10024001
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100107FB pushfd ; retf	4_2_1001084E

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2932	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -405000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -528000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -334000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -337000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -417000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -638000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -396000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -705000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -279000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -504000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -698000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -1036000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -507000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -602000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -348000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -917000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -684000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -486000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -278000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -804000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -513000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -692000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -304000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -1120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -744000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -326000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -532000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -358000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -318000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -468000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -316000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -272000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -642000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -715000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -411000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -314000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -153000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -588000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -525000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -292000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -310000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -712000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -290000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -477000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -453000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -351000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -512000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -608000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -292000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -327000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -532000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -552000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -568000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -650000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -488000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -331000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -244000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -387000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -265000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -320000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -512000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -604000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -483000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -322000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -245000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -332000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -263000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -516000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -375000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -356000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -353000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -157000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -341000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -1002000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -616000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -296000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -121000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -149000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -242000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -287000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -248000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -315000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -170000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -249000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -305000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -329000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -272000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -298000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -333000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 912	Thread sleep time: -283000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE TID: 2464	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 80.86.91.27 236	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 5.100.228.233 61	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 46.105.131.65 232	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 77.220.64.37 187	Jump to behavior

Source: regsvr32.exe, 00000003.00000002.2406916766.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2408754129.0000000000F90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.2406916766.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2408754129.0000000000F90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.2406916766.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2408754129.0000000000F90000.00000002.00000001.sdmp	Binary or memory string: !Progman

IP	Domain	Country	ASN	ASN Name	Malicious
5.100.228.233	unknown	Netherlands	8315	SENTIANL	true
80.86.91.27	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
46.105.131.65	unknown	France	16276	OVHFR	true
104.27.153.52	unknown	United States	13335	CLOUDFLARENETUS	false
77.220.64.37	unknown	Italy	44160	INTERNETONEInternetServicesProviderIT	true

Name	IP	Active
education.scrollx.in	104.27.153.52	true
cdn.digicertcdn.com	104.18.11.39	true

ID:	338362
Product:	CloudBasic
Start time:	07:38:42
Start date:	12.01.2021
Sample:	Inv0209966048-20210111075675.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	91baa6aad9201c0ccf3553a5b49eb967
SHA1:	9c182826d5dc041970f31a8d584580f870c3996c
SHA256:	01af3b5c1e2ed68272f542233aece70269a9e977815347a4b9c86bb2d97c086e
Filetype:	Microsoft Excel sheet (30009/1) 47.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	data	E4A68AC854AC5242460AFD72481B2A44	DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58936 bytes, 1 file	E4F1E21910443409E81E5B55DC8DE774	EC0885660BD216D0CDD5E6762B2F595376995BD0	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	data	AEC41C62F344451AF6BE3D04A4AD3094	A890D05906731612A72AB63F90B0B9F0D16BA047	3F0E01BBF2031B41F0601EFD45730346E529CB6CEE6F92959EEC94F277EC34A0
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	26C0ED9FA0004EB0BFEB3AEE6533A372	D849F27AFE0DF2D0E72731A32EA80BC4B47EAF86	8F3FD30E7B20189BCAD9C1BC7D1DF5B9840DD1EF4F65010631A0D31A73208B9D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\w80l82r[1].zip	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	597B02A17B8C012E25FA0A668004163B	424A6F131D5C765EFDB28E5CAAE5FE2834A82BB0	E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FECA1BF.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	40550DC2F9D56285FA529159B8F2C6A5	DD81D41D283D2881BEC77E00D773C7E8C0744DA3	DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_EXCEL.EXE_6f227b18f49da44a2d1889aa10939f535bdc_0bd2ab0e\Report.wer	data	09ED45F1BA180F7C4BDDCCFA2421196B	CB7694D9A8C328754E2429EDA921C470501C1A4A	A3DBC50E1A6C991DD5DB447B5F0FD0E1190ED0D7BC2F293EB48D40482AF232DE
C:\Users\user\AppData\Local\Temp\050F0000	data	DA02AD566D93F2D945AC338963991BC5	4063109EE9F53A1861E52F7AFA3F1C5D6C73097A	ECF16677D55711C79661EFF5BAC0BF3E15FEB1AF8253F949745F1B05B6F6F6E2
C:\Users\user\AppData\Local\Temp\1008733.cvr	data	C23C2CB0AC8870BA2D7A92D96A5C3420	93FE60278681E0D0C176645B609A24BC62B1FCE9	2088A32187446B5C244EC82A7055CAD344C1F2E7ED2FD6E73BB3E40B1CC1A67A
C:\Users\user\AppData\Local\Temp\Cab35C0.tmp	Microsoft Cabinet archive data, 58936 bytes, 1 file	E4F1E21910443409E81E5B55DC8DE774	EC0885660BD216D0CDD5E6762B2F595376995BD0	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd	data	79ACF2719DAC45A44EDF4D3DCA6AB037	1F88A4B82DAF8ED65839BA35BAC0E149CBDC371F	026D105273980DB35AF04B25470B59480B09F204229B76FBD12541E7CD588388
C:\Users\user\AppData\Local\Temp\Tar35C1.tmp	data	D0682A3C344DFC62FB18D5A539F81F61	09D3E9B899785DA377DF2518C6175D70CCF9DA33	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
C:\Users\user\AppData\Local\Temp\WER4960.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	FA8FD1AB99C64263B25A5078306E7258	3F60633349BCDA67D767B24FE6546F3C964928A5	712A58072649026F50E8B0D1B5A85CDFFD1007D06B75FA4EC371BE62B7D39AFE
C:\Users\user\AppData\Local\Temp\lwjmdgav.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	597B02A17B8C012E25FA0A668004163B	424A6F131D5C765EFDB28E5CAAE5FE2834A82BB0	E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 12 14:40:00 2021, atime=Tue Jan 12 14:40:00 2021, length=8192, window=hide	7D2E1392D21BFDB63A02967DAF8F3EA1	B6372166FBA7F4D23C48D0B525871B2CFAE591EA	68A16DBEB58774F7E0B5BEF3EA7B9A2BB54AF9EB844D83A83E7EE971822FF450
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Inv0209966048-20210111075675.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Tue Jan 12 14:40:00 2021, atime=Tue Jan 12 14:40:08 2021, length=116736, window=hide	8AA71395F36DD05D7F678BDDFE5E0F85	5F1CF53E665E4A8E68E7E989BCDFE7242172E5CD	9C8EF792AF8253F0D968B1F7524E7BF7096AB230916E36FA256E9D540969C6F5
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	5CE2708381A90ED1D526BE053A53D751	A954E918482248CC0536EBE0CFA342BA6FB1AD2B	1A300C84B22416BF6CB9056F99C0B14D664513A9EF079AAF8FC3000D70063485
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZEL5A6R0.txt	ASCII text	5BDB156BC8D2594BFF328E256D968F80	8ACFD6C11D2E7CFF78EFC39B84AE79141C57B568	DAE9AA8B5A1AF68AAFF70D8E1045447B2AA05154C57F6BF27581996CA9FB3DD0