Analysis Report INV8222874744_20210111490395.xlsm

Overview

General Information

Sample Name:	INV8222874744_20210111490395.xlsm
Analysis ID:	338363
MD5:	032734a3c93c44855955d4769b7ded98
SHA1:	f38cd18659e0fb5d862bac1d9f24691dda4a292c
SHA256:	1e66c639f157fa066c2e4070a46cb0af32548f4fba63684120513433059cd26d
Tags:	Dridexxlsm
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Dridex e-Banking trojan

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Document contains an embedded VBA macro which may execute processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Anomaly

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query network adapater information

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the installation date of Windows

Registers a DLL

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 4.2.regsvr32.exe.3a0000.2.raw.unpack

Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 30341", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 8", "59.206.114.228:65153", "255.255.255.127:5491", "15.183.20.119:53893", "15.132.203.2:0", "70.129.254.255:65535", "127.114.235.190:65535", "255.127.104.242:15033", "162.104.101.15:41265"]}

Multi AV Scanner detection for submitted file

Source: INV8222874744_20210111490395.xlsm

ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 217.174.149.3:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49198 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49214 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49240 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49268 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49276 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49280 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49288 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49312 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49320 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49324 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49328 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49332 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49336 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49340 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49344 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49352 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49356 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49360 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49364 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49372 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49376 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49384 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49408 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 80.86.91.27:3308
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.100.228.233:3389
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 46.105.131.65:1512

Source: Joe Sandbox View	IP Address: 5.100.228.233 5.100.228.233
Source: Joe Sandbox View	IP Address: 80.86.91.27 80.86.91.27
Source: Joe Sandbox View	IP Address: 46.105.131.65 46.105.131.65

Source: Joe Sandbox View	ASN Name: SENTIANL SENTIANL
Source: Joe Sandbox View	ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37

Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: DWWIN.EXE, 00000007.00000002.2238503044.00000000004A8000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: DWWIN.EXE, 00000007.00000002.2238488344.0000000000482000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enpw
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2243054454.0000000003900000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238527627.00000000004E9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2393787843.00000000020C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2243298367.0000000003EA0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2392785990.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2392840096.0000000001CC0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2238957386.0000000002310000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2393787843.00000000020C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2243298367.0000000003EA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65:1512/t
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2392699066.00000000004DF000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2392699066.00000000004DF000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/7Q
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/T
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49344
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 49336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 49380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49332
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 49292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 49324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49280
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49344 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49316
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49312
Source: unknown	Network traffic detected: HTTP traffic on port 49304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49300
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown	Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown	Network traffic detected: HTTP traffic on port 49332 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49380
Source: unknown	Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49376
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49372
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49408
Source: unknown	Network traffic detected: HTTP traffic on port 49364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49404
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 49376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown	Network traffic detected: HTTP traffic on port 49296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49364
Source: unknown	Network traffic detected: HTTP traffic on port 49408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49360
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49356
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 49300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443

Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")			Name: pagesREviewsd
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")			Name: pagesREviewsd

Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49170
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49171
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49172
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49172
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49180
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49180
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49182
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49184
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49184
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49186
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49187
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49190
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49191
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49194
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49195
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49198
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49199
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49202
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49203
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49206
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49207
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49208
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49208

Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL
Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL
Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL
Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B22A0 NtDelayExecution,	4_2_003B22A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CBE30 NtClose,	4_2_003CBE30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,	4_2_0025B780
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025BA14 NtSetInformationProcess,	4_2_0025BA14

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A5150	4_2_003A5150
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BD030	4_2_003BD030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1020	4_2_003C1020
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C5CB0	4_2_003C5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BE0A0	4_2_003BE0A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CDCA0	4_2_003CDCA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C50A0	4_2_003C50A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C4CA0	4_2_003C4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B98DA	4_2_003B98DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003AACD0	4_2_003AACD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BA0D0	4_2_003BA0D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B88C0	4_2_003B88C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B8CC0	4_2_003B8CC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A1570	4_2_003A1570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B7564	4_2_003B7564
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003AF9A0	4_2_003AF9A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BC590	4_2_003BC590
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BD980	4_2_003BD980
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CD180	4_2_003CD180
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C89F0	4_2_003C89F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C71F0	4_2_003C71F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BFDD0	4_2_003BFDD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C0220	4_2_003C0220
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CD620	4_2_003CD620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003ACA10	4_2_003ACA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CFA10	4_2_003CFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A9E70	4_2_003A9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B9E70	4_2_003B9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BA660	4_2_003BA660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C7660	4_2_003C7660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C2E60	4_2_003C2E60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1240	4_2_003C1240
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B8AB0	4_2_003B8AB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1EB0	4_2_003C1EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C26B0	4_2_003C26B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BAE80	4_2_003BAE80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BB6F0	4_2_003BB6F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B8EF0	4_2_003B8EF0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C62F0	4_2_003C62F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BF6E0	4_2_003BF6E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A6AD0	4_2_003A6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B96D0	4_2_003B96D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CFA10	4_2_003CFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C3EC0	4_2_003C3EC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1730	4_2_003C1730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C9B10	4_2_003C9B10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C3B00	4_2_003C3B00
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B5B60	4_2_003B5B60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BBF50	4_2_003BBF50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BE3F0	4_2_003BE3F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B67C8	4_2_003B67C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B83C0	4_2_003B83C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B7FC0	4_2_003B7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C7FC0	4_2_003C7FC0

Source: INV8222874744_20210111490395.xlsm	OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function view_1_a_Layout			Name: view_1_a_Layout

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll.
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll.
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 2456
Source: unknown	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 2456
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll.	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 2456	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll.	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 2456	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Analysis Report INV8222874744_20210111490395.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Source: INV8222874744_20210111490395.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: INV8222874744_20210111490395.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000400A push esi; retf	4_2_1000401D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010810 pushfd ; retf	4_2_1001084E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000D856 push ebp; retf	4_2_1000D85E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000E8F3 pushad ; iretd	4_2_1000E8F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10002140 push ecx; ret	4_2_100021B6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001CD9B push esp; retf	4_2_1001CDB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000C265 push 588A19FDh; iretd	4_2_1000C278
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10020A73 push edx; iretd	4_2_10020A9C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000FEBF push eax; iretd	4_2_1000FEC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000FEFA push 00000000h; iretd	4_2_1000FF10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10023EFF push eax; iretd	4_2_10023F64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000C304 push 588A1BCDh; iretd	4_2_1000C314
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010307 push esp; retf	4_2_10010308
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000CF15 push 0000002Dh; iretd	4_2_1000CF1C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001DB23 push eax; iretd	4_2_1001DB34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10020B27 push eax; iretd	4_2_10020B28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000DFC7 pushad ; iretd	4_2_1000DFC8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10023FEB push edx; ret	4_2_10024001
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100107FB pushfd ; retf	4_2_1001084E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025BFB0 push edx; ret	4_2_0025C269
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00227172 push dword ptr [ebp+ecx*8-49h]; retf	4_2_00227176
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002462CD pushad ; iretd	4_2_002462E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023F6CD push esi; ret	4_2_0023F6D7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0022899D push 00000369h; ret	4_2_00228A28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002289CD push 00000369h; ret	4_2_00228A28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024FB74 push esi; ret	4_2_0024FB8B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00221D11 push FFFFFFD5h; ret	4_2_00221D18
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00220E8F push esi; ret	4_2_00220E94

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2488	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -501000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -798000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -780000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -644000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -795000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -426000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -730000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -718000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -131000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -173000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -308000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -652000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -284000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -648000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -488000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -241000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -552000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -620000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -332000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -755000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -296000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -531000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -678000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -556000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -668000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -996000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -640000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -324000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -168000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -510000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -257000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -625000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -770000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -276000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -157000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -459000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -358000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -496000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -534000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -283000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -536000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -423000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -301000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -684000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -411000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -1020000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -795000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -429000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -495000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -269000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -319000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -302000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -805000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -528000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -313000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -266000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -338000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -129000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -408000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -335000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -484000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -484000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -326000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -251000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -378000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -304000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -292000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -145000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -474000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -318000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -303000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -306000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -311000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -390000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -149000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -294000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -287000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -155000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -245000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -317000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -350000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -325000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -342000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -564000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -174000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -333000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -320000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -263000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -305000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -247000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -268000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -285000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2572	Thread sleep time: -344000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE TID: 2820	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025B5D0 mov eax, dword ptr fs:[00000030h]		4_2_0025B5D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025B6E0 mov eax, dword ptr fs:[00000030h]		4_2_0025B6E0

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 80.86.91.27 236	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 5.100.228.233 61	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 46.105.131.65 232	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 77.220.64.37 187	Jump to behavior

Source: regsvr32.exe, 00000003.00000002.2392737510.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2392806725.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.2392737510.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2392806725.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.2392737510.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2392806725.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: !Progman

IP	Domain	Country	ASN	ASN Name	Malicious
217.174.149.3	unknown	Bulgaria	31083	TELEPOINTBG	false
5.100.228.233	unknown	Netherlands	8315	SENTIANL	true
80.86.91.27	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
46.105.131.65	unknown	France	16276	OVHFR	true
77.220.64.37	unknown	Italy	44160	INTERNETONEInternetServicesProviderIT	true

Name	IP	Active
media-server.skyinternet.com.pk	217.174.149.3	true
cdn.digicertcdn.com	104.18.10.39	true

ID:	338363
Product:	CloudBasic
Start time:	07:42:27
Start date:	12.01.2021
Sample:	INV8222874744_20210111490395.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	032734a3c93c44855955d4769b7ded98
SHA1:	f38cd18659e0fb5d862bac1d9f24691dda4a292c
SHA256:	1e66c639f157fa066c2e4070a46cb0af32548f4fba63684120513433059cd26d
Filetype:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%