Analysis Report sample20210113-01.xlsm

Overview

General Information

Sample Name: sample20210113-01.xlsm
Analysis ID: 339173
MD5: b777540ad31de24618cb9818debb2fd4
SHA1: 6e18fab506aefe0e1d1bdbb7bf61963075a4db61
SHA256: 39c47b42df4d66fe9b9e4cb03f486a6a8a11770010dd6537c55d2899b2e2021a
Tags: Dridex, xlsm

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.bf0000.0.raw.unpack Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 3", "221.126.244.72:443", "195.231.69.151:3889", "157.7.166.26:5353"]}
Multi AV Scanner detection for domain / URL
Source: http://bipolarmalta.mccarthy.ws/lpxtpiw.zip Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: sample20210113-01.xlsm Virustotal: Detection: 25%
Source: sample20210113-01.xlsm ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ndrztpo.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49187 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49265 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49271 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49277 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49283 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49290 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49302 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49313 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CDCEF8 FindFirstFileExW, 4_2_00CDCEF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_004ECEF8 FindFirstFileExW, 6_2_004ECEF8

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: lpxtpiw[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bipolarmalta.mccarthy.ws
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 221.126.244.72:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 35.214.225.210:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49167
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49170
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49171
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49175
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49177
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49176
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49179
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49181
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49183
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49182
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49185
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49187
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49188
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49189
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49191
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49193
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49194
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49195
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49197
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49199
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49200
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49201
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49203
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49205
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49206
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49207
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49209
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49211
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49213
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49212
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49215
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49217
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49219
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49218
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49221
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49223
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49224
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49225
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49227
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49229
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49231
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49230
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49233
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49235
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49237
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49236
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49239
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49241
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49243
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49242
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49245
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49247
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49249
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49248
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49251
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49253
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49255
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49254
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49257
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49259
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49261
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49260
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49263
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49265
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49267
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49266
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49269
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49271
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49273
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49272
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49275
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49277
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49279
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49278
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49281
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49283
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49285
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49284
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49287
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49289
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49291
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49290
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49293
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49295
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49297
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49296
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49299
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49301
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49303
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49302
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49305
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49307
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49309
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49308
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 195.231.69.151:3889 -> 192.168.2.22:49311
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49313
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.231.69.151:3889
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 15:38:57 GMT Content-Type: application/zip Content-Length: 303616 Connection: keep-alive Last-Modified: Fri, 18 Dec 2020 21:13:44 GMT ETag: "4a200-5b6c39557f200" alt-svc: quic=":443"; ma=86400; v="43,39" Host-Header: 624d5be7be38418a3e2a818cc8b7029b X-Proxy-Cache: HIT Accept-Ranges: bytes
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /lpxtpiw.zip HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bipolarmalta.mccarthy.ws Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyu828kp.rar HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: oudtshoornpharmacies.co.za Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /usc3d1.rar HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: sendgrid.invoteqleads.com Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 221.126.244.72
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 221.126.244.72
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 221.126.244.72
Source: unknown TCP traffic detected without corresponding DNS query: 221.126.244.72
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknown TCP traffic detected without corresponding DNS query: 157.7.166.26
Source: unknown TCP traffic detected without corresponding DNS query: 195.231.69.151
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CE39F9 InternetReadFile, 4_2_00CE39F9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\272CF97F.emf
Source: global traffic HTTP traffic detected: GET /lpxtpiw.zip HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bipolarmalta.mccarthy.ws Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyu828kp.rar HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: oudtshoornpharmacies.co.za Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /usc3d1.rar HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: sendgrid.invoteqleads.com Connection: Keep-Alive
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385418324.0000000000598000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385418324.0000000000598000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bipolarmalta.mccarthy.ws
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp String found in binary or memory: http://crl.microsoft.v&
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.2116675387.0000000003292000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dbc0fc39602ef
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE~w5
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385418324.0000000000598000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000003.00000002.2385462250.0000000001E20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2385318587.0000000000690000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385314469.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2385487805.00000000009B0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2117872818.0000000001CF0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2386925336.0000000002380000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386727384.0000000002380000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: https://157.7.166.26/
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: https://157.7.166.26:5353/
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: https://195.231.69.151/
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp String found in binary or memory: https://195.231.69.151/c7
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp String found in binary or memory: https://195.231.69.151/d7
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: https://195.231.69.151:3889/
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp String found in binary or memory: https://195.231.69.151:3889/G
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp String found in binary or memory: https://195.231.69.151:3889/hy
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385411279.0000000000591000.00000004.00000020.sdmp String found in binary or memory: https://221.126.244.72/
Source: regsvr32.exe, 00000004.00000002.2385192060.00000000005CF000.00000004.00000020.sdmp String found in binary or memory: https://221.126.244.72/3
Source: regsvr32.exe, 00000004.00000002.2385192060.00000000005CF000.00000004.00000020.sdmp String found in binary or memory: https://221.126.244.72/O
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49296
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49295
Source: unknown Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49290
Source: unknown Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49289
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown Network traffic detected: HTTP traffic on port 49301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49283
Source: unknown Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49313
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49278
Source: unknown Network traffic detected: HTTP traffic on port 49295 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49277
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49289 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49272
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown Network traffic detected: HTTP traffic on port 49290 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49272 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown Network traffic detected: HTTP traffic on port 49296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49283 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49187 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49265 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49271 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49277 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49283 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49290 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49302 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknown HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49313 version: TLS 1.2

E-Banking Fraud:

Detected Dridex e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CB5150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 4_2_00CB5150
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_004C5150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 6_2_004C5150

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function mi_1, API Run("listP_ab") Name: mi_1
Document contains an embedded VBA macro with suspicious strings
Source: sample20210113-01.xlsm OLE, VBA macro line: Wscript.echo Run("" & oo2 & "ab")
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function mi_1, String wscript: Wscript.echo Run("" & oo2 & "ab") Name: mi_1
Found Excel 4.0 Macro with suspicious formulas
Source: sample20210113-01.xlsm Initial sample: CALL
Source: sample20210113-01.xlsm Initial sample: CALL
Source: sample20210113-01.xlsm Initial sample: CALL
Source: sample20210113-01.xlsm Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC22A0 NtDelayExecution, 4_2_00CC22A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CDBE30 NtClose, 4_2_00CDBE30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_004D22A0 NtDelayExecution, 6_2_004D22A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_004EBE30 NtClose, 6_2_004EBE30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0021B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess, 6_2_0021B780
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0021BA14 NtSetInformationProcess, 6_2_0021BA14
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CB5150 4_2_00CB5150
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC88C0 4_2_00CC88C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC8CC0 4_2_00CC8CC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC98DA 4_2_00CC98DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CBACD0 4_2_00CBACD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCA0D0 4_2_00CCA0D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCE0A0 4_2_00CCE0A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CDDCA0 4_2_00CDDCA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD50A0 4_2_00CD50A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD4CA0 4_2_00CD4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD5CB0 4_2_00CD5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD1020 4_2_00CD1020
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCD030 4_2_00CCD030
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCFDD0 4_2_00CCFDD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD89F0 4_2_00CD89F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD71F0 4_2_00CD71F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCD980 4_2_00CCD980
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CDD180 4_2_00CDD180
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCC590 4_2_00CCC590
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CBF9A0 4_2_00CBF9A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC7564 4_2_00CC7564
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CB1570 4_2_00CB1570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CDFA10 4_2_00CDFA10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CD3EC0 4_2_00CD3EC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CB6AD0 4_2_00CB6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC96D0 4_2_00CC96D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CCF6E0 4_2_00CCF6E0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: sample20210113-01.xlsm OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation OLE, VBA macro: Module Sheet1, Function view_1_a_Layout Name: view_1_a_Layout
Document contains embedded VBA macros
Source: sample20210113-01.xlsm OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.bank.expl.evad.winXLSM@11/18@3/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$sample20210113-01.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDC89.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sample20210113-01.xlsm Virustotal: Detection: 25%
Source: sample20210113-01.xlsm ReversingLabs: Detection: 10%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll.
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: sample20210113-01.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: sample20210113-01.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: sample20210113-01.xlsm Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

PE file contains sections with non-standard names
Source: lpxtpiw[1].zip.0.dr Static PE information: section name: .2
Source: lpxtpiw[1].zip.0.dr Static PE information: section name: .rdata2
Source: lpxtpiw[1].zip.0.dr Static PE information: section name: .text5
Source: lpxtpiw[1].zip.0.dr Static PE information: section name: .text4
Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0021BFB0 push edx; ret 6_2_0021C269
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001E7172 push dword ptr [ebp+ecx*8-49h]; retf 6_2_001E7176
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_002062CD pushad ; iretd 6_2_002062E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001FF6CD push esi; ret 6_2_001FF6D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001E899D push 00000369h; ret 6_2_001E8A28
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001E89CD push 00000369h; ret 6_2_001E8A28
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0020FB74 push esi; ret 6_2_0020FB8B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001E1D11 push FFFFFFD5h; ret 6_2_001E1D18
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001E0E8F push esi; ret 6_2_001E0E94

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001F88DD rdtsc 6_2_001F88DD
Contains functionality to query network adapter information
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 4_2_00CB5150
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 6_2_004C5150
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
Is looking for software installed on the system
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key enumerated: More than 188 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CDCEF8 FindFirstFileExW, 4_2_00CDCEF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_004ECEF8 FindFirstFileExW, 6_2_004ECEF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC3930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 4_2_00CC3930

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001F88DD rdtsc 6_2_001F88DD
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC6C50 LdrLoadDll, 4_2_00CC6C50
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0021B5D0 mov eax, dword ptr fs:[00000030h] 6_2_0021B5D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0021B6E0 mov eax, dword ptr fs:[00000030h] 6_2_0021B6E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC7A60 RtlAddVectoredExceptionHandler, 4_2_00CC7A60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_004D7A60 RtlAddVectoredExceptionHandler, 6_2_004D7A60

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 157.7.166.26 233
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 195.231.69.151 49
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 221.126.244.72 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Source: regsvr32.exe, 00000003.00000002.2385426896.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2386762795.0000000000F80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385254744.00000000008F0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386448595.0000000000F80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.2385426896.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2386762795.0000000000F80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385254744.00000000008F0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386448595.0000000000F80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.2385426896.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2386762795.0000000000F80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385254744.00000000008F0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386448595.0000000000F80000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00CC2980 GetUserNameW, 4_2_00CC2980
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph:

Behavior Graph ID: 339173
Sample: sample20210113-01.xlsm
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 100

(Rendered graph image not included; the node text recovered from it is listed below. Legend of node annotations: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, Internet; node shading by share of contacted IPs: < 25%, 25% to 50%, 50% to 75%, > 75%.)

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures

EXCEL.EXE (started; node counters 243, 68)
  • DNS/IP: bipolarmalta.mccarthy.ws 35.214.225.210, 49165, 80 GOOGLE-2US United States
  • DNS/IP: oudtshoornpharmacies.co.za 154.66.197.71, 49166, 80 DIAMATRIXZA South Africa
  • DNS/IP: sendgrid.invoteqleads.com 104.24.124.127, 49169, 80 CLOUDFLARENETUS United States
  • Dropped: C:\Users\user\AppData\Local\...\pgjasrqd.dll, PE32
  • Dropped: C:\Users\user\AppData\Local\...\ndrztpo.dll, PE32
  • Dropped: C:\Users\user\AppData\...\lpxtpiw[1].zip, PE32
  • Dropped: 2 other malicious files
  • Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
  • Started: regsvr32.exe (node 12), regsvr32.exe (node 14), regsvr32.exe (node 16)

regsvr32.exe (node 12) started regsvr32.exe (node 18, counter 11)
regsvr32.exe (node 14) started regsvr32.exe (node 22, counter 9)

regsvr32.exe (node 18)
  • DNS/IP: 157.7.166.26, 49172, 49174, 49178 INTERQGMOInternetIncJP Japan
  • DNS/IP: 221.126.244.72, 443, 49167, 49170 HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK Hong Kong
  • DNS/IP: 195.231.69.151, 3889, 49171, 49173 ARUBA-CLOUDIT Italy
  • Signature: Detected Dridex e-Banking trojan

regsvr32.exe (node 22)
  • Signature: System process connects to network (likely due to code injection or exploit)

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                                          Malicious
195.231.69.151   unknown  Italy          202242  ARUBA-CLOUDIT                                     true
154.66.197.71    unknown  South Africa   327979  DIAMATRIXZA                                       false
104.24.124.127   unknown  United States  13335   CLOUDFLARENETUS                                   false
35.214.225.210   unknown  United States  19527   GOOGLE-2US                                        false
157.7.166.26     unknown  Japan          7506    INTERQGMOInternetIncJP                            true
221.126.244.72   unknown  Hong Kong      9304    HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK   true

Contacted Domains

Name IP Active
sendgrid.invoteqleads.com 104.24.124.127 true
bipolarmalta.mccarthy.ws 35.214.225.210 true
oudtshoornpharmacies.co.za 154.66.197.71 true

Contacted URLs

Name: http://bipolarmalta.mccarthy.ws/lpxtpiw.zip
  Malicious: true
  Antivirus Detection:
  • 6%, Virustotal
  • Avira URL Cloud: safe
  Reputation: unknown

Name: http://sendgrid.invoteqleads.com/usc3d1.rar
  Malicious: false
  Antivirus Detection:
  • Avira URL Cloud: safe
  Reputation: unknown

Name: http://oudtshoornpharmacies.co.za/dyu828kp.rar
  Malicious: false
  Antivirus Detection: none listed
  Reputation: high